diff --git a/po/bg.po b/po/bg.po
index 1a4df5f4b34..3f3f9291af8 100644
--- a/po/bg.po
+++ b/po/bg.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2014-12-14 11:44-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Bulgarian (http://www.transifex.com/projects/p/sssd/language/"
@@ -2334,19 +2334,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2406,81 +2406,154 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "IPA домейн"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "атрибут UID"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Доставчик на удостоверяване"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2539,117 +2612,108 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 #, fuzzy
 msgid "SSSD is not running.\n"
 msgstr "SSSD не е стартиран като root."
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "IPA домейн"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2748,98 +2812,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/po/ca.po b/po/ca.po
index 57c9556934d..8a7d47bf7ba 100644
--- a/po/ca.po
+++ b/po/ca.po
@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2017-10-15 03:02-0400\n"
 "Last-Translator: Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>\n"
 "Language-Team: Catalan (http://www.transifex.com/projects/p/sssd/language/"
@@ -2459,19 +2459,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2531,81 +2531,154 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "Domini IPA"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "L'atribut UID"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Proveïdor d'autenticació"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr "L'ordre post-delete ha fallat: %1$s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2664,118 +2737,109 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 #, fuzzy
 msgid "SSSD is not running.\n"
 msgstr "L'SSSD no s'està executant com a root."
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "Domini IPA"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 #, fuzzy
 msgid "Target the PAM service"
 msgstr "L'atribut que llista els serveis PAM autoritzats"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2874,98 +2938,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
@@ -3238,9 +3302,6 @@ msgstr ""
 #~ msgstr ""
 #~ "S'ha produït un error en comprovar si l'usuari havia iniciat la sessió\n"
 
-#~ msgid "The post-delete command failed: %1$s\n"
-#~ msgstr "L'ordre post-delete ha fallat: %1$s\n"
-
 #~ msgid "Not removing home dir - not owned by user\n"
 #~ msgstr ""
 #~ "No s'ha eliminat el directori inicial - no és propietat de l'usuari\n"
diff --git a/po/cs.po b/po/cs.po
index 024447e7133..8f599192452 100644
--- a/po/cs.po
+++ b/po/cs.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-05-20 09:18+0000\n"
 "Last-Translator: Pavel Borecki <pavel.borecki@gmail.com>\n"
 "Language-Team: Czech <https://translate.fedoraproject.org/projects/sssd/sssd-"
@@ -2493,19 +2493,19 @@ msgstr "Zadejte jméno."
 msgid "Unable to parse name %s.\n"
 msgstr "Nedaří se zpracovat název %s.\n"
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr "Hledat podle SID identifikátoru"
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr "Hledat podle identif. uživatele"
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr "Okamžik skončení platnosti initgroups"
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr "Hledat podle identif. skupiny"
 
@@ -2573,81 +2573,154 @@ msgstr "Zprávy vytvořené při slučování nastavení: %zu\n"
 msgid "Used configuration snippet files: %zu\n"
 msgstr "Použité soubory s útržky nastavení: %zu\n"
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr "Nedaří se vytvořit složku zálohy [%d]: %s"
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr "SSSD záloha místních dat už existuje, přepsat?"
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr "Nedaří se exportovat přebití skupin\n"
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr "Nedaří se exportovat přebití skupin\n"
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr "Přepsat existující zálohu"
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr "Nedaří se importovat přebití uživatelů\n"
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr "Nedaří se importovat přebití skupin\n"
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr "Pokud není, spustit proces služby sssd"
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr "Po importu dat restartovat sssd"
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr "Vytvořit prázdné soubory mezipaměti a importovat místní data"
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr "Před odebráním mezipaměti zastavit sssd"
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr "Při odebrání mezipaměti zastavit sssd"
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr "Vytváření zálohy místních dat…\n"
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr "Nedaří se vytvořit zálohu místních dat, nedaří se odebrat mezipaměť.\n"
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr "Odebírání souborů mezipaměti…\n"
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr "Nedaří se odebrat soubory mezipaměti\n"
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr "Obnovování místních dat…\n"
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "IPA doména"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "atribut UID"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Poskytovatel ověřování"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr "Příkaz po smazání se nezdařil: %1$s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr "Zobrazit seznam domén včetně typu hlavní nebo důvěryhodná doména"
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr "Nedaří se připojit ke sběrnici systému!\n"
@@ -2708,118 +2781,109 @@ msgstr "Zadejte název domény."
 
 # auto translated by TM merge from project: FreeIPA, version: ipa-4-5, DocId:
 # po/ipa
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr "Nedostatek paměti!\n"
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr "Nedaří se zjistit stav online\n"
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr "Nedaří se získat seznam serverů\n"
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 #, fuzzy
 msgid "SSSD is not running.\n"
 msgstr "SSSD už je spuštěné\n"
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr "Namísto zkrácení soubory se záznamem událostí smazat"
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr "Mazání souborů se záznamem událostí…\n"
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr "Nedaří se odebrat soubory se záznamem událostí\n"
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr "Zkracování souborů…\n"
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr "Nedaří se zkrátit soubory se záznamem událostí\n"
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr "Archivují se soubory se záznamem událostí do %s…\n"
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr "Nedaří se archivovat soubory se záznamem událostí\n"
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "IPA doména"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 #, fuzzy
 msgid "Target the PAM service"
 msgstr "Atribut vypisující pověřené PAM služby"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr "Zadejte stupeň podrobností ladících informací, který chcete nastavit"
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 "Chyba: chybí podpora pro identifikátor tevent řetězce, analýza záznamu "
@@ -2926,7 +2990,7 @@ msgstr "InfoPipe vyhledání uživatele s [%s] se nezdařilo.\n"
 msgid "pam_start failed: %s\n"
 msgstr "pam_start se nezdařilo: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
@@ -2934,12 +2998,12 @@ msgstr ""
 "zkoušení pam_authenticate\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr "pam_get_item se nezdařilo: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
@@ -2948,7 +3012,7 @@ msgstr ""
 "pam_authenticate pro uživatele [%s]: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
@@ -2956,7 +3020,7 @@ msgstr ""
 "zkoušení pam_chauthtok\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
@@ -2965,7 +3029,7 @@ msgstr ""
 "pam_chauthtok: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
@@ -2973,7 +3037,7 @@ msgstr ""
 "zkoušení pam_acct_mgmt\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
@@ -2982,7 +3046,7 @@ msgstr ""
 "pam_acct_mgmt: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
@@ -2990,7 +3054,7 @@ msgstr ""
 "zkoušení pam_setcred\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
@@ -2999,7 +3063,7 @@ msgstr ""
 "pam_setcred: [%s]\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
@@ -3007,7 +3071,7 @@ msgstr ""
 "zkoušení pam_open_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
@@ -3016,7 +3080,7 @@ msgstr ""
 "pam_open_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
@@ -3024,7 +3088,7 @@ msgstr ""
 "zkoušení pam_close_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
@@ -3033,15 +3097,15 @@ msgstr ""
 "pam_close_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr "neznámá akce\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr "PAM prostředí:\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr " - žádné prostředí -\n"
 
@@ -3405,9 +3469,6 @@ msgstr "Informuje, že odpovídač byl aktivován přes dbus"
 #~ msgid "Error while checking if the user was logged in\n"
 #~ msgstr "Chyba při zjišťování zda byl uživatel přihlášen\n"
 
-#~ msgid "The post-delete command failed: %1$s\n"
-#~ msgstr "Příkaz po smazání se nezdařil: %1$s\n"
-
 #~ msgid "Not removing home dir - not owned by user\n"
 #~ msgstr "Neodebírá se domovská složka – nevlastněno uživatelem\n"
 
diff --git a/po/de.po b/po/de.po
index 44098926b5f..619bd90b160 100644
--- a/po/de.po
+++ b/po/de.po
@@ -13,7 +13,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-07-01 09:40+0000\n"
 "Last-Translator: Joachim Philipp <joachim.philipp@gmail.com>\n"
 "Language-Team: German <https://translate.fedoraproject.org/projects/sssd/"
@@ -2444,19 +2444,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2516,81 +2516,154 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "IPA-Domain"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "UID-Attribut"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Authentifizierungs-Anbieter"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr "Der nach dem Löschen auszuführende Befehl ist fehlgeschlagen: %1$s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2649,118 +2722,109 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 #, fuzzy
 msgid "SSSD is not running.\n"
 msgstr "SSSD wird nicht durch Root ausgeführt."
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "IPA-Domain"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 #, fuzzy
 msgid "Target the PAM service"
 msgstr "Attribut, welches die autorisierten PAM-Dienste auflistet"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2859,98 +2923,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
@@ -3226,10 +3290,6 @@ msgstr ""
 #~ msgid "Error while checking if the user was logged in\n"
 #~ msgstr "Fehler bei der Überprüfung, ob der Benutzer angemeldet war\n"
 
-#~ msgid "The post-delete command failed: %1$s\n"
-#~ msgstr ""
-#~ "Der nach dem Löschen auszuführende Befehl ist fehlgeschlagen: %1$s\n"
-
 #~ msgid "Not removing home dir - not owned by user\n"
 #~ msgstr ""
 #~ "Home-Verzeichnis wird nicht entfernt – es gehört nicht dem Benutzer\n"
diff --git a/po/es.po b/po/es.po
index da078605cd1..ddf5ada73d2 100644
--- a/po/es.po
+++ b/po/es.po
@@ -18,7 +18,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-09-11 10:19+0000\n"
 "Last-Translator: Emilio Herrera <ehespinosa57@gmail.com>\n"
 "Language-Team: Spanish <https://translate.fedoraproject.org/projects/sssd/"
@@ -2555,19 +2555,19 @@ msgstr "Especificar nombre."
 msgid "Unable to parse name %s.\n"
 msgstr "Incapaz de analizar el nombre %s.\n"
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr "Búsqueda por SID"
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr "Búsqueda por ID de usuario"
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr "Tiempo de expiración de Initgroups"
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr "Búsqueda por ID de grupo"
 
@@ -2635,85 +2635,158 @@ msgstr "Mensajes generados durante la configuración de la fusión: %zu\n"
 msgid "Used configuration snippet files: %zu\n"
 msgstr "Configuración usada ficheros retazos: %zu\n"
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr "Incapaz de crear el directorio de respaldo [%d]: %s"
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr "Respaldo SSSD de datos locales ya existe, ¿anular?"
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr "Incapaz de exportar usuarios anulados\n"
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr "Incapaz de exportar grupos anulados\n"
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr "Anular respaldo existente"
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr "Incapaz de importar usuario anulado\n"
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr "Incapaz de importar grupo anulado\n"
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr "Arrancar SSSD si no está corriendo"
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr "Reiniciar SSSD después de la importación de datos"
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr "Crear limpiar ficheros cache e importar datos locales"
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr "Para SSSD antes de borrar el cache"
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr "Iniciar SSSD cuando se haya borrado el cache"
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr "Creando respaldo de los datos locales...\n"
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 "Incapaz de crear el respaldo de los datos locales, no se puede quitar el "
 "cache.\n"
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr "Borrando los ficheros del cache...\n"
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr "Incapaz de borrar ficheros en cache\n"
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr "Restaurando datos locales...\n"
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "Dominio IPA"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "Atributo UID"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Proveedor de Autenticación"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr "El comando post-delete falló: %1$s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 "Muestra la lista de dominio incluyendo los tipos de dominios primarios y de "
 "confianza"
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr "¡Incapaz de conectar al bus del sistema!\n"
@@ -2772,118 +2845,109 @@ msgstr "Mostrar la lista de servidores descubiertos"
 msgid "Specify domain name."
 msgstr "Especificar el nombre de dominio."
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr "¡Fuera de memoria!\n"
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr "Incapaz de obtener el estado en línea\n"
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr "Incapaz de obtener la lista de servidores\n"
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 #, fuzzy
 msgid "SSSD is not running.\n"
 msgstr "SSSD ya está corriendo\n"
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr "Borrar los ficheros de registro en lugar de dividirlos"
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr "Borrando ficheros de registro...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr "Incapaz de borrar los ficheros de registro\n"
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr "Truncando ficheros de registro...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr "Incapaz de truncar los ficheros de registro\n"
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr "Archivando ficheros de registro en %s...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr "Incapaz de archivar los ficheros de registro\n"
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "Dominio IPA"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 #, fuzzy
 msgid "Target the PAM service"
 msgstr "listado de atributos de servicios PAM autorizados"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr "Especifique el nivel de depuración que desea fijar"
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 #, fuzzy
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
@@ -2991,7 +3055,7 @@ msgstr "Búsqueda de Usuario InfoPipe con [%s] falló.\n"
 msgid "pam_start failed: %s\n"
 msgstr "pam_start falló: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
@@ -2999,12 +3063,12 @@ msgstr ""
 "probando pam_authenticate\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr "pam_get_item falló: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
@@ -3013,7 +3077,7 @@ msgstr ""
 "pam_authenticate para usuario [%s]: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
@@ -3021,7 +3085,7 @@ msgstr ""
 "probando pam_chauthtok\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
@@ -3030,7 +3094,7 @@ msgstr ""
 "pam_chauthtok: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
@@ -3038,7 +3102,7 @@ msgstr ""
 "probando pam_acct_mgmt\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
@@ -3047,7 +3111,7 @@ msgstr ""
 "pam_acct_mgmt: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
@@ -3055,7 +3119,7 @@ msgstr ""
 "probando pam_setcred\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
@@ -3064,7 +3128,7 @@ msgstr ""
 "pam_setcred: [%s]\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
@@ -3072,7 +3136,7 @@ msgstr ""
 "probando pam_open_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
@@ -3081,7 +3145,7 @@ msgstr ""
 "pam_open_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
@@ -3089,7 +3153,7 @@ msgstr ""
 "probando pam_close_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
@@ -3098,15 +3162,15 @@ msgstr ""
 "pam_close_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr "acción desconocida\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr "Entorno PAM:\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr " - no env -\n"
 
@@ -3473,9 +3537,6 @@ msgstr "Informa que el contestador ha sido dbus-activated"
 #~ msgstr ""
 #~ "Error mientras se verificaba si el usuario se encontraba registrado\n"
 
-#~ msgid "The post-delete command failed: %1$s\n"
-#~ msgstr "El comando post-delete falló: %1$s\n"
-
 #~ msgid "Not removing home dir - not owned by user\n"
 #~ msgstr "No eliminando el directorio de inicio - no pertenece al usuario\n"
 
diff --git a/po/eu.po b/po/eu.po
index 17a31f62dbe..785eea4a049 100644
--- a/po/eu.po
+++ b/po/eu.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2014-12-14 11:45-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Basque (http://www.transifex.com/projects/p/sssd/language/"
@@ -2327,19 +2327,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2399,81 +2399,153 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "IPA domeinua"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "UID atributua"
+
+#: src/tools/sssctl/sssctl_data.c:482
+msgid "Action not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2532,116 +2604,107 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "IPA domeinua"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2740,98 +2803,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/po/fi.po b/po/fi.po
index 1f7137ac155..357215fda7c 100644
--- a/po/fi.po
+++ b/po/fi.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-03-20 19:16+0000\n"
 "Last-Translator: Jan Kuparinen <copper_fin@hotmail.com>\n"
 "Language-Team: Finnish <https://translate.fedoraproject.org/projects/sssd/"
@@ -2337,19 +2337,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2409,81 +2409,151 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr "Varmuuskopiohakemistoa ei voi luoda [%d]: %s"
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "attribute"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:482
+msgid "Action not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2542,115 +2612,107 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr "Muisti loppui!\n"
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2749,98 +2811,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr "tuntematon valitsin\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/po/fr.po b/po/fr.po
index 651a699bc2f..785cecac39a 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -17,7 +17,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-06-24 20:18+0000\n"
 "Last-Translator: Ludek Janda <ljanda@redhat.com>\n"
 "Language-Team: French <https://translate.fedoraproject.org/projects/sssd/"
@@ -2570,19 +2570,19 @@ msgstr "Indiquez le nom."
 msgid "Unable to parse name %s.\n"
 msgstr "Impossible d'analyser le nom %s.\n"
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr "Recherche par SID"
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr "Recherche par ID utilisateur"
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr "Délai d'expiration des initgroups"
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr "Recherche par ID de groupe"
 
@@ -2650,85 +2650,158 @@ msgstr "Messages générés lors de la fusion des configurations : %zu\n"
 msgid "Used configuration snippet files: %zu\n"
 msgstr "Fichiers de configuration utilisés : %zu\n"
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr "Impossible de créer le répertoire de sauvegarde [%d] : %s"
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr "La sauvegarde SSSD des données locales existe déjà, la remplacer ?"
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr "Impossible d'exporter les substitutions d'utilisateur\n"
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr "Impossible d'exporter les substitutions de groupes\n"
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr "Remplacer la sauvegarde existante"
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr "Impossible d'importer les substitutions d'utilisateur\n"
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr "Impossible d'importer les substitutions de groupes\n"
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr "Démarrer SSSD s'il n'est pas en cours d'exécution"
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr "Redémarrer SSSD après l'importation des données"
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr "Créer des fichiers de cache propres et importer des données locales"
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr "Arrêtez SSSD avant de supprimer le cache"
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr "Démarrer SSSD lorsque le cache est supprimé"
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr "Création d'une sauvegarde des données locales...\n"
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 "Impossible de créer une sauvegarde des données locales, impossible de "
 "supprimer le cache.\n"
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr "Suppression des fichiers de cache...\n"
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr "Impossible de supprimer les fichiers de cache\n"
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr "Restauration des données locales...\n"
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "Domaine IPA"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "Attribut UID"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Fournisseur d'authentification"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr "La commande post-suppression a échoué : %1$s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 "Afficher la liste des domaines, y compris le type de domaine principal ou de "
 "confiance"
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr "Impossible de se connecter au bus système !\n"
@@ -2787,118 +2860,109 @@ msgstr "Afficher la liste des serveurs découverts"
 msgid "Specify domain name."
 msgstr "Indiquer le nom de domaine."
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr "Plus de mémoire disponible !\n"
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr "Impossible d'obtenir le statut en ligne\n"
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr "Impossible d'obtenir la liste des serveurs\n"
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 #, fuzzy
 msgid "SSSD is not running.\n"
 msgstr "SSSD est déjà en cours d'exécution\n"
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr "Supprimer les fichiers de log au lieu de tronquer"
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr "Suppression des fichiers journaux...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr "Impossible de supprimer les fichiers journaux\n"
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr "Troncature des fichiers de journalisation...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr "Impossible de tronquer les fichiers de journalisation\n"
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr "Archivage des fichiers journaux dans %s...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr "Impossible d'archiver les fichiers journaux\n"
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "Domaine IPA"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 #, fuzzy
 msgid "Target the PAM service"
 msgstr "Attribut listant les services PAM autorisés"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr "Spécifiez le niveau de débogage que vous souhaitez définir"
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 "ERREUR : Prise en charge de l’ID de chaîne Tevent manquante, l’analyseur de "
@@ -3005,7 +3069,7 @@ msgstr "La recherche de l'utilisateur InfoPipe avec [%s] a échoué.\n"
 msgid "pam_start failed: %s\n"
 msgstr "pam_start a échoué : %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
@@ -3013,12 +3077,12 @@ msgstr ""
 "test de pam_authenticate\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr "pam_get_item a échoué : %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
@@ -3027,7 +3091,7 @@ msgstr ""
 "pam_authenticate pour l'utilisateur [%s] : %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
@@ -3035,7 +3099,7 @@ msgstr ""
 "test pam_chauthtok\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
@@ -3044,7 +3108,7 @@ msgstr ""
 "pam_chauthtok : %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
@@ -3052,7 +3116,7 @@ msgstr ""
 "test de pam_acct_mgmt\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
@@ -3061,7 +3125,7 @@ msgstr ""
 "pam_acct_mgmt : %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
@@ -3069,7 +3133,7 @@ msgstr ""
 "test de pam_setcred\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
@@ -3078,7 +3142,7 @@ msgstr ""
 "pam_setcred : [%s]\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
@@ -3086,7 +3150,7 @@ msgstr ""
 "test pam_open_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
@@ -3095,7 +3159,7 @@ msgstr ""
 "pam_open_session : %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
@@ -3103,7 +3167,7 @@ msgstr ""
 "test pam_close_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
@@ -3112,15 +3176,15 @@ msgstr ""
 "pam_close_session : %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr "action inconnue\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr "Environnement PAM :\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr " - aucun env -\n"
 
@@ -3516,9 +3580,6 @@ msgstr "Informe que le répondeur a été activé par un dbus"
 #~ msgid "Error while checking if the user was logged in\n"
 #~ msgstr "Erreur en vérifiant si l'utilisateur était connecté\n"
 
-#~ msgid "The post-delete command failed: %1$s\n"
-#~ msgstr "La commande post-suppression a échoué : %1$s\n"
-
 #~ msgid "Not removing home dir - not owned by user\n"
 #~ msgstr ""
 #~ "Le répertoire personnel n'est pas supprimé - l'utilisateur n'en est pas "
diff --git a/po/hu.po b/po/hu.po
index eb647f50bd6..0275340ccec 100644
--- a/po/hu.po
+++ b/po/hu.po
@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2014-12-14 11:45-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Hungarian (http://www.transifex.com/projects/p/sssd/language/"
@@ -2330,19 +2330,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2402,81 +2402,154 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "IPA-tartomány"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "GECOS attribútum"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Azonosító-kiszolgáló"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2535,117 +2608,108 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 #, fuzzy
 msgid "SSSD is not running.\n"
 msgstr "Az SSSD nem root-ként fut."
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "IPA-tartomány"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2744,98 +2808,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/po/id.po b/po/id.po
index 4208561c5ea..a3ad8887b1a 100644
--- a/po/id.po
+++ b/po/id.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2014-12-14 11:46-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Indonesian (http://www.transifex.com/projects/p/sssd/language/"
@@ -2327,19 +2327,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2399,81 +2399,154 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "Domain IPA"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "Atribut UID"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Penyedia otentikasi"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2532,116 +2605,107 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "Domain IPA"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2740,98 +2804,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/po/it.po b/po/it.po
index 4e9458b999e..63897425157 100644
--- a/po/it.po
+++ b/po/it.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2020-09-15 08:29+0000\n"
 "Last-Translator: Milo Casagrande <milo@milo.name>\n"
 "Language-Team: Italian <https://translate.fedoraproject.org/projects/sssd/"
@@ -2346,19 +2346,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2418,81 +2418,154 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "Dominio IPA"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "Attributo UID"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Provider di autenticazione"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2551,117 +2624,108 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 #, fuzzy
 msgid "SSSD is not running.\n"
 msgstr "SSSD non è eseguito da root."
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "Dominio IPA"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2760,98 +2824,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/po/ja.po b/po/ja.po
index 69d853e9884..8b368e07f41 100644
--- a/po/ja.po
+++ b/po/ja.po
@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-06-24 20:18+0000\n"
 "Last-Translator: Transtats <suanand@redhat.com>\n"
 "Language-Team: Japanese <https://translate.fedoraproject.org/projects/sssd/"
@@ -2435,19 +2435,19 @@ msgstr "名前を指定します。"
 msgid "Unable to parse name %s.\n"
 msgstr "名前 %s を構文解析できません。\n"
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr "SID で検索"
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr "ユーザーID で検索"
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr "Initgroups の期限切れ時間"
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr "グループ ID で検索"
 
@@ -2515,85 +2515,158 @@ msgstr "設定のマージ中に生成されたメッセージ: %zu\n"
 msgid "Used configuration snippet files: %zu\n"
 msgstr "使用された設定スニペットファイル: %zu\n"
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr "バックアップディレクトリー [%d] を作成できません: %s"
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 "ローカルデータの SSSD バックアップはすでに存在しますが、上書きしますか?"
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr "ユーザーの上書きをエクスポートできません\n"
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr "グループの上書きをエクスポートできません\n"
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr "既存のバックアップを上書き"
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr "ユーザーの上書きをインポートできません\n"
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr "グループの上書きをインポートできません\n"
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr "実行中でない場合、SSSD を開始します"
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr "データのインポートの後、SSSD を再起動します"
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr "クリーンなキャッシュファイルを作成し、ローカルデータをインポートします"
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr "キャッシュを削除する前に SSSD を停止します"
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr "キャッシュの削除後に SSSD を開始します"
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr "ローカルデータのバックアップを作成中...\n"
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 "ローカルデータのバックアップの作成ができません。キャッシュを削除できませ"
 "ん。\n"
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr "キャッシュファイルの削除中...\n"
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr "キャッシュファイルを削除できません\n"
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr "ローカルデータの復元中...\n"
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "IPA ドメイン"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "UID の属性"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "認証プロバイダー"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr "削除後コマンドの実行に失敗しました: %1$s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 "プライマリーまたは信頼されたドメインタイプを含むドメインリストを表示します"
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr "システムバスに接続できません。\n"
@@ -2652,118 +2725,109 @@ msgstr "見つかったサーバーに関する一覧を表示"
 msgid "Specify domain name."
 msgstr "ドメイン名を指定します。"
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr "メモリーの空き容量がありません。\n"
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr "オンライン状態を取得できません\n"
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr "サーバー一覧を取得できません\n"
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 #, fuzzy
 msgid "SSSD is not running.\n"
 msgstr "SSSD はすでに実行中です\n"
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr "切り捨てる代わりにログファイルを削除します"
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr "ログファイルを削除中...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr "ログファイルを削除できません\n"
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr "ログファイルを切り捨てます...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr "ログファイルの切り捨てができません\n"
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr "ログファイルを %s へアーカイブ中...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr "ログファイルのアーカイブができません\n"
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "IPA ドメイン"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 #, fuzzy
 msgid "Target the PAM service"
 msgstr "認可された PAM サービスを一覧化する属性"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr "設定したいデバッグレベルを指定します"
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 "エラー: Tevent chain ID サポートがなく、ログアナライザーはサポートされませ"
@@ -2870,7 +2934,7 @@ msgstr "[%s] での InfoPipe ユーザーの検索に失敗しました。\n"
 msgid "pam_start failed: %s\n"
 msgstr "pam_start に失敗しました: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
@@ -2878,12 +2942,12 @@ msgstr ""
 "pam_authenticate のテスト中\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr "pam_get_item に失敗しました: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
@@ -2892,7 +2956,7 @@ msgstr ""
 "ユーザー [%s] 向けの pam_authenticate: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
@@ -2900,7 +2964,7 @@ msgstr ""
 "pam_chauthtok のテスト中\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
@@ -2909,7 +2973,7 @@ msgstr ""
 "pam_chauthtok: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
@@ -2917,7 +2981,7 @@ msgstr ""
 "pam_acct_mgmt のテスト中\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
@@ -2926,7 +2990,7 @@ msgstr ""
 "pam_acct_mgmt: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
@@ -2934,7 +2998,7 @@ msgstr ""
 "pam_setcred のテスト中\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
@@ -2943,7 +3007,7 @@ msgstr ""
 "pam_setcred: [%s]\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
@@ -2951,7 +3015,7 @@ msgstr ""
 "pam_open_session のテスト中\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
@@ -2960,7 +3024,7 @@ msgstr ""
 "pam_open_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
@@ -2968,7 +3032,7 @@ msgstr ""
 "pam_close_session のテスト中\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
@@ -2977,15 +3041,15 @@ msgstr ""
 "pam_close_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr "不明なアクション\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr "PAM 環境:\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr " - no env -\n"
 
@@ -3364,9 +3428,6 @@ msgstr "レスポンダーが dbus でアクティベートされたと知らせ
 #~ msgid "Error while checking if the user was logged in\n"
 #~ msgstr "ユーザーがログインしていたかを確認中にエラーが発生しました\n"
 
-#~ msgid "The post-delete command failed: %1$s\n"
-#~ msgstr "削除後コマンドの実行に失敗しました: %1$s\n"
-
 #~ msgid "Not removing home dir - not owned by user\n"
 #~ msgstr ""
 #~ "ホームディレクトリーを削除していません - ユーザーにより所有されていませ"
diff --git a/po/ka.po b/po/ka.po
index 2a584bbef35..055056805a2 100644
--- a/po/ka.po
+++ b/po/ka.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-07-27 10:19+0000\n"
 "Last-Translator: Temuri Doghonadze <temuri.doghonadze@gmail.com>\n"
 "Language-Team: Georgian <https://translate.fedoraproject.org/projects/sssd/"
@@ -2325,19 +2325,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2397,81 +2397,152 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr "მარქაფის საქაღალდის შექმნის შეცდომა [%d]:%s"
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "domain"
+msgstr "დომენი"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "UID ატრიბუტი"
+
+#: src/tools/sssctl/sssctl_data.c:482
+msgid "Action not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2530,115 +2601,107 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr "არასაკმარისი მეხსიერება!\n"
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "domain"
-msgstr "დომენი"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2737,98 +2800,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr "უცნობი ქმედება\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/po/ko.po b/po/ko.po
index d58ac30b004..0a149c8b20e 100644
--- a/po/ko.po
+++ b/po/ko.po
@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-09-23 11:19+0000\n"
 "Last-Translator: 김인수 <simmon@nplob.com>\n"
 "Language-Team: Korean <https://translate.fedoraproject.org/projects/sssd/"
@@ -2401,19 +2401,19 @@ msgstr "이름을 지정합니다."
 msgid "Unable to parse name %s.\n"
 msgstr "%s 이름을 구문 분석할 수 없습니다.\n"
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr "SID로 검색"
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr "사용자 ID로 검색"
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr "Initgroups 만료 시간"
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr "그룹 ID로 검색"
 
@@ -2477,81 +2477,153 @@ msgstr "구성 병합 중에 생성된 메시지: %zu\n"
 msgid "Used configuration snippet files: %zu\n"
 msgstr "사용된 구성 스니펫 파일: %zu\n"
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr "백업 디렉토리를 만들 수 없습니다 [%d]: %s"
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr "로컬 데이터의 SSSD 백업이 이미 존재합니다. 덮어쓰시겠습니까?"
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr "사용자 덮어쓰기를 내보낼 수 없습니다\n"
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr "그룹 덮어쓰기를 내보낼 수 없습니다\n"
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr "기존 백업 덮어쓰기"
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr "사용자 덮어쓰기를 가져올 수 없습니다\n"
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr "그룹 덮어쓰기를 가져올 수 없습니다\n"
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr "SSSD가 실행 중이 아닌 경우 시작"
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr "데이터 가져 오기 후 SSSD 재시작"
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr "정리된 캐시 파일을 만들고 로컬 데이터 가져 오기"
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr "캐시를 제거하기 전에 SSSD 중지"
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr "캐시가 제거되면 SSSD 시작"
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr "로컬 데이터의 백업 생성 중...\n"
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr "로컬 데이터의 백업을 생성 할 수 없으며, 캐쉬를 제거 할 수 없습니다.\n"
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr "캐시 파일 제거 중...\n"
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr "캐쉬 파일을 제거 할 수 없습니다\n"
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr "로컬 데이터 복원 중...\n"
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr "대상 지정 도메인"
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "domain"
+msgstr "도메인"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "UID 속성"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "인증 공급자"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr "pam_get_item에 실패: %s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr "메인 또는 신뢰할 수 있는 도메인 유형을 포함한 도메인 목록 표시"
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr "시스템 버스에 연결할 수 없습니다!\n"
@@ -2610,115 +2682,107 @@ msgstr "검색된 서버 목록 표시"
 msgid "Specify domain name."
 msgstr "도메인 이름을 지정합니다."
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr "메모리 부족!\n"
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr "온라인 상태를 얻는 데 실패\n"
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr "서버 목록을 가져올 수 없습니다\n"
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr "SSSD가 실행 중이 아닙니다.\n"
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr "%1$-25s %2$#.4x\n"
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr "%1$-25s 알려지지 않은 도메인\n"
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr "%1$-25s 접근 할 수 없는 서비스\n"
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr "자르는 대신 로그 파일 삭제"
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr "로그 파일 삭제 중...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr "로그 파일을 제거 할 수 없습니다\n"
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr "로그 파일 자르는 중...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr "로그 파일을 자를 수 없습니다\n"
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr "%s에 로그 파일 보관 중...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr "로그 파일을 보관할 수 없습니다\n"
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr "대상 지정 도메인"
-
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "domain"
-msgstr "도메인"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr "대상 SSSD 서비스"
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr "대상 NSS 서비스"
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr "대상 PAM 서비스"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr "대상 SUDO 서비스"
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr "대상 AUTOFS 서비스"
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr "대상 SSH 서비스"
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr "대상 PAC 서비스"
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr "대상 IFP 서비스"
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr "설정할 디버그 수준 지정"
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 "오류: T이벤트 체인 ID 지원이 누락되었으며, 로그 분석이 지원되지 않습니다.\n"
@@ -2824,7 +2888,7 @@ msgstr "[%s]을(를) 사용한 InfoPipe 사용자 검색에 실패했습니다.\
 msgid "pam_start failed: %s\n"
 msgstr "pam_start에 실패: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
@@ -2832,12 +2896,12 @@ msgstr ""
 "pam_authenticate 테스트\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr "pam_get_item에 실패: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
@@ -2846,7 +2910,7 @@ msgstr ""
 "[%s] 사용자에 대한 pam_authenticate: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
@@ -2854,7 +2918,7 @@ msgstr ""
 "pam_chauthtok 테스트\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
@@ -2863,7 +2927,7 @@ msgstr ""
 "pam_chauthtok: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
@@ -2871,7 +2935,7 @@ msgstr ""
 "pam_acct_mgmt 테스트\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
@@ -2880,7 +2944,7 @@ msgstr ""
 "pam_acct_mgmt: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
@@ -2888,7 +2952,7 @@ msgstr ""
 "pam_setcred 테스트\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
@@ -2897,7 +2961,7 @@ msgstr ""
 "pam_setcred: [%s]\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
@@ -2905,7 +2969,7 @@ msgstr ""
 "pam_open_session 테스트\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
@@ -2914,7 +2978,7 @@ msgstr ""
 "pam_open_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
@@ -2922,7 +2986,7 @@ msgstr ""
 "pam_close_session 테스트\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
@@ -2931,15 +2995,15 @@ msgstr ""
 "pam_close_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr "알 수 없는 동작\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr "PAM 환경:\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr " - no env -\n"
 
diff --git a/po/nb.po b/po/nb.po
index 154e2e7a155..d51ec724ddf 100644
--- a/po/nb.po
+++ b/po/nb.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2014-12-14 11:46-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Norwegian Bokmål (http://www.transifex.com/projects/p/sssd/"
@@ -2327,19 +2327,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2399,81 +2399,153 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "IPA-domene"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "attribute"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Autentiseringstilbyder"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2532,116 +2604,107 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "IPA-domene"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2740,98 +2803,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/po/nl.po b/po/nl.po
index 3a7a148f061..72c9cbed14d 100644
--- a/po/nl.po
+++ b/po/nl.po
@@ -13,7 +13,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2014-12-14 11:47-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Dutch (http://www.transifex.com/projects/p/sssd/language/"
@@ -2409,19 +2409,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2481,81 +2481,154 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "IPA-domein"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "UID-attribuut"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Authentiecatieaanbieder"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr "Het post-verwijder commando mislukte: %1$s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2614,118 +2687,109 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 #, fuzzy
 msgid "SSSD is not running.\n"
 msgstr "SSSD wordt niet door root gestart."
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "IPA-domein"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 #, fuzzy
 msgid "Target the PAM service"
 msgstr "Attribuut voor tonen van geautoriseerde PAM services"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2824,98 +2888,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
@@ -3186,9 +3250,6 @@ msgstr ""
 #~ msgid "Error while checking if the user was logged in\n"
 #~ msgstr "Fout bij het controleren of de gebruiker was ingelogd\n"
 
-#~ msgid "The post-delete command failed: %1$s\n"
-#~ msgstr "Het post-verwijder commando mislukte: %1$s\n"
-
 #~ msgid "Not removing home dir - not owned by user\n"
 #~ msgstr ""
 #~ "De gebruikersmap wordt niet verwijderd - de gebruiker is geen eigenaar\n"
diff --git a/po/pl.po b/po/pl.po
index 1ab5a93bbbf..3bde2b5f5ea 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-07-09 09:17+0000\n"
 "Last-Translator: Piotr Drąg <piotrdrag@gmail.com>\n"
 "Language-Team: Polish <https://translate.fedoraproject.org/projects/sssd/"
@@ -2500,19 +2500,19 @@ msgstr "Należy podać nazwę."
 msgid "Unable to parse name %s.\n"
 msgstr "Nie można przetworzyć nazwy %s.\n"
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr "Wyszukuje według SID"
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr "Wyszukuje według identyfikatorów użytkowników"
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr "Czas wygaśnięcia grup inicjacji"
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr "Wyszukuje według identyfikatorów grup"
 
@@ -2580,83 +2580,155 @@ msgstr "Komunikaty utworzone podczas łączenia konfiguracji: %zu\n"
 msgid "Used configuration snippet files: %zu\n"
 msgstr "Użyte pliki wstawek konfiguracji: %zu\n"
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr "Nie można utworzyć katalogu kopii zapasowej [%d]: %s"
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr "Kopia zapasowa SSSD lokalnych danych już istnieje, zastąpić?"
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr "Nie można wyeksportować zastąpień użytkownika\n"
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr "Nie można wyeksportować zastąpień grupy\n"
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr "Zastępuje istniejącą kopię zapasową"
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr "Nie można zaimportować zastąpień użytkownika\n"
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr "Nie można zaimportować zastąpień grupy\n"
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr "Uruchamia usługę SSSD, jeśli nie jest uruchomiona"
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr "Ponownie uruchamia usługę SSSD po imporcie danych"
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr "Tworzy czyste pliki pamięci podręcznej i importuje lokalne dane"
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr "Zatrzymuje usługę SSSD przed usunięciem pamięci podręcznej"
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr "Uruchamia usługę SSSD po usunięciu pamięci podręcznej"
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr "Tworzenie kopii zapasowej lokalnych danych…\n"
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 "Nie można utworzyć kopii zapasowej lokalnych danych, nie można usunąć "
 "pamięci podręcznej.\n"
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr "Usuwanie plików pamięci podręcznej…\n"
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr "Nie można usunąć plików pamięci podręcznej\n"
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr "Przywracanie lokalnych danych…\n"
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr "Działa na podanej domenie"
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "domain"
+msgstr "domena"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "Atrybut UID"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Dostawca uwierzytelniania"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr "Polecenie po usunięciu nie powiodło się: %1$s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr "Wyświetla listę domen, w tym główny i zaufany typ domeny"
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr "Nie można połączyć się z magistralą systemową.\n"
@@ -2715,115 +2787,107 @@ msgstr "Wyświetla listę wykrytych serwerów"
 msgid "Specify domain name."
 msgstr "Należy podać nazwę domeny."
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr "Brak pamięci.\n"
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr "Nie można uzyskać stanu online\n"
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr "Nie można uzyskać listy serwerów\n"
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr "Usługa SSSD nie jest uruchomiona.\n"
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr "%1$-25s %2$#.4x\n"
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr "%1$-25s Nieznana domena\n"
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr "%1$-25s Nie można połączyć się z usługą\n"
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr "Usuwa pliki dziennika zamiast ich skracania"
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr "Usuwanie plików dziennika…\n"
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr "Nie można usunąć plików dziennika\n"
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr "Skracanie plików dziennika…\n"
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr "Nie można skrócić plików dziennika\n"
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr "Archiwizowanie plików dziennika w %s…\n"
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr "Nie można zarchiwizować plików dziennika\n"
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr "Działa na podanej domenie"
-
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "domain"
-msgstr "domena"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr "Działa na usłudze SSSD"
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr "Działa na usłudze NSS"
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr "Działa na usłudze PAM"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr "Działa na usłudze sudo"
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr "Działa na usłudze Autofs"
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr "Działa na usłudze SSH"
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr "Działa na usłudze PAC"
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr "Działa na usłudze IFP"
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr "Podaje poziom debugowania do ustawienia"
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 "BŁĄD: brak obsługi identyfikatora łańcucha tevent, analizator dziennika jest "
@@ -2930,7 +2994,7 @@ msgstr "InfoPipe Wyszukanie użytkownika z [%s] się nie powiodło.\n"
 msgid "pam_start failed: %s\n"
 msgstr "pam_start się nie powiodło: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
@@ -2938,12 +3002,12 @@ msgstr ""
 "testowanie pam_authenticate\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr "pam_get_item się nie powiodło: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
@@ -2952,7 +3016,7 @@ msgstr ""
 "pam_authenticate dla użytkownika [%s]: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
@@ -2960,7 +3024,7 @@ msgstr ""
 "testowanie pam_chauthtok\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
@@ -2969,7 +3033,7 @@ msgstr ""
 "pam_chauthtok: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
@@ -2977,7 +3041,7 @@ msgstr ""
 "testowanie pam_acct_mgmt\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
@@ -2986,7 +3050,7 @@ msgstr ""
 "pam_acct_mgmt: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
@@ -2994,7 +3058,7 @@ msgstr ""
 "testowanie pam_setcred\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
@@ -3003,7 +3067,7 @@ msgstr ""
 "pam_setcred: [%s]\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
@@ -3011,7 +3075,7 @@ msgstr ""
 "testowanie pam_open_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
@@ -3020,7 +3084,7 @@ msgstr ""
 "pam_open_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
@@ -3028,7 +3092,7 @@ msgstr ""
 "testowanie pam_close_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
@@ -3037,15 +3101,15 @@ msgstr ""
 "pam_close_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr "nieznane działanie\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr "Środowisko PAM:\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr " — brak środowiska —\n"
 
@@ -3428,9 +3492,6 @@ msgstr "Informuje, że program odpowiadający został aktywowany magistralą D-B
 #~ msgid "Error while checking if the user was logged in\n"
 #~ msgstr "Błąd podczas sprawdzania, czy użytkownik był zalogowany\n"
 
-#~ msgid "The post-delete command failed: %1$s\n"
-#~ msgstr "Polecenie po usunięciu nie powiodło się: %1$s\n"
-
 #~ msgid "Not removing home dir - not owned by user\n"
 #~ msgstr ""
 #~ "Katalog domowy nie zostanie usunięty — użytkownik nie jest właścicielem\n"
diff --git a/po/pt.po b/po/pt.po
index 7fd0e70be9f..6f47f94bfbe 100644
--- a/po/pt.po
+++ b/po/pt.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2014-12-14 11:47-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Portuguese (http://www.transifex.com/projects/p/sssd/language/"
@@ -2340,19 +2340,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2412,81 +2412,154 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "Domínio IPA"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "Atributo UID"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Fornecedor de autenticação"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2545,116 +2618,107 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "Domínio IPA"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2753,98 +2817,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/po/pt_BR.po b/po/pt_BR.po
index 68b98cb33b0..b29b185db09 100644
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
@@ -3,7 +3,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2015-10-27 08:15-0400\n"
 "Last-Translator: Marco Aurélio Krause <ouesten@me.com>\n"
 "Language-Team: Portuguese (Brazil)\n"
@@ -2321,19 +2321,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2393,81 +2393,151 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "attribute"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:482
+msgid "Action not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2526,115 +2596,107 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2733,98 +2795,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/po/ru.po b/po/ru.po
index 4b1c3a6b665..158e67645c3 100644
--- a/po/ru.po
+++ b/po/ru.po
@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-07-12 12:18+0000\n"
 "Last-Translator: Elena Mishina <lepata@basealt.ru>\n"
 "Language-Team: Russian <https://translate.fedoraproject.org/projects/sssd/"
@@ -21,8 +21,8 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
-"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
+"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
+"n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
 "X-Generator: Weblate 4.13\n"
 
 #: src/config/SSSDConfig/sssdoptions.py:20
@@ -2544,19 +2544,19 @@ msgstr "Укажите имя."
 msgid "Unable to parse name %s.\n"
 msgstr "Не удалось разобрать имя %s.\n"
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr "Поиск по SID"
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr "Поиск по ID пользователя"
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr "Время истечения срока действия групп инициализации"
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr "Поиск по ID группы"
 
@@ -2624,83 +2624,156 @@ msgstr "Сообщения, созданные при объединении к
 msgid "Used configuration snippet files: %zu\n"
 msgstr "Использованных файлов фрагментов конфигурации: %zu\n"
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr "Не удалось создать резервный каталог [%d]: %s"
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr "Резервная копия локальных данных SSSD уже существует. Перезаписать?"
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr "Не удалось экспортировать переопределения пользователей\n"
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr "Не удалось экспортировать переопределения групп\n"
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr "Переопределить существующую резервную копию"
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr "Не удалось импортировать переопределения пользователей\n"
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr "Не удалось импортировать переопределения групп\n"
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr "Запустить SSSD, если запуск не был выполнен"
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr "Перезапустить SSSD после импорта данных"
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr "Создать пустые файлы кэша и импортировать локальные данные"
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr "Остановить SSSD перед удалением кэша"
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr "Запустить SSSD после удаления кэша"
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr "Создание резервной копии локальных данных...\n"
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 "Не удалось создать резервную копию локальных данных, невозможно удалить "
 "кэш.\n"
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr "Удаление файлов кэша...\n"
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr "Не удалось удалить файлы кэша\n"
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr "Восстановление локальных данных...\n"
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr "Направить на определенный домен"
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "domain"
+msgstr "домен"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "Атрибут UID"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Поставщик данных для проверки подлинности"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+"Ошибка команды, которую следовало выполнить после удаления записи: %1$s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr "Показать список доменов, включая основные и доверенные"
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr "Не удалось подключиться к системной шине!\n"
@@ -2759,115 +2832,107 @@ msgstr "Показать список обнаруженных серверов"
 msgid "Specify domain name."
 msgstr "Укажите имя домена."
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr "Недостаточно памяти!\n"
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr "Не удалось получить состояние подключения\n"
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr "Не удалось получить список серверов\n"
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr "SSSD не запущен.\n"
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr "%1$-25s %2$#.4x\n"
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr "%1$-25s Неизвестный домен\n"
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr "%1$-25s Недоступная служба\n"
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr "Удалить файлы журнала вместо усечения"
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr "Удаление файлов журнала...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr "Не удалось удалить файлы журнала\n"
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr "Усечение файлов журнала...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr "Не удалось усечь файлы журнала\n"
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr "Архивация файлов журнала в %s...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr "Не удалось архивировать файлы журнала\n"
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr "Направить на определенный домен"
-
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "domain"
-msgstr "домен"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr "Направить на службу SSSD"
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr "Направить на службу NSS"
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr "Направить на службу PAM"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr "Направить на службу SUDO"
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr "Направить на службу AUTOFS"
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr "Направить на службу SSH"
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr "Направить на службу PAC"
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr "Направить на службу IFP"
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr "Укажите уровень отладки, который следует установить"
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 "ОШИБКА: Отсутствует поддержка идентификатора цепочки Tevent, анализатор "
@@ -2974,7 +3039,7 @@ msgstr "Не удалось найти пользователя InfoPipe с по
 msgid "pam_start failed: %s\n"
 msgstr "Ошибка pam_start: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
@@ -2982,12 +3047,12 @@ msgstr ""
 "проверка pam_authenticate\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr "Ошибка pam_get_item: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
@@ -2996,7 +3061,7 @@ msgstr ""
 "pam_authenticate для пользователя [%s]: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
@@ -3004,7 +3069,7 @@ msgstr ""
 "проверка pam_chauthtok\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
@@ -3013,7 +3078,7 @@ msgstr ""
 "pam_chauthtok: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
@@ -3021,7 +3086,7 @@ msgstr ""
 "проверка pam_acct_mgmt\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
@@ -3030,7 +3095,7 @@ msgstr ""
 "pam_acct_mgmt: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
@@ -3038,7 +3103,7 @@ msgstr ""
 "проверка pam_setcred\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
@@ -3047,7 +3112,7 @@ msgstr ""
 "pam_setcred: [%s]\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
@@ -3055,7 +3120,7 @@ msgstr ""
 "проверка pam_open_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
@@ -3064,7 +3129,7 @@ msgstr ""
 "pam_open_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
@@ -3072,7 +3137,7 @@ msgstr ""
 "проверка pam_close_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
@@ -3081,15 +3146,15 @@ msgstr ""
 "pam_close_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr "неизвестное действие\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr "Среда PAM:\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr " - нет среды -\n"
 
@@ -3458,10 +3523,6 @@ msgstr "Сообщает о том, что ответчик активирова
 #~ msgid "Error while checking if the user was logged in\n"
 #~ msgstr "Ошибка при проверке факта входа пользователя в систему\n"
 
-#~ msgid "The post-delete command failed: %1$s\n"
-#~ msgstr ""
-#~ "Ошибка команды, которую следовало выполнить после удаления записи: %1$s\n"
-
 #~ msgid "Not removing home dir - not owned by user\n"
 #~ msgstr ""
 #~ "Домашний каталог не удалён — пользователь не является его владельцем\n"
diff --git a/po/sssd.pot b/po/sssd.pot
index b6f5f977443..7641ddf05ae 100644
--- a/po/sssd.pot
+++ b/po/sssd.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -2324,19 +2324,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2396,81 +2396,151 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "attribute"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:482
+msgid "Action not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2529,115 +2599,107 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2736,98 +2798,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/po/sv.po b/po/sv.po
index 369497b1b77..4164e9e1c6e 100644
--- a/po/sv.po
+++ b/po/sv.po
@@ -13,7 +13,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-07-30 09:19+0000\n"
 "Last-Translator: Göran Uddeborg <goeran@uddeborg.se>\n"
 "Language-Team: Swedish <https://translate.fedoraproject.org/projects/sssd/"
@@ -2470,19 +2470,19 @@ msgstr "Ange namn."
 msgid "Unable to parse name %s.\n"
 msgstr "Kan inte tolka namnet %s.\n"
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr "Sök via SID"
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr "Sök via användar-ID"
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr "Init-gruppers utgångstid"
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr "Sök via grupp-ID"
 
@@ -2550,82 +2550,154 @@ msgstr "Meddelanden genererade under sammanslagning av konfigurationen: %zu\n"
 msgid "Used configuration snippet files: %zu\n"
 msgstr "Använd konfigurationssnuttfiler: %zu\n"
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr "Kan inte skapa en katalog för säkerhetskopia [%d]: %s"
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr "En SSSD-säkerhetskopia av lokala data finns redan, åsidosätt?"
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr "Kan inte exportera användaråsidosättanden\n"
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr "Kan inte exportera gruppåsidosättanden\n"
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr "Åsidosätt befintlig säkerhetskopia"
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr "Kan inte importera användaråsidosättanden\n"
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr "Kan inte importera gruppåsidosättanden\n"
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr "Starta SSSD om den inte kör"
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr "Starta om SSSD efter import av data"
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr "Skapa rena cachefiler och importera lokala data"
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr "Stoppa SSSD före cachen tas bort"
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr "Starta SSSD när cachen är borttagen"
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr "Skapa säkerhetskopia av lokala data …\n"
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 "Kan inte skapa säkerhetskopia av lokala data, kan inte ta bort cachen.\n"
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr "Tar bort cache-filer …\n"
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr "Kan inte ta bort cache-filer\n"
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr "Återställer lokala data …\n"
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr "Sikta på en specifik domän"
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "domain"
+msgstr "domän"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "UID-attribut"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Autentiseringsleverantör"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr "Kommandot efter borttagandet misslyckades: %1$s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr "Visa domänlistan inklusive primär eller betrodd domäntyp"
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr "Det går inte att ansluta till systembussen!\n"
@@ -2684,115 +2756,107 @@ msgstr "Visa lista över upptäckta servrar"
 msgid "Specify domain name."
 msgstr "Ange domännamn."
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr "Slut på minne!\n"
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr "Kan inte ta reda på uppkopplingsstatus\n"
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr "Kan inte ta reda på serverlistan\n"
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr "SSSD kör inte.\n"
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr "%1$-25s %2$#.4x\n"
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr "%1$-25s Okänd domän\n"
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr "%1$-25s Onåbar tjänst\n"
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr "Radera loggfiler istället för att hugga av"
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr "Raderar loggfiler …\n"
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr "Kan inte ta bort loggfiler\n"
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr "Hugger av loggfiler …\n"
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr "Kan inte hugga av loggfiler\n"
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr "Arkiverar loggfiler in i %s …\n"
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr "Kan inte arkivera loggfiler\n"
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr "Sikta på en specifik domän"
-
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "domain"
-msgstr "domän"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr "Sikta på SSSD-tjänsten"
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr "Sikta på NSS-tjänsten"
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr "Sikta på PAM-tjänsten"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr "Sikta på SUDO-tjänsten"
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr "Sikta på AUTOFS-tjänsten"
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr "Sikta på SSH-tjänsten"
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr "Sikta på PAC-tjänsten"
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr "Sikta på IFP-tjänsten"
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr "Ange felsökningsnivå du vill sätta"
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr "FEL: stöd för tevent-kedje-ID saknas, logganalysatorn stödjs inte.\n"
 
@@ -2897,7 +2961,7 @@ msgstr "InfoPipe-användaruppslagning med [%s] misslyckades.\n"
 msgid "pam_start failed: %s\n"
 msgstr "pam_start misslyckades: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
@@ -2905,12 +2969,12 @@ msgstr ""
 "testar pam_authenticate\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr "pam_get_item misslyckades: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
@@ -2919,7 +2983,7 @@ msgstr ""
 "pam_authenticate för användaren [%s]: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
@@ -2927,7 +2991,7 @@ msgstr ""
 "testar pam_chauthtok\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
@@ -2936,7 +3000,7 @@ msgstr ""
 "pam_chauthtok: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
@@ -2944,7 +3008,7 @@ msgstr ""
 "testar pam_acct_mgmt\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
@@ -2953,7 +3017,7 @@ msgstr ""
 "pam_acct_mgmt: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
@@ -2961,7 +3025,7 @@ msgstr ""
 "testar pam_setcred\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
@@ -2970,7 +3034,7 @@ msgstr ""
 "pam_setcred: [%s]\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
@@ -2978,7 +3042,7 @@ msgstr ""
 "testar pam_open_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
@@ -2987,7 +3051,7 @@ msgstr ""
 "pam_open_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
@@ -2995,7 +3059,7 @@ msgstr ""
 "testar pam_close_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
@@ -3004,15 +3068,15 @@ msgstr ""
 "pam_close_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr "okänd åtgärd\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr "PAM-miljö:\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr " - ingen miljö -\n"
 
@@ -3378,9 +3442,6 @@ msgstr "Informerar att respondenten har blivit dbus-aktiverad"
 #~ msgid "Error while checking if the user was logged in\n"
 #~ msgstr "Fel vid kontroll om användaren var inloggad\n"
 
-#~ msgid "The post-delete command failed: %1$s\n"
-#~ msgstr "Kommandot efter borttagandet misslyckades: %1$s\n"
-
 #~ msgid "Not removing home dir - not owned by user\n"
 #~ msgstr "Tar inte bort hemkatalogen - ägs inte av användaren\n"
 
diff --git a/po/tg.po b/po/tg.po
index ef0784b8d49..c50de348195 100644
--- a/po/tg.po
+++ b/po/tg.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2014-12-14 11:48-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Tajik (http://www.transifex.com/projects/p/sssd/language/"
@@ -2326,19 +2326,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2398,81 +2398,152 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "Аттрибути GID"
+
+#: src/tools/sssctl/sssctl_data.c:482
+msgid "Action not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2531,115 +2602,107 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2738,98 +2801,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/po/tr.po b/po/tr.po
index 4e3987cd54c..5a8f401b54e 100644
--- a/po/tr.po
+++ b/po/tr.po
@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-07-22 07:19+0000\n"
 "Last-Translator: Kemal Oktay Aktoğan <oktay@e.email>\n"
 "Language-Team: Turkish <https://translate.fedoraproject.org/projects/sssd/"
@@ -2515,19 +2515,19 @@ msgstr "Adı belirtin."
 msgid "Unable to parse name %s.\n"
 msgstr "%s adı ayrıştırılamıyor.\n"
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr "SID'ye göre ara"
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr "Kullanıcı kimliğine göre ara"
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr "Başlangıç grupları sona erme süresi"
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr "Grup kimliğine göre ara"
 
@@ -2595,83 +2595,155 @@ msgstr "Yapılandırma birleştirme sırasında oluşturulan iletiler: %zu\n"
 msgid "Used configuration snippet files: %zu\n"
 msgstr "Kullanılan yapılandırma parçacığı dosyaları: %zu\n"
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr "Yedekleme dizini oluşturulamıyor [%d]: %s"
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr "Yerel verilerin SSSD yedeği zaten var, geçersiz kılınsın mı?"
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr "Kullanıcı geçersiz kılmaları dışa aktarılamıyor\n"
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr "Grup geçersiz kılmaları dışa aktarılamıyor\n"
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr "Mevcut yedeklemeyi geçersiz kıl"
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr "Kullanıcı geçersiz kılmaları içe aktarılamıyor\n"
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr "Grup geçersiz kılmaları içe aktarılamıyor\n"
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr "Çalışmıyorsa SSSD'yi başlatın"
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr "Verileri içe aktardıktan sonra SSSD'yi yeniden başlatın"
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr "Temiz önbellek dosyaları oluşturun ve yerel verileri içe aktarın"
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr "Önbelleği kaldırmadan önce SSSD'yi durdurun"
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr "Önbellek kaldırıldığında SSSD'yi başlatın"
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr "Yerel verilerin yedeği oluşturuluyor...\n"
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr "Yerel verilerin yedeği oluşturulamıyor, önbellek kaldırılamıyor.\n"
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr "Önbellek dosyaları kaldırılıyor...\n"
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr "Önbellek dosyaları kaldırılamıyor\n"
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr "Yerel veriler geri yükleniyor...\n"
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr "Belirli bir etki alanı hedefleyin"
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "domain"
+msgstr "etki alanı"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "UID özniteliği"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Kimlik doğrulama sağlayıcısı"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr "pam_get_item başarısız oldu: %s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 "Birincil veya güvenilen etki alanı türü de dahil olmak üzere etki alanı "
 "listesini göster"
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr "Sistem veriyoluna bağlanılamıyor!\n"
@@ -2730,115 +2802,107 @@ msgstr "Keşfedilen sunucuların listesini göster"
 msgid "Specify domain name."
 msgstr "Etki alanı adını belirtin."
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr "Yetersiz bellek!\n"
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr "Çevrimiçi durum alınamıyor\n"
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr "Sunucu listesi alınamıyor\n"
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr "SSSD çalışmıyor.\n"
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr "%1$-25s %2$#.4x\n"
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr "%1$-25s Bilinmeyen etki alanı\n"
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr "%1$-25s Erişilemeyen hizmet\n"
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr "Kesmek yerine günlük dosyalarını silin"
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr "Günlük dosyaları siliniyor...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr "Günlük dosyaları kaldırılamıyor\n"
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr "Günlük dosyaları kesiliyor...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr "Günlük dosyaları kesilemiyor\n"
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr "Günlük dosyaları %s içine arşivleniyor...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr "Günlük dosyaları arşivlenemiyor\n"
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr "Belirli bir etki alanı hedefleyin"
-
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "domain"
-msgstr "etki alanı"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr "SSSD hizmetini hedefleyin"
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr "NSS hizmetini hedefleyin"
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr "PAM hizmetini hedefleyin"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr "SUDO hizmetini hedefleyin"
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr "AUTOFS hizmetini hedefleyin"
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr "SSH hizmetini hedefleyin"
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr "PAC hizmetini hedefleyin"
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr "IFP hizmetini hedefleyin"
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr "Ayarlamak istediğiniz hata ayıklama düzeyini belirtin"
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 "HATA: Olay zinciri kimliği desteği eksik, günlük çözümleyicisi "
@@ -2945,7 +3009,7 @@ msgstr "[%s] ile InfoPipe Kullanıcı araması başarısız oldu.\n"
 msgid "pam_start failed: %s\n"
 msgstr "pam_start başarısız oldu: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
@@ -2953,12 +3017,12 @@ msgstr ""
 "pam_authenticate deneniyor\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr "pam_get_item başarısız oldu: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
@@ -2967,7 +3031,7 @@ msgstr ""
 "[%s] kullanıcısı için pam_authenticate: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
@@ -2975,7 +3039,7 @@ msgstr ""
 "pam_chauthtok deneniyor\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
@@ -2984,7 +3048,7 @@ msgstr ""
 "pam_chauthtok: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
@@ -2992,7 +3056,7 @@ msgstr ""
 "pam_acct_mgmt deneniyor\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
@@ -3001,7 +3065,7 @@ msgstr ""
 "pam_acct_mgmt: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
@@ -3009,7 +3073,7 @@ msgstr ""
 "pam_setcred deneniyor\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
@@ -3018,7 +3082,7 @@ msgstr ""
 "pam_setcred: [%s]\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
@@ -3026,7 +3090,7 @@ msgstr ""
 "pam_open_session deneniyor\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
@@ -3035,7 +3099,7 @@ msgstr ""
 "pam_open_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
@@ -3043,7 +3107,7 @@ msgstr ""
 "pam_close_session deneniyor\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
@@ -3052,15 +3116,15 @@ msgstr ""
 "pam_close_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr "bilinmeyen eylem\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr "PAM Ortamı:\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr " - ortam yok -\n"
 
diff --git a/po/uk.po b/po/uk.po
index bbed399a459..52fe2613bb4 100644
--- a/po/uk.po
+++ b/po/uk.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-07-08 09:19+0000\n"
 "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
 "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/sssd/"
@@ -24,8 +24,8 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
-"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
+"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
+"n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
 "X-Generator: Weblate 4.13\n"
 
 #: src/config/SSSDConfig/sssdoptions.py:20
@@ -2564,19 +2564,19 @@ msgstr "Вказати ім'я."
 msgid "Unable to parse name %s.\n"
 msgstr "Не вдалося обробити ім'я %s.\n"
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr "Шукати за SID"
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr "Шукати за ідентифікатором користувача"
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr "Час завершення строку дії груп ініціалізації"
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr "Шукати за ідентифікатором групи"
 
@@ -2644,85 +2644,157 @@ msgstr "Повідомлення, створені під час об'єднув
 msgid "Used configuration snippet files: %zu\n"
 msgstr "Використаних файлів фрагментів налаштувань: %zu\n"
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr "Не вдалося створити каталог резервної копії [%d]: %s"
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 "Резервна копія SSSD для локальних даних вже існує. Хочете її перезаписати?"
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr "Не вдалося експортувати перевизначення користувача\n"
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr "Не вдалося експортувати перевизначення групи\n"
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr "Перевизначити наявну резервну копію"
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr "Не вдалося імпортувати перевизначення користувача\n"
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr "Не вдалося імпортувати перевизначення групи\n"
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr "Запустити SSSD, якщо його ще не запущено"
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr "Перезапустити SSSD після імпортування даних"
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr "Створити порожні файли кешу і імпортувати локальні дані"
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr "Зупинка SSSD до вилучення кешу"
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr "Запуск SSSD після вилучення кешу"
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr "Створюємо резервну копію локальних даних...\n"
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 "Не вдалося створити резервну копію локальних даних, не вдалося вилучити "
 "кеш.\n"
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr "Вилучаємо файли кешу...\n"
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr "Не вдалося вилучити файли кешу\n"
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr "Відновлюємо локальні дані...\n"
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr "Спрямувати на вказаний домен"
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "domain"
+msgstr "домен"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "Атрибут UID"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "Служба розпізнавання"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr "Помилка команди, яку слід було виконати після вилучення запису: %1$s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 "Показати список доменів з включенням основних або довірених типів доменів"
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2782,115 +2854,107 @@ msgstr "Показати список виявлених серверів"
 msgid "Specify domain name."
 msgstr "Вказати назву домену."
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr "Не вистачає пам'яті\n"
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr "Не вдалося отримати стан з'єднання\n"
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr "Не вдалося отримати список серверів\n"
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr "SSSD не запущено.\n"
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr "%1$-25s %2$#.4x\n"
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr "%1$-25s Невідомий домен\n"
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr "%1$-25s Недоступна служба\n"
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr "Вилучити файли журналу замість обрізання"
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr "Вилучаємо файли журналу...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr "Не вдалося вилучити файли журналу\n"
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr "Обрізаємо файли журналу...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr "Не вдалося обрізати файли журналу\n"
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr "Архівуємо файли журналу до %s...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr "Не вдалося архівувати файли журналу\n"
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr "Спрямувати на вказаний домен"
-
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "domain"
-msgstr "домен"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr "Ціль — пристрій SSSD"
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr "Ціль — служба NSS"
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr "Ціль — служба PAM"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr "Ціль — служба SUDO"
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr "Ціль — служба AUTOFS"
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr "Ціль — служба SSH"
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr "Ціль — служба PAC"
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr "Ціль — служба IFP"
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr "Вкажіть рівень діагностики, яким ви хочете скористатися"
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 "Помилка: немає підтримки ідентифікатора ланцюжка Tevent, можливість аналізу "
@@ -2997,7 +3061,7 @@ msgstr "Не вдалося знайти користувача InfoPipe за д
 msgid "pam_start failed: %s\n"
 msgstr "Помилка pam_start: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
@@ -3005,12 +3069,12 @@ msgstr ""
 "перевіряємо pam_authenticate\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr "Помилка pam_get_item: %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
@@ -3019,7 +3083,7 @@ msgstr ""
 "pam_authenticate для користувача [%s]: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
@@ -3027,7 +3091,7 @@ msgstr ""
 "перевіряємо pam_chauthtok\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
@@ -3036,7 +3100,7 @@ msgstr ""
 "pam_chauthtok: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
@@ -3044,7 +3108,7 @@ msgstr ""
 "перевіряємо pam_acct_mgmt\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
@@ -3053,7 +3117,7 @@ msgstr ""
 "pam_acct_mgmt: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
@@ -3061,7 +3125,7 @@ msgstr ""
 "перевіряємо pam_setcred\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
@@ -3070,7 +3134,7 @@ msgstr ""
 "pam_setcred: [%s]\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
@@ -3078,7 +3142,7 @@ msgstr ""
 "перевіряємо pam_open_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
@@ -3087,7 +3151,7 @@ msgstr ""
 "pam_open_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
@@ -3095,7 +3159,7 @@ msgstr ""
 "перевіряємо pam_close_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
@@ -3104,15 +3168,15 @@ msgstr ""
 "pam_close_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr "невідома дія\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr "Середовище PAM:\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr " - немає середовища -\n"
 
@@ -3509,10 +3573,6 @@ msgstr "Інформує про те, що на відповідачі заді
 #~ msgid "Error while checking if the user was logged in\n"
 #~ msgstr "Помилка під час перевірки входу користувача до системи\n"
 
-#~ msgid "The post-delete command failed: %1$s\n"
-#~ msgstr ""
-#~ "Помилка команди, яку слід було виконати після вилучення запису: %1$s\n"
-
 #~ msgid "Not removing home dir - not owned by user\n"
 #~ msgstr "Домашній каталог не буде вилучено. Він не належить користувачеві.\n"
 
diff --git a/po/zh_CN.po b/po/zh_CN.po
index 634fcdc4f4c..e7db593fdd5 100644
--- a/po/zh_CN.po
+++ b/po/zh_CN.po
@@ -13,7 +13,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2022-06-24 20:18+0000\n"
 "Last-Translator: Transtats <suanand@redhat.com>\n"
 "Language-Team: Chinese (Simplified) <https://translate.fedoraproject.org/"
@@ -2374,19 +2374,19 @@ msgstr "指定名称。"
 msgid "Unable to parse name %s.\n"
 msgstr "无法解析名称 %s 。\n"
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr "使用 SID 搜索"
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr "使用用户 ID 搜索"
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr "Initgroups 过期时间"
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr "使用组 ID 搜索"
 
@@ -2448,81 +2448,154 @@ msgstr "配置合并期间生成的消息： %zu\n"
 msgid "Used configuration snippet files: %zu\n"
 msgstr "所使用的配置摘要文件： %zu\n"
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr "无法创建备份目录 [%d]: %s"
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr "SSSD 本地数据备份已经存在，可以覆盖吗？"
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr "无法导出用户覆盖\n"
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr "无法导出组覆盖\n"
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr "覆盖现有的备份"
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr "无法导入用户覆盖\n"
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr "无法导入组覆盖\n"
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr "如果未运行，启动 SSSD"
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr "数据导入后重新启动 SSSD"
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr "创建干净的缓存文件并导入本地数据"
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr "在删除缓存之前停止 SSSD"
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr "删除缓存后启动 SSSD"
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr "正在创建本地数据备份...\n"
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr "无法创建本地数据备份，无法删除缓存。\n"
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr "删除缓存文件...\n"
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr "无法删除缓存文件\n"
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr "恢复本地数据...\n"
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "IPA 域"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+#, fuzzy
+msgid "attribute"
+msgstr "UID 属性"
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "身份验证提供者"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, fuzzy, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr "后删除命令失败： %1$s\n"
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr "显示域列表，包括主要或受信任的域类型"
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr "无法连接到系统总线!\n"
@@ -2581,118 +2654,109 @@ msgstr "显示发现的服务器列表"
 msgid "Specify domain name."
 msgstr "指定域名。"
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr "无可用的内存！\n"
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr "无法获得在线状态\n"
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr "无法获取服务器列表\n"
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr "\n"
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 #, fuzzy
 msgid "SSSD is not running.\n"
 msgstr "SSSD 已运行\n"
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr "删除日志文件而不是截断"
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr "删除日志文件...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr "无法删除日志文件\n"
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr "截断日志文件...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr "无法截断日志文件\n"
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr "将日志文件归档到 %s ...\n"
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr "无法归档日志文件\n"
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "IPA 域"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 #, fuzzy
 msgid "Target the PAM service"
 msgstr "列出授权的 PAM 服务的属性"
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr "指定要设置的调试级别"
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr "ERROR：缺少 Tevent 链 ID 支持，不支持日志分析器。\n"
 
@@ -2797,7 +2861,7 @@ msgstr "使用 [%s] 进行 InfoPipe 用户查找失败。\n"
 msgid "pam_start failed: %s\n"
 msgstr "pam_start 失败： %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
@@ -2805,12 +2869,12 @@ msgstr ""
 "测试 pam_authenticate\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr "pam_get_item 失败： %s\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
@@ -2819,7 +2883,7 @@ msgstr ""
 "pam_authenticate 用户 [%s]: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
@@ -2827,7 +2891,7 @@ msgstr ""
 "测试 pam_chauthtok\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
@@ -2836,7 +2900,7 @@ msgstr ""
 "pam_chauthtok: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
@@ -2844,7 +2908,7 @@ msgstr ""
 "测试 pam_acct_mgmt\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
@@ -2853,7 +2917,7 @@ msgstr ""
 "pam_acct_mgmt: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
@@ -2861,7 +2925,7 @@ msgstr ""
 "测试 pam_setcred\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
@@ -2870,7 +2934,7 @@ msgstr ""
 "pam_setcred: [%s]\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
@@ -2878,7 +2942,7 @@ msgstr ""
 "测试 pam_open_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
@@ -2887,7 +2951,7 @@ msgstr ""
 "pam_open_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
@@ -2895,7 +2959,7 @@ msgstr ""
 "测试 pam_close_session\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
@@ -2904,15 +2968,15 @@ msgstr ""
 "pam_close_session: %s\n"
 "\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr "未知操作\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr "PAM 环境：\n"
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr " -没有环境-\n"
 
@@ -3255,9 +3319,6 @@ msgstr "通知响应者已被 dbus 激活"
 #~ msgid "Error while checking if the user was logged in\n"
 #~ msgstr "检查用户是否登录时出错\n"
 
-#~ msgid "The post-delete command failed: %1$s\n"
-#~ msgstr "后删除命令失败： %1$s\n"
-
 #~ msgid "Not removing home dir - not owned by user\n"
 #~ msgstr "没有删除主目录 - 不归用户所有\n"
 
diff --git a/po/zh_TW.po b/po/zh_TW.po
index e4dd7d1f11d..abcbc1123a0 100644
--- a/po/zh_TW.po
+++ b/po/zh_TW.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
-"POT-Creation-Date: 2022-08-26 21:53+0200\n"
+"POT-Creation-Date: 2022-10-07 12:50+0200\n"
 "PO-Revision-Date: 2014-12-14 11:50-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Chinese (Taiwan) (http://www.transifex.com/projects/p/sssd/"
@@ -2328,19 +2328,19 @@ msgstr ""
 msgid "Unable to parse name %s.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
+#: src/tools/sssctl/sssctl_cache.c:605 src/tools/sssctl/sssctl_cache.c:652
 msgid "Search by SID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:603
+#: src/tools/sssctl/sssctl_cache.c:606
 msgid "Search by user ID"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:612
+#: src/tools/sssctl/sssctl_cache.c:615
 msgid "Initgroups expiration time"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_cache.c:650
+#: src/tools/sssctl/sssctl_cache.c:653
 msgid "Search by group ID"
 msgstr ""
 
@@ -2400,81 +2400,153 @@ msgstr ""
 msgid "Used configuration snippet files: %zu\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:88
+#: src/tools/sssctl/sssctl_data.c:91
 #, c-format
 msgid "Unable to create backup directory [%d]: %s"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:94
+#: src/tools/sssctl/sssctl_data.c:97
 msgid "SSSD backup of local data already exists, override?"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:110
+#: src/tools/sssctl/sssctl_data.c:113
 msgid "Unable to export user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:117
+#: src/tools/sssctl/sssctl_data.c:120
 msgid "Unable to export group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:133 src/tools/sssctl/sssctl_data.c:216
+#: src/tools/sssctl/sssctl_data.c:136 src/tools/sssctl/sssctl_data.c:219
 msgid "Override existing backup"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:163
+#: src/tools/sssctl/sssctl_data.c:166
 msgid "Unable to import user overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:172
+#: src/tools/sssctl/sssctl_data.c:175
 msgid "Unable to import group overrides\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:193 src/tools/sssctl/sssctl_domains.c:82
+#: src/tools/sssctl/sssctl_data.c:196 src/tools/sssctl/sssctl_domains.c:82
 #: src/tools/sssctl/sssctl_domains.c:328
 msgid "Start SSSD if it is not running"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:194
+#: src/tools/sssctl/sssctl_data.c:197
 msgid "Restart SSSD after data import"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:217
+#: src/tools/sssctl/sssctl_data.c:220
 msgid "Create clean cache files and import local data"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:218
+#: src/tools/sssctl/sssctl_data.c:221
 msgid "Stop SSSD before removing the cache"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:219
+#: src/tools/sssctl/sssctl_data.c:222
 msgid "Start SSSD when the cache is removed"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:234
+#: src/tools/sssctl/sssctl_data.c:237
 msgid "Creating backup of local data...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:237
+#: src/tools/sssctl/sssctl_data.c:240
 msgid "Unable to create backup of local data, can not remove the cache.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:242
+#: src/tools/sssctl/sssctl_data.c:245
 msgid "Removing cache files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:245
+#: src/tools/sssctl/sssctl_data.c:248
 msgid "Unable to remove cache files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_data.c:250
+#: src/tools/sssctl/sssctl_data.c:253
 msgid "Restoring local data...\n"
 msgstr ""
 
+#: src/tools/sssctl/sssctl_data.c:415
+#, c-format
+msgid "Creating cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:417
+#, c-format
+msgid "Deleting cache index for domain %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:419
+#, c-format
+msgid "Indexes for domain %1$s:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:439
+#, c-format
+msgid "  Attribute: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+msgid "Target a specific domain"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:467 src/tools/sssctl/sssctl_logs.c:529
+#, fuzzy
+msgid "domain"
+msgstr "IPA 網域"
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "Attribute to index"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:469
+msgid "attribute"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:482
+#, fuzzy
+msgid "Action not provided\n"
+msgstr "認證提供者"
+
+#: src/tools/sssctl/sssctl_data.c:495
+#, c-format
+msgid ""
+"Unknown action: %1$s\n"
+"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:503
+msgid "Attribute (-a) not provided\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:511
+#, c-format
+msgid "Attribute %1$s not indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:514
+#, c-format
+msgid "Attribute %1$s already indexed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:517
+#, c-format
+msgid "Index operation failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:522
+msgid "Don't forget to also update the indexes on the remote providers.\n"
+msgstr ""
+
 #: src/tools/sssctl/sssctl_domains.c:83
 msgid "Show domain list including primary or trusted domain type"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:368
 #: src/tools/sssctl/sssctl_user_checks.c:95
 msgid "Unable to connect to system bus!\n"
 msgstr ""
@@ -2533,116 +2605,107 @@ msgstr ""
 msgid "Specify domain name."
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:355
+#: src/tools/sssctl/sssctl_domains.c:356
 msgid "Out of memory!\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
+#: src/tools/sssctl/sssctl_domains.c:376 src/tools/sssctl/sssctl_domains.c:386
 msgid "Unable to get online status\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_domains.c:395
+#: src/tools/sssctl/sssctl_domains.c:396
 msgid "Unable to get server list\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:50
+#: src/tools/sssctl/sssctl_logs.c:51
 msgid "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:214
+#: src/tools/sssctl/sssctl_logs.c:215
 msgid "SSSD is not running.\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:231
+#: src/tools/sssctl/sssctl_logs.c:232
 #, c-format
 msgid "%1$-25s %2$#.4x\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:235
+#: src/tools/sssctl/sssctl_logs.c:236
 #, c-format
 msgid "%1$-25s Unknown domain\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:237
+#: src/tools/sssctl/sssctl_logs.c:238
 #, c-format
 msgid "%1$-25s Unreachable service\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:452
+#: src/tools/sssctl/sssctl_logs.c:431
 msgid "Delete log files instead of truncating"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:463
+#: src/tools/sssctl/sssctl_logs.c:442
 msgid "Deleting log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:466
+#: src/tools/sssctl/sssctl_logs.c:445
 msgid "Unable to remove log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:483
+#: src/tools/sssctl/sssctl_logs.c:462
 msgid "Truncating log files...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:487
+#: src/tools/sssctl/sssctl_logs.c:466
 msgid "Unable to truncate log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:522
+#: src/tools/sssctl/sssctl_logs.c:501
 #, c-format
 msgid "Archiving log files into %s...\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:526
+#: src/tools/sssctl/sssctl_logs.c:505
 msgid "Unable to archive log files\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:547
-msgid "Target a specific domain"
-msgstr ""
-
-#: src/tools/sssctl/sssctl_logs.c:547
-#, fuzzy
-msgid "domain"
-msgstr "IPA 網域"
-
-#: src/tools/sssctl/sssctl_logs.c:548
+#: src/tools/sssctl/sssctl_logs.c:530
 msgid "Target the SSSD service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:549
+#: src/tools/sssctl/sssctl_logs.c:531
 msgid "Target the NSS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:550
+#: src/tools/sssctl/sssctl_logs.c:532
 msgid "Target the PAM service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:551
+#: src/tools/sssctl/sssctl_logs.c:533
 msgid "Target the SUDO service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:552
+#: src/tools/sssctl/sssctl_logs.c:534
 msgid "Target the AUTOFS service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:553
+#: src/tools/sssctl/sssctl_logs.c:535
 msgid "Target the SSH service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:554
+#: src/tools/sssctl/sssctl_logs.c:536
 msgid "Target the PAC service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:555
+#: src/tools/sssctl/sssctl_logs.c:537
 msgid "Target the IFP service"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:569
+#: src/tools/sssctl/sssctl_logs.c:552
 msgid "Specify debug level you want to set"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_logs.c:616
+#: src/tools/sssctl/sssctl_logs.c:600
 msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"
 msgstr ""
 
@@ -2741,98 +2804,98 @@ msgstr ""
 msgid "pam_start failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:268
+#: src/tools/sssctl/sssctl_user_checks.c:269
 msgid ""
 "testing pam_authenticate\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:272
+#: src/tools/sssctl/sssctl_user_checks.c:273
 #, c-format
 msgid "pam_get_item failed: %s\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:275
+#: src/tools/sssctl/sssctl_user_checks.c:276
 #, c-format
 msgid ""
 "pam_authenticate for user [%s]: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:278
+#: src/tools/sssctl/sssctl_user_checks.c:279
 msgid ""
 "testing pam_chauthtok\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:280
+#: src/tools/sssctl/sssctl_user_checks.c:281
 #, c-format
 msgid ""
 "pam_chauthtok: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:282
+#: src/tools/sssctl/sssctl_user_checks.c:283
 msgid ""
 "testing pam_acct_mgmt\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:284
+#: src/tools/sssctl/sssctl_user_checks.c:285
 #, c-format
 msgid ""
 "pam_acct_mgmt: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:286
+#: src/tools/sssctl/sssctl_user_checks.c:287
 msgid ""
 "testing pam_setcred\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:288
+#: src/tools/sssctl/sssctl_user_checks.c:289
 #, c-format
 msgid ""
 "pam_setcred: [%s]\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:290
+#: src/tools/sssctl/sssctl_user_checks.c:291
 msgid ""
 "testing pam_open_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:292
+#: src/tools/sssctl/sssctl_user_checks.c:293
 #, c-format
 msgid ""
 "pam_open_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:294
+#: src/tools/sssctl/sssctl_user_checks.c:295
 msgid ""
 "testing pam_close_session\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:296
+#: src/tools/sssctl/sssctl_user_checks.c:297
 #, c-format
 msgid ""
 "pam_close_session: %s\n"
 "\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:298
+#: src/tools/sssctl/sssctl_user_checks.c:299
 msgid "unknown action\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:301
+#: src/tools/sssctl/sssctl_user_checks.c:302
 msgid "PAM Environment:\n"
 msgstr ""
 
-#: src/tools/sssctl/sssctl_user_checks.c:309
+#: src/tools/sssctl/sssctl_user_checks.c:310
 msgid " - no env -\n"
 msgstr ""
 
diff --git a/src/man/po/br.po b/src/man/po/br.po
index e0cdff3c754..43befbda9f8 100644
--- a/src/man/po/br.po
+++ b/src/man/po/br.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2014-12-14 11:51-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Breton (http://www.transifex.com/projects/p/sssd/language/"
@@ -206,10 +206,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr "Dre ziouer : true"
 
@@ -227,12 +227,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr ""
 
@@ -264,8 +264,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -295,7 +295,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr ""
 
@@ -371,8 +371,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "Dre ziouer : 3"
 
@@ -393,7 +393,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr "re_expression (neudennad)"
 
@@ -413,12 +413,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr "full_name_format (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -426,39 +426,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -596,11 +596,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr ""
 
@@ -866,8 +866,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr ""
 
@@ -1014,7 +1014,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr ""
 
@@ -1120,7 +1120,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr ""
 
@@ -1489,7 +1489,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr ""
 
@@ -1515,8 +1515,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr ""
@@ -1828,7 +1828,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
@@ -1841,7 +1841,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1855,7 +1855,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Dre ziouer : 0"
 
@@ -1918,8 +1918,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr ""
 
@@ -1984,9 +1984,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr ""
 
@@ -2001,7 +2001,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2099,48 +2099,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2258,7 +2258,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr ""
 
@@ -2292,7 +2292,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -2302,7 +2302,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2322,7 +2322,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr ""
@@ -2684,25 +2684,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr "re_expression (neudennad)"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2710,73 +2721,71 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -2786,66 +2795,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -2853,17 +2862,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -2871,7 +2880,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -2880,60 +2889,60 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 #, fuzzy
 #| msgid "re_expression (string)"
 msgid "exclude_users (string)"
 msgstr "re_expression (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 msgid "Default: Empty. No users excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 #, fuzzy
 #| msgid "filter_users, filter_groups (string)"
 msgid "exclude_groups (string)"
 msgstr "filter_users, filter_groups (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 msgid "Default: Empty. No groups excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr "RANNOÙ DOMANI"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -2943,12 +2952,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -2957,14 +2966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -2973,38 +2982,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3013,24 +3022,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3039,29 +3048,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3075,14 +3084,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3091,39 +3100,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3132,19 +3141,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3155,139 +3164,139 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3296,17 +3305,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3318,33 +3327,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3352,19 +3361,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3373,17 +3382,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3392,28 +3401,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3421,7 +3430,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3429,8 +3438,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3439,8 +3448,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3448,19 +3457,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3469,7 +3478,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3477,24 +3486,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3506,27 +3515,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3534,7 +3554,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3542,30 +3562,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3573,19 +3593,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3594,7 +3614,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3602,29 +3622,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3632,7 +3652,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3640,35 +3660,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3676,32 +3696,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3712,7 +3732,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3721,12 +3741,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3734,7 +3754,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3742,31 +3762,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3774,7 +3794,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3783,17 +3803,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -3801,43 +3821,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3845,7 +3865,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3853,7 +3873,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3861,24 +3881,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3886,31 +3906,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3918,7 +3938,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -3927,12 +3947,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3942,7 +3962,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -3951,29 +3971,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3981,104 +4001,102 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 msgid "dns_resolver_server_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 msgid "dns_resolver_op_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4087,64 +4105,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4152,38 +4170,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4191,49 +4202,104 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
+#: sssd.conf.5.xml:3695
+msgid "ldap_search_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+msgid "ldap_network_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+msgid "ldap_opt_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+msgid "ldap_offline_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3707
+msgid "ldap_enumeration_refresh_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+msgid "ldap_enumeration_refresh_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+msgid "ldap_purge_cache_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+msgid "ldap_krb5_ticket_lifetime"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+msgid "ldap_enumeration_search_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+msgid "ldap_connection_expire_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+msgid "ldap_connection_expire_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 msgid "ldap_connection_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4241,27 +4307,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4271,34 +4337,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4307,19 +4373,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4327,24 +4393,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4353,24 +4419,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4380,14 +4446,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4395,21 +4461,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4417,7 +4483,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4426,7 +4492,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4435,7 +4501,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4443,29 +4509,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4473,12 +4539,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4486,12 +4552,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4500,12 +4566,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4513,19 +4579,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -4542,7 +4608,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -4550,17 +4616,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -4569,7 +4635,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -4579,7 +4645,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4599,12 +4665,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -4615,69 +4681,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -4690,7 +4756,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -4698,7 +4764,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -4707,55 +4773,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -4764,17 +4830,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -4782,26 +4848,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -4810,17 +4876,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -4830,7 +4896,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -4839,59 +4905,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -4900,7 +4966,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -4909,7 +4975,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -4918,7 +4984,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -4926,12 +4992,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4961,7 +5027,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -4970,7 +5036,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -4978,7 +5044,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -4989,7 +5055,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -5003,7 +5069,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5066,7 +5132,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5167,7 +5233,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr ""
@@ -5383,12 +5449,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5396,7 +5462,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5405,12 +5471,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5418,7 +5484,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5428,7 +5494,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5438,34 +5504,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -5473,32 +5539,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5506,7 +5572,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5514,12 +5580,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5527,12 +5593,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5543,12 +5609,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5557,12 +5623,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5571,7 +5637,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -5582,36 +5648,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -5619,29 +5685,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5649,14 +5715,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5664,17 +5730,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5684,12 +5750,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5697,17 +5763,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -5715,12 +5781,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5728,7 +5794,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -5739,7 +5805,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5748,7 +5814,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5756,12 +5822,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -5769,7 +5835,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -5777,26 +5843,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5804,7 +5870,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5812,7 +5878,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5820,41 +5886,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5863,32 +5929,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5896,24 +5962,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5921,17 +5987,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5942,24 +6008,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -5970,12 +6036,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -5988,7 +6054,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -6000,17 +6066,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -6018,49 +6084,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6068,28 +6134,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6101,7 +6167,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6109,7 +6175,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6117,39 +6183,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6159,7 +6225,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6167,26 +6233,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6195,7 +6261,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6203,31 +6269,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6240,51 +6306,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -6293,12 +6359,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6314,12 +6380,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6328,14 +6394,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6344,24 +6410,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6369,19 +6435,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6390,7 +6456,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6398,7 +6464,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6407,7 +6473,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6415,22 +6481,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6440,14 +6506,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6460,12 +6526,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6475,7 +6541,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6485,63 +6551,63 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6550,74 +6616,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6628,7 +6694,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6636,48 +6702,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 msgid "ldap_library_debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr ""
 
@@ -6694,12 +6760,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6707,43 +6773,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -6751,14 +6817,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -6768,19 +6834,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 msgid "ldap_sudo_random_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -6788,7 +6854,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -6796,106 +6862,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6904,59 +6970,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -6965,22 +7031,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -6989,14 +7055,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7004,7 +7070,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7017,27 +7083,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7053,13 +7119,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8073,7 +8139,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -9100,7 +9166,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr ""
 
@@ -9115,7 +9181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -9130,12 +9196,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -9156,12 +9222,12 @@ msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -9185,17 +9251,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -9203,17 +9269,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 msgid "dyndns_auth_ptr (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -9221,7 +9287,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -9231,7 +9297,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
@@ -9248,7 +9314,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
@@ -9261,12 +9327,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -9285,60 +9351,60 @@ msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -9469,26 +9535,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -9507,7 +9573,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr ""
 
@@ -10058,39 +10124,59 @@ msgid ""
 "LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -10098,7 +10184,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -10106,7 +10192,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -10114,19 +10200,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -10134,26 +10220,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -10162,7 +10248,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -10170,12 +10256,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -10186,12 +10272,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -10200,7 +10286,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -10209,7 +10295,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -10218,14 +10304,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -10238,7 +10324,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -10247,7 +10333,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -10265,24 +10351,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -10291,7 +10377,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -10300,12 +10386,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -10315,7 +10401,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -10324,7 +10410,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -10333,7 +10419,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -10343,21 +10429,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -10367,7 +10453,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -10382,23 +10468,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -10406,22 +10492,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -10432,7 +10518,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -10440,74 +10526,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 msgid "all users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 msgid "only users in allow-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 msgid "no users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -10517,12 +10603,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -10530,12 +10616,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -10551,14 +10637,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -10566,7 +10652,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10578,42 +10664,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -10629,7 +10715,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -10637,7 +10723,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -10645,7 +10731,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10657,22 +10743,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -10688,7 +10774,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -10696,7 +10782,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -10704,7 +10790,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10716,22 +10802,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -10746,14 +10832,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -10761,7 +10847,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10773,23 +10859,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -10805,14 +10891,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -10820,7 +10906,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -10831,19 +10917,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -10851,7 +10937,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10863,29 +10949,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -10893,12 +10979,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -10911,57 +10997,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -10969,17 +11055,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -10989,17 +11075,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -11008,12 +11094,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -11024,12 +11110,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -11040,7 +11126,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -11055,7 +11141,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -11067,7 +11153,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -11078,19 +11164,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -11100,7 +11186,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -11108,7 +11194,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -11123,7 +11209,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -11132,7 +11218,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -11140,7 +11226,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -11150,7 +11236,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -16814,32 +16900,43 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+msgid "Authentication Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -17510,96 +17607,111 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+msgid "Default: false (IPA and AD provider: true)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -17607,12 +17719,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/ca.po b/src/man/po/ca.po
index 668f8d6dd37..52e18a6a2ff 100644
--- a/src/man/po/ca.po
+++ b/src/man/po/ca.po
@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2015-10-18 04:13-0400\n"
 "Last-Translator: Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>\n"
 "Language-Team: Catalan (http://www.transifex.com/projects/p/sssd/language/"
@@ -232,10 +232,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr "Per defecte: true"
 
@@ -256,12 +256,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr "Per defecte: false"
 
@@ -295,8 +295,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -326,7 +326,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr "Per defecte: 10"
 
@@ -412,8 +412,8 @@ msgstr ""
 "vençuts"
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "Per defecte: 3"
 
@@ -434,7 +434,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr "re_expression (cadena)"
 
@@ -456,12 +456,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr "full_name_format (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -472,40 +472,40 @@ msgstr ""
 "compondre un FQN des dels components del nom d'usuari i del nom del domini."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr "nom d'usuari"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 "el nom del domini tal com s'especifica al fitxer de configuració de l'SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -665,11 +665,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr "Per defecte: sense establir"
 
@@ -945,8 +945,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr "Per defecte: Sense establir"
 
@@ -1107,7 +1107,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr "Per defecte: 60"
 
@@ -1219,7 +1219,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr "Per defecte: 300"
 
@@ -1629,7 +1629,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr "Per defecte: 8"
 
@@ -1657,8 +1657,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr "Per defecte: 6"
@@ -1996,7 +1996,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
@@ -2009,7 +2009,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -2023,7 +2023,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Per defecte: 0"
 
@@ -2086,8 +2086,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr "Per defecte: none"
 
@@ -2152,9 +2152,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr "Per defecte: False"
 
@@ -2169,7 +2169,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2272,48 +2272,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr "login"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr "su"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr "su-l"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr "gdm-smartcard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr "gdm-password"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr "kdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr "sudo"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr "sudo-i"
 
@@ -2431,7 +2431,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 #, fuzzy
 #| msgid "ad_gpo_map_service (string)"
 msgid "pam_gssapi_services"
@@ -2475,7 +2475,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Exemple: <placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -2485,7 +2485,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2505,7 +2505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr "Per defecte: True"
@@ -2885,25 +2885,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr "ldap_schema (cadena)"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2911,73 +2922,77 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder "
+#| "type=\"variablelist\" id=\"0\"/>"
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
+"S'admeten les següents ampliacions: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -2987,66 +3002,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -3054,17 +3069,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -3072,7 +3087,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -3081,64 +3096,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 #, fuzzy
 #| msgid "simple_deny_users (string)"
 msgid "exclude_users (string)"
 msgstr "simple_deny_users (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 #, fuzzy
 #| msgid "Default: empty, i.e. ldap_uri is used."
 msgid "Default: Empty. No users excluded."
 msgstr "Per defecte: buit, és a dir, s'utilitza ldap_uri."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 #, fuzzy
 #| msgid "simple_deny_groups (string)"
 msgid "exclude_groups (string)"
 msgstr "simple_deny_groups (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 #, fuzzy
 #| msgid "Default: empty, i.e. ldap_uri is used."
 msgid "Default: Empty. No groups excluded."
 msgstr "Per defecte: buit, és a dir, s'utilitza ldap_uri."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr "SECCIONS DE DOMINI"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -3148,12 +3163,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -3162,14 +3177,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -3178,31 +3193,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr "min_id, max_id (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -3211,7 +3226,7 @@ msgstr ""
 "fora d'aquests límits, s'ignora."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3224,24 +3239,24 @@ msgstr ""
 "com s'esperava."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Per defecte: 1 per a min_id, 0 (sense límit) per a max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr "enumerate (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3250,29 +3265,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = Els usuaris i grups s'enumeren"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = Cap enumeració per a aquest domini"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr "Per defecte: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3286,7 +3301,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -3296,7 +3311,7 @@ msgstr ""
 "finalitzi."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3310,39 +3325,39 @@ msgstr ""
 "ús."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3351,12 +3366,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -3365,7 +3380,7 @@ msgstr ""
 "demanar al rerefons una altra vegada"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3376,139 +3391,139 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr "Per defecte: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr "Per defecte: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr "entry_cache_ssh_host_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3517,17 +3532,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3539,35 +3554,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr "Per defecte: 0 (inhabilitat)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "Determina si les credencials d'usuari també són emmagatzemades en la memòria "
 "cau local de LDB"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3575,19 +3590,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3600,17 +3615,17 @@ msgstr ""
 "ha de ser superior o igual que offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr "Per defecte: 0 (sense límit)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3619,28 +3634,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Per defecte: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr "id_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3648,7 +3663,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3656,8 +3671,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3666,8 +3681,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3675,19 +3690,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3700,7 +3715,7 @@ msgstr ""
 "l'usuari mentre que <command>getent passwd test@LOCAL</command> sí."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3708,24 +3723,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3737,20 +3752,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr "auth_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -3759,7 +3785,7 @@ msgstr ""
 "d'autenticació suportats són:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3770,7 +3796,7 @@ msgstr ""
 "manvolnum></citerefentry> per a més informació sobre configuració d'LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3781,7 +3807,7 @@ msgstr ""
 "manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
@@ -3789,12 +3815,12 @@ msgstr ""
 "de PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> impossibilita l'autenticació explícitament."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -3803,12 +3829,12 @@ msgstr ""
 "gestionar les sol·licituds d'autenticació."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr "access_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3819,19 +3845,19 @@ msgstr ""
 "instal·lats) Els proveïdors especials interns són:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> sempre denega l'accés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3844,7 +3870,7 @@ msgstr ""
 "configuració del mòdul d'accés simple."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3852,22 +3878,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr "Per defecte: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -3876,7 +3902,7 @@ msgstr ""
 "al domini.  Els proveïdors de canvi de contrasenya compatibles són:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3884,7 +3910,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3895,7 +3921,7 @@ msgstr ""
 "manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
@@ -3903,12 +3929,12 @@ msgstr ""
 "objectiu PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "<quote>none</quote> rebutja els canvis de contrasenya explícitament."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -3917,17 +3943,17 @@ msgstr ""
 "gestionar peticions de canvi de contrasenya."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3935,32 +3961,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3971,7 +3997,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3980,12 +4006,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3993,7 +4019,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4001,31 +4027,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4033,7 +4059,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -4042,17 +4068,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -4060,43 +4086,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4104,7 +4130,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4112,7 +4138,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4120,24 +4146,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4145,31 +4171,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -4177,7 +4203,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -4186,12 +4212,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -4201,7 +4227,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -4210,29 +4236,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -4243,17 +4269,17 @@ msgstr ""
 "quote> , el domini és tot el que hi ha després\""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Per defecte: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -4262,91 +4288,89 @@ msgstr ""
 "realitzar cerques de DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr "Valors admesos:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr "ipv4_first: Intenta resoldre l'adreça IPv4, si falla, intenta IPv6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr "ipv4_only: Intenta resoldre només noms màquina a adreces IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr "ipv6_first: Intenta resoldre l'adreça IPv6, si falla, intenta IPv4"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr "ipv6_only: Intenta resoldre només noms màquina a adreces IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr "Per defecte: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 #, fuzzy
 #| msgid "dns_resolver_timeout (integer)"
 msgid "dns_resolver_server_timeout (integer)"
 msgstr "dns_resolver_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr "Per defecte: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 #, fuzzy
 #| msgid "dns_resolver_timeout (integer)"
 msgid "dns_resolver_op_timeout (integer)"
 msgstr "dns_resolver_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4355,12 +4379,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -4369,52 +4393,52 @@ msgstr ""
 "del domini de la consulta DNS del servei de descobriment."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr "Per defecte: Utilitza la part del domini del nom de màquina"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr "override_gid (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr "case_sensitive (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr "True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr "False"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4422,14 +4446,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 #, fuzzy
 #| msgid ""
 #| "The following expansions are supported: <placeholder "
@@ -4442,24 +4466,17 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr "subdomain_inherit (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4467,53 +4484,130 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
-msgstr "ignore_group_members"
+#: sssd.conf.5.xml:3695
+#, fuzzy
+#| msgid "ldap_search_timeout (integer)"
+msgid "ldap_search_timeout"
+msgstr "ldap_search_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+#, fuzzy
+#| msgid "ldap_network_timeout (integer)"
+msgid "ldap_network_timeout"
+msgstr "ldap_network_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+#, fuzzy
+#| msgid "ldap_opt_timeout (integer)"
+msgid "ldap_opt_timeout"
+msgstr "ldap_opt_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_offline_timeout"
+msgstr "ldap_connection_expire_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3707
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_timeout"
+msgstr "ldap_enumeration_refresh_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3710
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_offset"
+msgstr "ldap_enumeration_refresh_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+#, fuzzy
+#| msgid "ldap_purge_cache_timeout"
+msgid "ldap_purge_cache_offset"
+msgstr "ldap_purge_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+#, fuzzy
+#| msgid "ldap_krb5_ticket_lifetime (integer)"
+msgid "ldap_krb5_ticket_lifetime"
+msgstr "ldap_krb5_ticket_lifetime (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+#, fuzzy
+#| msgid "ldap_enumeration_search_timeout (integer)"
+msgid "ldap_enumeration_search_timeout"
+msgstr "ldap_enumeration_search_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_connection_expire_timeout"
+msgstr "ldap_connection_expire_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_connection_expire_offset"
+msgstr "ldap_connection_expire_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 #, fuzzy
 #| msgid "ldap_connection_expire_timeout (integer)"
 msgid "ldap_connection_idle_timeout"
 msgstr "ldap_connection_expire_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr "ldap_user_principal"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
-msgstr ""
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
+msgstr "ignore_group_members"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 #, fuzzy
 #| msgid "case_sensitive (string)"
 msgid "case_sensitive"
 msgstr "case_sensitive (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4523,27 +4617,27 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4553,34 +4647,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Per defecte: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4589,19 +4683,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4609,24 +4703,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4635,24 +4729,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4662,14 +4756,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4677,21 +4771,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4699,7 +4793,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4708,7 +4802,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4717,7 +4811,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4728,17 +4822,17 @@ msgstr ""
 "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr "El servidor intermediari on reenvia PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -4747,12 +4841,12 @@ msgstr ""
 "de pam existent o crear-ne una de nova i afegir aquí el nom del servei."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4763,12 +4857,12 @@ msgstr ""
 "format _nss_$(libName)_$(function), per exemple _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4776,12 +4870,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4790,12 +4884,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4803,7 +4897,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -4812,12 +4906,12 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -4834,7 +4928,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -4842,17 +4936,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -4861,7 +4955,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -4871,7 +4965,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4891,12 +4985,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -4907,69 +5001,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -4982,7 +5076,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -4990,7 +5084,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -4999,55 +5093,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -5056,17 +5150,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -5074,26 +5168,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -5102,17 +5196,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -5122,7 +5216,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -5131,59 +5225,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -5192,7 +5286,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -5201,7 +5295,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -5210,7 +5304,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -5218,12 +5312,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -5277,7 +5371,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -5286,7 +5380,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -5294,7 +5388,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -5305,7 +5399,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -5319,7 +5413,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5395,7 +5489,7 @@ msgstr ""
 "informació sobre l'ús d'LDAP com un proveïdor d'accés."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5499,7 +5593,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr "Exemples:"
@@ -5722,12 +5816,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5738,7 +5832,7 @@ msgstr ""
 "los per estalviar espai."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5747,12 +5841,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5764,7 +5858,7 @@ msgstr ""
 "RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5774,7 +5868,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5784,34 +5878,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr "Per defecte: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -5819,32 +5913,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "Per defecte: el valor de <emphasis>ldap_search_base</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5852,7 +5946,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5860,12 +5954,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5873,12 +5967,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5895,12 +5989,12 @@ msgstr ""
 "manvolnum></citerefentry> retorna en cas de cap activitat."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5909,12 +6003,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5923,7 +6017,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -5934,38 +6028,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr "Per defecte: 900 (15 minuts)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 #, fuzzy
 #| msgid "ldap_connection_expire_timeout (integer)"
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -5973,29 +6067,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -6003,14 +6097,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -6018,17 +6112,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr "ldap_disable_range_retrieval (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -6038,12 +6132,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -6051,17 +6145,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -6069,12 +6163,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -6082,7 +6176,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -6093,7 +6187,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -6102,7 +6196,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -6110,12 +6204,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -6123,7 +6217,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -6131,12 +6225,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -6146,7 +6240,7 @@ msgstr ""
 "valors següents:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -6155,7 +6249,7 @@ msgstr ""
 "certificat del servidor."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -6167,7 +6261,7 @@ msgstr ""
 "normalment."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -6178,7 +6272,7 @@ msgstr ""
 "proporciona un certificat dolent, immediatament s'acaba la sessió."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -6189,22 +6283,22 @@ msgstr ""
 "immediatament s'acaba la sessió."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> = Igual que <quote>demand</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr "Per defecte: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -6213,7 +6307,7 @@ msgstr ""
 "Certificació que reconeixerà l'<command>sssd</command>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -6222,12 +6316,12 @@ msgstr ""
 "<filename>/etc/openldap/ldap.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -6241,32 +6335,32 @@ msgstr ""
 "correctes."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -6274,12 +6368,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
@@ -6288,12 +6382,12 @@ msgstr ""
 "class=\"protocol\">tls</systemitem> per a protegir el canal."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -6301,17 +6395,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -6322,24 +6416,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -6350,12 +6444,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -6368,7 +6462,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -6380,17 +6474,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -6398,51 +6492,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr "Per defecte: el valor de krb5_realm."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr "Per defecte: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "Per defecte: Fitxer keytab de sistema, normalment <filename>/etc/krb5."
 "keytab</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6450,28 +6544,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr "Per defecte: 86400 (24 hores)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6483,7 +6577,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6494,7 +6588,7 @@ msgstr ""
 "retorna a _tcp si no se'n troba cap."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6506,41 +6600,41 @@ msgstr ""
 "<quote>krb5_server</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 "Per defecte: Paràmetres predeterminats del sistema, vegeu <filename>/etc/"
 "krb5.conf</filename>"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr "krb5_use_kdcinfo (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6550,7 +6644,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6558,12 +6652,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -6572,7 +6666,7 @@ msgstr ""
 "costat del client. S'admeten els valors següents:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -6581,7 +6675,7 @@ msgstr ""
 "opció no inhabilita les polítiques de contrasenya de servidor."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6590,7 +6684,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6602,25 +6696,25 @@ msgstr ""
 "contrasenya."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 "Especifica si el seguiment automàtic del referenciador s'hauria d'habilitar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -6629,7 +6723,7 @@ msgstr ""
 "quan es compila amb la versió 2.4.13 o superiors d'OpenLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6642,29 +6736,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "Especifica el nom de servei per utilitzar quan està habilitada la detecció "
 "de serveis."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr "Per defecte: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -6674,25 +6768,25 @@ msgstr ""
 "dels serveis."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 "Defecte: no definit, és a dir, el descobriment de serveis està inhabilitat"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -6701,12 +6795,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6722,12 +6816,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr "Exemple:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6736,14 +6830,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6752,17 +6846,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr "Per defecte: Buit"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -6771,7 +6865,7 @@ msgstr ""
 "d'atributs de control d'accés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6783,12 +6877,12 @@ msgstr ""
 "contrasenya és correcta."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr "S'admeten els valors següents:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -6797,7 +6891,7 @@ msgstr ""
 "determinar si el compte ha caducat."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6806,7 +6900,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6814,7 +6908,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6823,7 +6917,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6831,24 +6925,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "Llista separada per comes d'opcions de control d'accés. Els valors permesos "
 "són:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filter</emphasis>: utilitza ldap_access_filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6858,14 +6952,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6878,12 +6972,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr "<emphasis>expire</emphasis>: utilitza ldap_account_expire_policy"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6893,7 +6987,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6903,20 +6997,20 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -6925,31 +7019,31 @@ msgstr ""
 "authorizedService per determinar l'accés"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr "Per defecte: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
@@ -6958,12 +7052,12 @@ msgstr ""
 "s'utilitza més d'una vegada."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr "ldap_pwdlockout_dn (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6972,22 +7066,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr "Exemple: cn=ppolicy,ou=policies,dc=exemple,dc=com"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr "Per defecte: cn=ppolicy,ou=policies,$ldap_search_base"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -6996,13 +7090,13 @@ msgstr ""
 "es fa una cerca. S'admeten les opcions següents:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 "<emphasis>never</emphasis>: les referències dels àlies mai són eliminades."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -7012,7 +7106,7 @@ msgstr ""
 "de la cerca."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -7021,7 +7115,7 @@ msgstr ""
 "només en localitzar l'objecte base de la cerca."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -7030,7 +7124,7 @@ msgstr ""
 "en la recerca i en la localització de l'objecte base de la cerca."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -7039,19 +7133,19 @@ msgstr ""
 "biblioteques de client LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -7062,7 +7156,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -7070,50 +7164,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 #, fuzzy
 #| msgid "debug_level (integer)"
 msgid "ldap_library_debug_level (integer)"
 msgstr "debug_level (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 #, fuzzy
 #| msgid "Default: 0 (disabled)"
 msgid "Default: 0 (libldap debugging disabled)"
@@ -7132,12 +7226,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr "OPCIONS DE SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -7145,43 +7239,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr "Per defecte: 21600 (6 hores)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -7189,14 +7283,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -7206,21 +7300,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 #, fuzzy
 #| msgid "ldap_idmap_range_size (integer)"
 msgid "ldap_sudo_random_offset (integer)"
 msgstr "ldap_idmap_range_size (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -7228,7 +7322,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -7236,106 +7330,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "ldap_sudo_include_netgroups (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -7344,59 +7438,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr "OPCIONS D'AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr "ldap_autofs_map_master_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr "Per defecte: auto.master"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr "OPCIONS AVANÇADES"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr "<note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -7405,22 +7499,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr "</note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -7429,14 +7523,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr "EXEMPLE"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7447,7 +7541,7 @@ msgstr ""
 "replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7460,27 +7554,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7496,13 +7590,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "NOTES"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8608,7 +8702,7 @@ msgstr ""
 "s'avaluen els grups locals."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -9668,7 +9762,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr "dyndns_update (booleà)"
 
@@ -9683,7 +9777,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -9698,12 +9792,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr "dyndns_ttl (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -9724,12 +9818,12 @@ msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr "dyndns_iface (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -9753,17 +9847,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -9771,19 +9865,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 #, fuzzy
 #| msgid "dyndns_iface (string)"
 msgid "dyndns_auth_ptr (string)"
 msgstr "dyndns_iface (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -9791,7 +9885,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -9801,7 +9895,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr "ipa_enable_dns_sites (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
@@ -9818,7 +9912,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr "dyndns_refresh_interval (enter)"
 
@@ -9831,12 +9925,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr "dyndns_update_ptr (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -9855,60 +9949,60 @@ msgid "Default: False (disabled)"
 msgstr "Per defecte: False (inhabilitat)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr "dyndns_force_tcp (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -10043,26 +10137,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr "krb5_confd_path (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -10081,7 +10175,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr "Per defecte: 5 (segons)"
 
@@ -10642,39 +10736,59 @@ msgid ""
 "LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr "ad_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -10682,7 +10796,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -10690,7 +10804,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -10698,19 +10812,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -10718,26 +10832,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -10746,7 +10860,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -10754,12 +10868,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr "ad_enable_dns_sites (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -10770,12 +10884,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr "ad_access_filter (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -10784,7 +10898,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -10793,7 +10907,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -10802,14 +10916,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -10822,7 +10936,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -10831,7 +10945,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -10849,24 +10963,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr "ad_site (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr "ad_enable_gc (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -10875,7 +10989,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -10884,12 +10998,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr "ad_gpo_access_control (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -10899,7 +11013,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -10908,7 +11022,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -10917,7 +11031,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -10927,21 +11041,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -10951,7 +11065,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -10966,23 +11080,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -10990,22 +11104,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr "Per defecte: permissive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr "Per defecte: enforcing"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -11016,7 +11130,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -11024,82 +11138,82 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "all users are allowed"
 msgstr "S'admeten els valors següents:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "only users in allow-rules are allowed"
 msgstr "S'admeten els valors següents:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 #, fuzzy
 #| msgid "ad_gpo_map_deny (string)"
 msgid "ad_gpo_implicit_deny = True"
 msgstr "ad_gpo_map_deny (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "no users are allowed"
 msgstr "S'admeten els valors següents:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -11109,12 +11223,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr "ad_gpo_cache_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -11122,12 +11236,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr "ad_gpo_map_interactive (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -11143,14 +11257,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -11160,7 +11274,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11172,42 +11286,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr "gdm-fingerprint"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr "ad_gpo_map_remote_interactive (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -11223,7 +11337,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -11231,7 +11345,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -11241,7 +11355,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11253,22 +11367,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr "sshd"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr "ad_gpo_map_network (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -11284,7 +11398,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -11292,7 +11406,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -11302,7 +11416,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11314,22 +11428,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr "ftp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr "samba"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr "ad_gpo_map_batch (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -11344,14 +11458,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -11361,7 +11475,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11373,23 +11487,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr "crond"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr "ad_gpo_map_service (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -11405,14 +11519,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -11422,7 +11536,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -11433,19 +11547,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr "ad_gpo_map_permit (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -11455,7 +11569,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11467,29 +11581,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr "systemd-user"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr "ad_gpo_map_deny (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -11499,12 +11613,12 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr "ad_gpo_default_right (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -11517,57 +11631,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -11575,17 +11689,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -11595,17 +11709,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -11614,12 +11728,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -11630,14 +11744,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 #, fuzzy
 #| msgid "ldap_sudo_include_netgroups (boolean)"
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr "ldap_sudo_include_netgroups (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -11648,7 +11762,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -11663,7 +11777,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -11675,7 +11789,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -11686,19 +11800,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr "Per defecte: 3600 (segons)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -11708,7 +11822,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -11716,7 +11830,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -11740,7 +11854,7 @@ msgstr ""
 "ad_domain = exemple.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -11752,7 +11866,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -11760,7 +11874,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -11770,7 +11884,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -17726,32 +17840,43 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+msgid "Authentication Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -18479,96 +18604,121 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+msgid "Default: false (IPA and AD provider: true)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+#, fuzzy
+#| msgid ""
+#| "The descriptions of some of the configuration options in this manual page "
+#| "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+#| "<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP "
+#| "2.4 distribution."
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+"Les descripcions d'algunes de les opcions de configuració en aquesta pàgina "
+"del manual es basen en la pàgina del manual <citerefentry>de "
+"<refentrytitle>ldap.conf</refentrytitle> <manvolnum>5</manvolnum></"
+"citerefentry> de la distribució d'OpenLDAP 2.4."
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr "krb5_renewable_lifetime (cadena)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr "<emphasis>s</emphasis> per segons"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr "<emphasis>m</emphasis> per minuts"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr "<emphasis>h</emphasis> per hores"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr "<emphasis>d</emphasis> per dies."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr "krb5_lifetime (cadena)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr "krb5_renew_interval (cadena)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -18576,12 +18726,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/cs.po b/src/man/po/cs.po
index bb8d2e2cfff..ab7108e9210 100644
--- a/src/man/po/cs.po
+++ b/src/man/po/cs.po
@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2022-05-20 09:18+0000\n"
 "Last-Translator: Pavel Borecki <pavel.borecki@gmail.com>\n"
 "Language-Team: Czech <https://translate.fedoraproject.org/projects/sssd/sssd-"
@@ -224,10 +224,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr "Výchozí: true (pravda)"
 
@@ -245,12 +245,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr "Výchozí: false (nepravda)"
 
@@ -282,8 +282,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -313,7 +313,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr ""
 
@@ -391,8 +391,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "Výchozí: 3"
 
@@ -413,7 +413,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr ""
 
@@ -433,12 +433,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr "full_name_format (řetězec)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -446,39 +446,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr "uživatelské jméno"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -620,11 +620,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr ""
 
@@ -890,8 +890,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr ""
 
@@ -1038,7 +1038,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr ""
 
@@ -1148,7 +1148,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr ""
 
@@ -1522,7 +1522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr ""
 
@@ -1550,8 +1550,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr ""
@@ -1861,7 +1861,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr "Zobrazit varování N dnů před skončením platnosti hesla."
 
@@ -1874,7 +1874,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1888,7 +1888,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
@@ -1951,8 +1951,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr ""
 
@@ -2017,9 +2017,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr ""
 
@@ -2034,7 +2034,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2130,48 +2130,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2289,7 +2289,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr ""
 
@@ -2323,7 +2323,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -2333,7 +2333,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2353,7 +2353,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr ""
@@ -2715,25 +2715,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr "krb5_rcache_dir (řetězec)"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2741,73 +2752,71 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -2817,66 +2826,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -2887,17 +2896,17 @@ msgstr ""
 "mezer, změně velikosti písmen, atd."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -2908,7 +2917,7 @@ msgstr ""
 "nahrazení mezer, změn velikosti písmen, atd."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -2917,60 +2926,60 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 #, fuzzy
 #| msgid "simple_deny_users (string)"
 msgid "exclude_users (string)"
 msgstr "simple_deny_users (řetězec)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 msgid "Default: Empty. No users excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 #, fuzzy
 #| msgid "simple_deny_groups (string)"
 msgid "exclude_groups (string)"
 msgstr "simple_deny_groups (řetězec)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 msgid "Default: Empty. No groups excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -2980,12 +2989,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -2994,14 +3003,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -3010,38 +3019,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3050,24 +3059,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3076,29 +3085,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3112,14 +3121,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3128,39 +3137,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3169,19 +3178,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3192,108 +3201,108 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
@@ -3302,31 +3311,31 @@ msgstr ""
 "dlouhou dobu ponechávat klíč hostitel v mezipaměti."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3335,17 +3344,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3357,33 +3366,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3395,19 +3404,19 @@ msgstr ""
 "otisk do mezipaměti."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3416,17 +3425,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3435,28 +3444,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3464,7 +3473,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3472,8 +3481,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3482,8 +3491,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3491,19 +3500,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3512,7 +3521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3520,24 +3529,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3549,27 +3558,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3577,7 +3597,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3585,30 +3605,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3616,19 +3636,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3637,7 +3657,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3645,29 +3665,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3675,7 +3695,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3683,35 +3703,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3719,32 +3739,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3755,7 +3775,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3764,12 +3784,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3777,7 +3797,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3785,31 +3805,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3817,7 +3837,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3826,17 +3846,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -3844,43 +3864,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3888,7 +3908,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3896,7 +3916,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3904,24 +3924,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3929,31 +3949,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3961,7 +3981,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -3970,12 +3990,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3985,7 +4005,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -3996,29 +4016,29 @@ msgstr ""
 # auto translated by TM merge from project: Fedora Websites, version:
 # fedorahosted.org, DocId: po/fedorahosted
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr "username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -4026,108 +4046,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 #, fuzzy
 #| msgid "dns_resolver_timeout"
 msgid "dns_resolver_server_timeout (integer)"
 msgstr "dns_resolver_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 #, fuzzy
 #| msgid "dns_resolver_op_timeout"
 msgid "dns_resolver_op_timeout (integer)"
 msgstr "dns_resolver_op_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4136,64 +4154,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4201,38 +4219,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4240,49 +4251,120 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
+#: sssd.conf.5.xml:3695
+#, fuzzy
+#| msgid "dns_resolver_timeout"
+msgid "ldap_search_timeout"
+msgstr "dns_resolver_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+#, fuzzy
+#| msgid "dns_resolver_timeout"
+msgid "ldap_network_timeout"
+msgstr "dns_resolver_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+#, fuzzy
+#| msgid "dns_resolver_op_timeout"
+msgid "ldap_opt_timeout"
+msgstr "dns_resolver_op_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+#, fuzzy
+#| msgid "dns_resolver_timeout"
+msgid "ldap_offline_timeout"
+msgstr "dns_resolver_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3707
+#, fuzzy
+#| msgid "dns_resolver_op_timeout"
+msgid "ldap_enumeration_refresh_timeout"
+msgstr "dns_resolver_op_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+msgid "ldap_enumeration_refresh_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+msgid "ldap_purge_cache_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+msgid "ldap_krb5_ticket_lifetime"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+#, fuzzy
+#| msgid "dns_resolver_op_timeout"
+msgid "ldap_enumeration_search_timeout"
+msgstr "dns_resolver_op_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+#, fuzzy
+#| msgid "dns_resolver_op_timeout"
+msgid "ldap_connection_expire_timeout"
+msgstr "dns_resolver_op_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+#, fuzzy
+#| msgid "dns_resolver_op_timeout"
+msgid "ldap_connection_expire_offset"
+msgstr "dns_resolver_op_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 msgid "ldap_connection_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4290,27 +4372,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4320,34 +4402,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr "Různé štítky uložené službou nastavování realmd pro tuto doménu."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4356,19 +4438,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4376,24 +4458,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4402,24 +4484,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4429,14 +4511,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4444,21 +4526,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4466,7 +4548,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4475,7 +4557,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4484,7 +4566,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4492,29 +4574,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4522,12 +4604,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4535,12 +4617,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4549,12 +4631,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4562,19 +4644,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -4591,7 +4673,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -4599,17 +4681,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -4618,7 +4700,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -4628,7 +4710,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4648,12 +4730,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -4664,69 +4746,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -4739,7 +4821,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -4747,7 +4829,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -4756,55 +4838,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -4813,17 +4895,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -4831,26 +4913,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -4859,17 +4941,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -4879,7 +4961,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -4888,59 +4970,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -4949,7 +5031,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -4958,7 +5040,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -4967,7 +5049,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -4975,12 +5057,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -5010,7 +5092,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -5019,7 +5101,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -5027,7 +5109,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -5038,7 +5120,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -5052,7 +5134,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5115,7 +5197,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5216,7 +5298,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr ""
@@ -5434,12 +5516,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5447,7 +5529,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5456,12 +5538,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5469,7 +5551,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5479,7 +5561,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5489,34 +5571,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -5524,32 +5606,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5557,7 +5639,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5565,12 +5647,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5578,12 +5660,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5594,12 +5676,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5608,12 +5690,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5622,7 +5704,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -5633,38 +5715,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 #, fuzzy
 #| msgid "dns_resolver_op_timeout"
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr "dns_resolver_op_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -5672,29 +5754,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5702,14 +5784,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5717,17 +5799,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5737,12 +5819,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5750,17 +5832,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -5768,12 +5850,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5781,7 +5863,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -5792,7 +5874,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5801,7 +5883,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5809,12 +5891,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -5822,7 +5904,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -5830,26 +5912,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5857,7 +5939,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5865,7 +5947,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5873,41 +5955,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5916,32 +5998,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5949,24 +6031,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5974,17 +6056,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5995,24 +6077,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -6023,12 +6105,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -6041,7 +6123,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -6053,17 +6135,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -6071,49 +6153,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6121,28 +6203,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6154,7 +6236,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6162,7 +6244,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6170,39 +6252,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6212,7 +6294,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6220,26 +6302,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6248,7 +6330,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6256,31 +6338,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6293,51 +6375,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -6346,12 +6428,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6367,12 +6449,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6381,14 +6463,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6397,24 +6479,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6422,19 +6504,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6443,7 +6525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6451,7 +6533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6460,7 +6542,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6468,22 +6550,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6493,14 +6575,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6513,12 +6595,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6528,7 +6610,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6538,63 +6620,63 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6603,67 +6685,67 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
@@ -6672,7 +6754,7 @@ msgstr ""
 "používají schéma dle normy RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6683,7 +6765,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6691,50 +6773,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 #, fuzzy
 #| msgid "ldap_idmap_range_size (integer)"
 msgid "ldap_library_debug_level (integer)"
 msgstr "ldap_idmap_range_size (celé číslo)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr ""
 
@@ -6751,12 +6833,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6764,43 +6846,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -6808,14 +6890,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -6825,21 +6907,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 #, fuzzy
 #| msgid "ldap_idmap_range_size (integer)"
 msgid "ldap_sudo_random_offset (integer)"
 msgstr "ldap_idmap_range_size (celé číslo)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -6847,7 +6929,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -6855,106 +6937,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6963,59 +7045,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr "Název v LDAP hlavní mapy pro automatické připojování."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -7024,22 +7106,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -7048,14 +7130,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7063,7 +7145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7076,27 +7158,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7112,13 +7194,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8138,7 +8220,7 @@ msgstr ""
 "vyhodnocovány."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -9176,7 +9258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr ""
 
@@ -9191,7 +9273,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -9206,12 +9288,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -9232,12 +9314,12 @@ msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -9261,17 +9343,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -9279,17 +9361,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 msgid "dyndns_auth_ptr (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -9297,7 +9379,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -9307,7 +9389,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
@@ -9324,7 +9406,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
@@ -9337,12 +9419,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -9361,60 +9443,60 @@ msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -9547,26 +9629,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -9585,7 +9667,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr ""
 
@@ -10136,39 +10218,59 @@ msgid ""
 "LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -10176,7 +10278,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -10184,7 +10286,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -10192,19 +10294,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -10212,26 +10314,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -10240,7 +10342,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -10248,12 +10350,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -10264,12 +10366,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -10278,7 +10380,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -10287,7 +10389,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -10296,14 +10398,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -10316,7 +10418,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -10325,7 +10427,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -10343,24 +10445,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -10369,7 +10471,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -10378,12 +10480,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -10393,7 +10495,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -10402,7 +10504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -10411,7 +10513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -10421,21 +10523,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -10445,7 +10547,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -10460,23 +10562,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -10484,22 +10586,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -10510,7 +10612,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -10518,74 +10620,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 msgid "all users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 msgid "only users in allow-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 msgid "no users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -10595,12 +10697,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -10608,12 +10710,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -10629,14 +10731,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -10644,7 +10746,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10656,42 +10758,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -10707,7 +10809,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -10715,7 +10817,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -10723,7 +10825,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10735,22 +10837,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -10766,7 +10868,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -10774,7 +10876,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -10782,7 +10884,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10794,22 +10896,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -10824,14 +10926,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -10839,7 +10941,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10851,23 +10953,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -10883,14 +10985,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -10898,7 +11000,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -10909,19 +11011,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -10929,7 +11031,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10941,29 +11043,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -10971,12 +11073,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -10989,57 +11091,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -11047,17 +11149,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -11067,17 +11169,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -11086,12 +11188,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -11102,12 +11204,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -11118,7 +11220,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -11133,7 +11235,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -11145,7 +11247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -11156,19 +11258,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -11178,7 +11280,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -11186,7 +11288,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -11201,7 +11303,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -11210,7 +11312,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -11218,7 +11320,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -11228,7 +11330,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -16894,32 +16996,43 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+msgid "Authentication Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr "Vestavěné"
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -17590,96 +17703,111 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+msgid "Default: false (IPA and AD provider: true)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -17687,12 +17815,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/de.po b/src/man/po/de.po
index db49af488da..5d593c37cf2 100644
--- a/src/man/po/de.po
+++ b/src/man/po/de.po
@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2021-02-02 14:40+0000\n"
 "Last-Translator: Sumit Bose <sbose@redhat.com>\n"
 "Language-Team: German <https://translate.fedoraproject.org/projects/sssd/"
@@ -220,10 +220,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr "Voreinstellung: »true«"
 
@@ -241,12 +241,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr "Voreinstellung: »false«"
 
@@ -280,8 +280,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -311,7 +311,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr "Voreinstellung: 10"
 
@@ -397,8 +397,8 @@ msgstr ""
 "startet."
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "Voreinstellung: 3"
 
@@ -419,7 +419,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr "re_expression (Zeichenkette)"
 
@@ -442,12 +442,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr "full_name_format (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -459,32 +459,32 @@ msgstr ""
 "zusammengestellt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr "Benutzername"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr "Domain-Name, wie er durch die SSSD-Konfigurationsdatei angegeben wird"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
@@ -493,7 +493,7 @@ msgstr ""
 "direkt konfiguriert als auch über IPA-Trust"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -652,11 +652,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr "Voreinstellung: nicht gesetzt"
 
@@ -930,8 +930,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr "Voreinstellung: Nicht gesetzt"
 
@@ -1098,7 +1098,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr "Voreinstellung: 60"
 
@@ -1208,7 +1208,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr "Voreinstellung: 300"
 
@@ -1639,7 +1639,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr ""
 
@@ -1667,8 +1667,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr "Voreinstellung: 6"
@@ -2012,7 +2012,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr "zeigt N Tage vor Ablauf des Passworts eine Warnung an."
 
@@ -2028,7 +2028,7 @@ msgstr ""
 "SSSD keine Warnung anzeigen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -2047,7 +2047,7 @@ msgstr ""
 "emphasis> für eine bestimmte Domain außer Kraft gesetzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Voreinstellung: 0"
 
@@ -2110,8 +2110,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr "Voreinstellung: none"
 
@@ -2176,9 +2176,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr "Voreinstellung: False"
 
@@ -2193,7 +2193,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2296,48 +2296,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2455,7 +2455,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr ""
 
@@ -2496,7 +2496,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -2506,7 +2506,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2526,7 +2526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr "Voreinstellung: True"
@@ -2923,25 +2923,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr "ldap_schema (Zeichenkette)"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2949,73 +2960,77 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder "
+#| "type=\"variablelist\" id=\"0\"/>"
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
+"Die folgenden Erweiterungen werden unterstützt: <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -3025,66 +3040,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -3092,17 +3107,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -3110,7 +3125,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -3119,64 +3134,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 #, fuzzy
 #| msgid "simple_deny_users (string)"
 msgid "exclude_users (string)"
 msgstr "simple_deny_users (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 #, fuzzy
 #| msgid "Default: empty, i.e. ldap_uri is used."
 msgid "Default: Empty. No users excluded."
 msgstr "Voreinstellung: leer, d.h., dass »ldap_uri« benutzt wird"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 #, fuzzy
 #| msgid "simple_deny_groups (string)"
 msgid "exclude_groups (string)"
 msgstr "simple_deny_groups (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 #, fuzzy
 #| msgid "Default: empty, i.e. ldap_uri is used."
 msgid "Default: Empty. No groups excluded."
 msgstr "Voreinstellung: leer, d.h., dass »ldap_uri« benutzt wird"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr "DOMAIN-ABSCHNITTE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -3186,12 +3201,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -3200,14 +3215,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -3216,31 +3231,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -3249,7 +3264,7 @@ msgstr ""
 "enthält, der jenseits dieser Beschränkungen liegt, wird er ignoriert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3262,7 +3277,7 @@ msgstr ""
 "werden jene, die im Bereich liegen, wie erwartet gemeldet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
@@ -3271,17 +3286,17 @@ msgstr ""
 "den Zwischenspeicher und nicht nur ihre Rückgabe über Name oder ID."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Voreinstellung: 1 für »min_id«, 0 (keine Beschränkung) für »max_id«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr "enumerate (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3290,29 +3305,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = Benutzer und Gruppen werden aufgezählt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = keine Aufzählungen für diese Domain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr "Voreinstellung: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3326,7 +3341,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -3336,7 +3351,7 @@ msgstr ""
 "Ergebnisse zurück."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3351,7 +3366,7 @@ msgstr ""
 "benutzten »id_provider«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -3360,32 +3375,32 @@ msgstr ""
 "insbesondere in großen Umgebungen, nicht empfohlen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr "Alle entdeckten vertrauenswürdigen Domains werden aufgezählt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr "Keine der entdeckten vertrauenswürdigen Domains wird aufgezählt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3399,12 +3414,12 @@ msgstr ""
 "Domains aktivieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -3413,7 +3428,7 @@ msgstr ""
 "soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3431,17 +3446,17 @@ msgstr ""
 "wurden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr "Voreinstellung: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -3450,19 +3465,19 @@ msgstr ""
 "betrachten soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr "Voreinstellung: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -3471,12 +3486,12 @@ msgstr ""
 "betrachten soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -3485,12 +3500,12 @@ msgstr ""
 "betrachten soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -3499,24 +3514,24 @@ msgstr ""
 "betrachten soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -3525,12 +3540,12 @@ msgstr ""
 "bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -3540,36 +3555,36 @@ msgstr ""
 "wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
@@ -3579,7 +3594,7 @@ msgstr ""
 "abgelaufenen oder beinahe abgelaufenen Daten aktualisiert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3588,19 +3603,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 "Sie können in Betracht ziehen, diesen Wert auf 3/4 * entry_cache_timeout zu "
 "setzen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3612,37 +3627,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr "Voreinstellung: 0 (deaktiviert)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "bestimmt, ob auch Benutzerberechtigungen im lokalen LDB-Zwischenspeicher "
 "zwischengespeichert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "Benutzerberechtigungen werden in einem SHA512-Hash, nicht im Klartext "
 "gespeichert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3654,19 +3669,19 @@ msgstr ""
 "gespeichert zu werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3679,17 +3694,17 @@ msgstr ""
 "Parameters muss größer oder gleich »offline_credentials_expiration« sein."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr "Voreinstellung: 0 (unbegrenzt)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3702,17 +3717,17 @@ msgstr ""
 "Authentifizierungsanbieter konfiguriert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Voreinstellung: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr "id_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -3720,12 +3735,12 @@ msgstr ""
 "werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3733,7 +3748,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3744,8 +3759,8 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3758,8 +3773,8 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3771,12 +3786,12 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -3786,7 +3801,7 @@ msgstr ""
 "Benutzers, der an NSS gemeldet wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3800,7 +3815,7 @@ msgstr ""
 "test@LOCAL</command> würde ihn hingegen finden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3812,24 +3827,24 @@ msgstr ""
 "nicht voll qualifizierter Name angefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr "gibt beim Nachschlagen der Gruppe nicht die Gruppenmitglieder zurück."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3841,20 +3856,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr "auth_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -3863,7 +3889,7 @@ msgstr ""
 "Authentifizierungsanbieter werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3874,7 +3900,7 @@ msgstr ""
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3886,19 +3912,19 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 "»proxy« zur Weitergabe der Authentifizierung an irgendein anderes PAM-Ziel"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "»none« deaktiviert explizit die Authentifizierung."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -3907,12 +3933,12 @@ msgstr ""
 "mit Authentifizierungsanfragen umgehen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr "access_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3923,7 +3949,7 @@ msgstr ""
 "Backends enthalten sind). Interne Spezialanbieter sind:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -3932,12 +3958,12 @@ msgstr ""
 "für eine lokale Domain."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr "»deny« verweigert dem Zugriff immer."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3950,7 +3976,7 @@ msgstr ""
 "simple</refentrytitle> <manvolnum>5</manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3958,22 +3984,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr "Voreinstellung: »permit«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -3982,7 +4008,7 @@ msgstr ""
 "Folgende Anbieter von Passwortänderungen werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3990,7 +4016,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4002,19 +4028,19 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 "»proxy« zur Weitergabe der Passwortänderung an irgendein anderes PAM-Ziel"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "»none« verbietet explizit Passwortänderungen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -4023,19 +4049,19 @@ msgstr ""
 "kann mit Passwortänderungsanfragen umgehen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "der für diese Domain benutzte Sudo-Anbieter. Folgende Sudo-Anbieter werden "
 "unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4046,7 +4072,7 @@ msgstr ""
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
@@ -4055,7 +4081,7 @@ msgstr ""
 "Vorgabeeinstellungen für IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
@@ -4064,19 +4090,19 @@ msgstr ""
 "Vorgabeeinstellungen für AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "»none« deaktiviert explizit Sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "Voreinstellung: Falls gesetzt, wird der Wert von »id_provider« benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -4093,7 +4119,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -4102,12 +4128,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -4118,7 +4144,7 @@ msgstr ""
 "Zugriffsanbieter beendet hat. Folgende SELinux-Anbieter werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4130,12 +4156,12 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr "»none« verbietet explizit das Abholen von SELinux-Einstellungen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -4144,12 +4170,12 @@ msgstr ""
 "kann SELinux-Ladeanfragen handhaben."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -4159,7 +4185,7 @@ msgstr ""
 "werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4171,7 +4197,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -4180,17 +4206,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr "»none« deaktiviert explizit das Abholen von Subdomains."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -4198,37 +4224,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -4236,7 +4262,7 @@ msgstr ""
 "»autofs« werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4248,7 +4274,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4260,7 +4286,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4268,17 +4294,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "»none« deaktiviert explizit »autofs«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -4287,7 +4313,7 @@ msgstr ""
 "wird. Folgende Anbieter von »hostid« werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4299,31 +4325,31 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "»none« deaktiviert explizit »hostid«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -4331,7 +4357,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -4340,12 +4366,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -4360,7 +4386,7 @@ msgstr ""
 "(NetBIOS-) Namen der Domain entsprechen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 #, fuzzy
 #| msgid ""
 #| "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
@@ -4378,22 +4404,22 @@ msgstr ""
 "P&lt;Name&gt;[^@\\\\]+)$))« "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr "Benutzername"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr "Benutzername@Domain.Name"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr "Domain\\Benutzername"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -4403,7 +4429,7 @@ msgstr ""
 "Windows-Domains zu ermöglichen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -4413,17 +4439,17 @@ msgstr ""
 "bedeutet »der Name ist alles bis zum »@«-Zeichen, die Domain alles danach«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Voreinstellung: »%1$s@%2$s«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -4431,95 +4457,93 @@ msgstr ""
 "ermöglicht es, die bei DNS-Abfragen zu bevorzugende Adressfamilie zu wählen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr "unterstützte Werte:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first: versucht die IPv4- und, falls dies fehlschlägt, die IPv6-Adresse "
 "nachzuschlagen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr "ipv4_only: versucht, nur Rechnernamen zu IPv4-Adressen aufzulösen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first: versucht die IPv6- und, falls dies fehlschlägt, die IPv4-Adresse "
 "nachzuschlagen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr "ipv6_only: versucht, nur Rechnernamen zu IPv6-Adressen aufzulösen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr "Voreinstellung: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 #, fuzzy
 #| msgid "dns_resolver_timeout (integer)"
 msgid "dns_resolver_server_timeout (integer)"
 msgstr "dns_resolver_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr "Voreinstellung: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 #, fuzzy
 #| msgid "dns_resolver_timeout (integer)"
 msgid "dns_resolver_op_timeout (integer)"
 msgstr "dns_resolver_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4528,12 +4552,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -4542,52 +4566,52 @@ msgstr ""
 "DNS-Dienstabfrage an."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr "Voreinstellung: Der Domain-Teil des Rechnernamens wird benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr "override_gid (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr "überschreibt die Haupt-GID mit der angegebenen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4595,14 +4619,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 #, fuzzy
 #| msgid ""
 #| "The following expansions are supported: <placeholder "
@@ -4615,24 +4639,17 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4640,51 +4657,128 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
-msgstr ""
+#: sssd.conf.5.xml:3695
+#, fuzzy
+#| msgid "ldap_search_timeout (integer)"
+msgid "ldap_search_timeout"
+msgstr "ldap_search_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+#, fuzzy
+#| msgid "ldap_network_timeout (integer)"
+msgid "ldap_network_timeout"
+msgstr "ldap_network_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+#, fuzzy
+#| msgid "ldap_opt_timeout (integer)"
+msgid "ldap_opt_timeout"
+msgstr "ldap_opt_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3704
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_offline_timeout"
+msgstr "ldap_connection_expire_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3707
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_timeout"
+msgstr "ldap_enumeration_refresh_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_offset"
+msgstr "ldap_enumeration_refresh_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+#, fuzzy
+#| msgid "ldap_purge_cache_timeout (integer)"
+msgid "ldap_purge_cache_offset"
+msgstr "ldap_purge_cache_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+#, fuzzy
+#| msgid "ldap_krb5_ticket_lifetime (integer)"
+msgid "ldap_krb5_ticket_lifetime"
+msgstr "ldap_krb5_ticket_lifetime (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+#, fuzzy
+#| msgid "ldap_enumeration_search_timeout (integer)"
+msgid "ldap_enumeration_search_timeout"
+msgstr "ldap_enumeration_search_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_connection_expire_timeout"
+msgstr "ldap_connection_expire_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_connection_expire_offset"
+msgstr "ldap_connection_expire_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 #, fuzzy
 #| msgid "ldap_connection_expire_timeout (integer)"
 msgid "ldap_connection_idle_timeout"
 msgstr "ldap_connection_expire_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4692,27 +4786,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "flacher (NetBIOS-) Name einer Subdomain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4727,7 +4821,7 @@ msgstr ""
 "verwendet werden.  <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
@@ -4735,17 +4829,17 @@ msgstr ""
 "überschrieben werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Voreinstellung: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
@@ -4753,12 +4847,12 @@ msgstr ""
 "Kennzeichnungen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4767,19 +4861,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4787,24 +4881,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4813,24 +4907,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4840,14 +4934,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4855,21 +4949,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4877,7 +4971,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4886,7 +4980,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4895,7 +4989,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4907,17 +5001,17 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr "das Proxy-Ziel, an das PAM weiterleitet"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -4927,12 +5021,12 @@ msgstr ""
 "hinzufügen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4943,12 +5037,12 @@ msgstr ""
 "»_nss_$(libName)_$(function)«, zum Beispiel »_nss_files_getpwent«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4956,12 +5050,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4975,12 +5069,12 @@ msgstr ""
 "veranlassen, die ID im Zwischenspeicher nachzuschlagen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4988,7 +5082,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -4997,12 +5091,12 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -5019,7 +5113,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -5027,17 +5121,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -5046,7 +5140,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -5056,7 +5150,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -5076,12 +5170,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -5092,69 +5186,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -5167,7 +5261,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -5175,7 +5269,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -5184,55 +5278,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -5241,17 +5335,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -5259,26 +5353,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -5287,17 +5381,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -5307,7 +5401,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -5316,59 +5410,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -5377,7 +5471,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -5386,7 +5480,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -5395,7 +5489,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -5403,12 +5497,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -5462,7 +5556,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -5471,7 +5565,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -5479,7 +5573,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -5490,7 +5584,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -5504,7 +5598,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5581,7 +5675,7 @@ msgstr ""
 "unter »ldap_access_filter«."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5705,7 +5799,7 @@ msgstr ""
 "rfc/rfc2254.txt spezifiziert, sein."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr "Beispiele:"
@@ -5954,12 +6048,12 @@ msgstr ""
 "Zwischenspeicher aufgezählter Datensätze aktualisiert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5970,7 +6064,7 @@ msgstr ""
 "haben) und diese entfernt werden, um Platz zu sparen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5979,12 +6073,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5996,7 +6090,7 @@ msgstr ""
 "das Schema RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -6013,7 +6107,7 @@ msgstr ""
 "erfolgt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -6023,12 +6117,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr "Voreinstellung: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
@@ -6038,24 +6132,24 @@ msgstr ""
 "und neuere Versionen ausgeführt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 "optional, verwendet die angegebene Zeichenkette als Suchgrundlage für "
 "Rechnerobjekte"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -6065,32 +6159,32 @@ msgstr ""
 "unter »ldap_search_base«."
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "Voreinstellung: der Wert von <emphasis>ldap_search_base</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -6101,7 +6195,7 @@ msgstr ""
 "Ergebnisse zurückgegeben werden (und in den Offline-Modus gegangen wird)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -6112,12 +6206,12 @@ msgstr ""
 "Zeitüberschreitungspunkten für spezielle Nachschlagetypen ersetzt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -6129,12 +6223,12 @@ msgstr ""
 "(und in den Offline-Modus gegangen wird)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -6151,12 +6245,12 @@ msgstr ""
 "citerefentry> zurückkehrt, falls keine Aktivität stattfindet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -6165,12 +6259,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -6184,7 +6278,7 @@ msgstr ""
 "Lebensdauer) verwendet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -6195,38 +6289,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr "Voreinstellung: 900 (15 Minuten)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 #, fuzzy
 #| msgid "ldap_connection_expire_timeout (integer)"
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 #, fuzzy
 #| msgid ""
 #| "Specifies a timeout (in seconds) that a connection to an LDAP server will "
@@ -6245,17 +6339,17 @@ msgstr ""
 "Lebensdauer) verwendet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
@@ -6265,12 +6359,12 @@ msgstr ""
 "pro Anfrage."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -6282,7 +6376,7 @@ msgstr ""
 "deaktiviert ist oder sich nicht ordnungsgemäß verhält."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
@@ -6292,7 +6386,7 @@ msgstr ""
 "aber nicht in der Lage, es zu benutzen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -6304,17 +6398,17 @@ msgstr ""
 "abgelehnt werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr "ldap_disable_range_retrieval (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr "deaktiviert die Bereichsabfrage von Active Directory"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -6330,12 +6424,12 @@ msgstr ""
 "es so aussehen, als ob große Gruppen keine Mitglieder hätten."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -6346,19 +6440,19 @@ msgstr ""
 "Werte dieser Option werden durch OpenLDAP definiert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 "Voreinstellung: verwendet die Voreinstellungen des System (normalerweise in "
 "»ldap.conf« angegeben)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -6366,12 +6460,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -6383,7 +6477,7 @@ msgstr ""
 "nachgeschlagen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -6394,7 +6488,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -6407,7 +6501,7 @@ msgstr ""
 "unterstützten Server sind 389/RHDS, OpenLDAP und Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -6418,12 +6512,12 @@ msgstr ""
 "Nachschlagen ohne Rücksicht auf die Einstellung deaktiviert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -6431,7 +6525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -6439,12 +6533,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -6454,7 +6548,7 @@ msgstr ""
 "Werte angegeben werden:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -6463,7 +6557,7 @@ msgstr ""
 "oder anfordern."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -6475,7 +6569,7 @@ msgstr ""
 "Sitzung fährt normal fort."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -6486,7 +6580,7 @@ msgstr ""
 "ungültiges Zertifikat bereitgestellt wird, wird die Sitzung sofort beendet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -6497,22 +6591,22 @@ msgstr ""
 "sofort beendet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> = entspricht »demand«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr "Voreinstellung: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -6521,7 +6615,7 @@ msgstr ""
 "die <command>sssd</command> erkennen wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -6530,12 +6624,12 @@ msgstr ""
 "<filename>/etc/openldap/ldap.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -6549,33 +6643,33 @@ msgstr ""
 "Erstellen der korrekten Namen verwendet werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 "gibt die Datei an, die das Zertifikat für den Schlüssel des Clients enthält."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr "gibt die Datei an, die den Schlüssel des Clients enthält."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -6583,12 +6677,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
@@ -6597,12 +6691,12 @@ msgstr ""
 "class=\"protocol\">tls</systemitem> benutzen muss, um den Kanal abzusichern."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -6614,19 +6708,19 @@ msgstr ""
 "verlassen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 "Derzeit unterstützt diese Funktionalität nur das Abbilden von Active-"
 "Directory-ObjectSIDs."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -6645,24 +6739,24 @@ msgstr ""
 "Abbildung von IDs wählen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr "Voreinstellung: nicht gesetzt (beide Optionen sind auf 0 gesetzt)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -6673,12 +6767,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -6691,7 +6785,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -6703,17 +6797,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr "Voreinstellung Rechner/MeinRechner@BEREICH"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -6724,17 +6818,17 @@ msgstr ""
 "»ldap_sasl_authid« ebenfalls den Realm enthält, wird diese Option ignoriert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr "Voreinstellung: der Wert von »krb5_realm«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
@@ -6744,34 +6838,34 @@ msgstr ""
 "Bind in eine kanonische Form zu bringen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr "Voreinstellung: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "Voreinstellung: Keytab des Systems, normalerweise <filename>/etc/krb5."
 "keytab</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6779,28 +6873,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr "Voreinstellung: 86400 (24 Stunden)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6819,7 +6913,7 @@ msgstr ""
 "Weitere Informationen finden Sie im Abschnitt »DIENSTSUCHE«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6830,7 +6924,7 @@ msgstr ""
 "Protokoll angeben. Falls keine gefunden werden, weicht es auf _tcp aus."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6842,29 +6936,29 @@ msgstr ""
 "migrieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 "Voreinstellung: Systemvoreinstellungen, siehe <filename>/etc/krb5.conf</"
 "filename>"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
@@ -6874,12 +6968,12 @@ msgstr ""
 "Kerberos >= 1.7 verfügbar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr "krb5_use_kdcinfo (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6895,7 +6989,7 @@ msgstr ""
 "manvolnum> </citerefentry> einrichten."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6906,12 +7000,12 @@ msgstr ""
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -6920,7 +7014,7 @@ msgstr ""
 "Passworts abgeschätzt werden soll. Die folgenden Werte sind erlaubt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -6929,7 +7023,7 @@ msgstr ""
 "kann keine Server-seitigen Passwortregelwerke deaktivieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 #, fuzzy
 #| msgid ""
 #| "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
@@ -6946,7 +7040,7 @@ msgstr ""
 "manvolnum></citerefentry>, um abzuschätzen, ob das Passwort erloschen ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6958,7 +7052,7 @@ msgstr ""
 "Passwort geändert wurde."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
@@ -6968,17 +7062,17 @@ msgstr ""
 "festgelegten Regel."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr "gibt an, ob automatische Verweisverfolgung aktiviert werden soll."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -6987,7 +7081,7 @@ msgstr ""
 "mit OpenLDAP Version 2.4.13 oder höher kompiliert wurde."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 #, fuzzy
 #| msgid ""
 #| "Chasing referrals may incur a performance penalty in environments that "
@@ -7011,28 +7105,28 @@ msgstr ""
 "merkliche Leistungsverbesserung bringen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "gibt an, welcher Dienstname bei aktivierter Dienstsuche benutzt werden soll."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr "Voreinstellung: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -7041,17 +7135,17 @@ msgstr ""
 "soll, der Passwortänderungen bei aktivierter Dienstsuche ermöglicht."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr "Voreinstellung: nicht gesetzt, d.h. Dienstsuche ist deaktiviert"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
@@ -7060,7 +7154,7 @@ msgstr ""
 "Passwortänderung mit Unix-Zeit geändert wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -7069,12 +7163,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -7104,12 +7198,12 @@ msgstr ""
 "refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr "Beispiel:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -7121,7 +7215,7 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
@@ -7130,7 +7224,7 @@ msgstr ""
 "beschränkt, deren employeeType-Attribut auf »admin« gesetzt ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -7139,17 +7233,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr "Voreinstellung: leer"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -7158,7 +7252,7 @@ msgstr ""
 "Zugriffssteuerungsattribute aktiviert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -7169,12 +7263,12 @@ msgstr ""
 "einem geeigneten Fehlercode zurückweisen, wenn das Passwort korrekt ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr "Die folgenden Werte sind erlaubt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -7183,7 +7277,7 @@ msgstr ""
 "»ldap_user_shadow_expire«, um zu bestimmen, ob das Konto abgelaufen ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -7196,7 +7290,7 @@ msgstr ""
 "gewährt. Außerdem wird die Ablaufzeit des Kontos geprüft."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -7207,7 +7301,7 @@ msgstr ""
 "Zugriff erlaubt wird oder nicht."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -7220,7 +7314,7 @@ msgstr ""
 "Zugriff gewährt wird. Falls diese Attribute fehlen, wird Zugriff erteilt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -7231,24 +7325,24 @@ msgstr ""
 "»ldap_account_expire_policy« funktioniert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "durch Kommata getrennte Liste von Zugriffssteuerungsoptionen. Folgende Werte "
 "sind erlaubt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filter</emphasis>: verwendet »ldap_access_filter«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -7258,14 +7352,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -7278,12 +7372,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr "<emphasis>expire</emphasis>: verwendet »ldap_account_expire_policy«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -7293,7 +7387,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -7303,20 +7397,20 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -7325,33 +7419,33 @@ msgstr ""
 "»authorizedService«, um zu bestimmen, ob Zugriff gewährt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 "<emphasis>host</emphasis>: verwendet das Attribut »host«, um zu bestimmen, "
 "ob Zugriff gewährt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr "Voreinstellung: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
@@ -7360,12 +7454,12 @@ msgstr ""
 "mehr als einmal benutzt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -7374,22 +7468,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -7398,12 +7492,12 @@ msgstr ""
 "folgenden Optionen sind erlaubt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr "<emphasis>never</emphasis>: Alias werden nie dereferenziert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -7413,7 +7507,7 @@ msgstr ""
 "Suche."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -7422,7 +7516,7 @@ msgstr ""
 "der Suche dereferenziert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -7431,7 +7525,7 @@ msgstr ""
 "Orten des Basisobjekts der Suche dereferenziert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -7440,12 +7534,12 @@ msgstr ""
 "<emphasis>never</emphasis> gehandhabt.)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
@@ -7454,7 +7548,7 @@ msgstr ""
 "beizubehalten, die das Schema RFC2307 benutzen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -7472,7 +7566,7 @@ msgstr ""
 "getpw*() oder initgroups() abzurufen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -7483,50 +7577,50 @@ msgstr ""
 "die lokalen Benutzer um zusätzliche LDAP-Gruppen erweitert werden."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 #, fuzzy
 #| msgid "debug_level (integer)"
 msgid "ldap_library_debug_level (integer)"
 msgstr "debug_level (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 #, fuzzy
 #| msgid "Default: 0 (disabled)"
 msgid "Default: 0 (libldap debugging disabled)"
@@ -7545,12 +7639,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr "SUDO-OPTIONEN"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -7561,12 +7655,12 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
@@ -7576,7 +7670,7 @@ msgstr ""
 "heruntergeladen werden)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
@@ -7585,24 +7679,24 @@ msgstr ""
 "emphasis> sein."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr "Voreinstellung: 21600 (6 Stunden)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -7610,7 +7704,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
@@ -7619,7 +7713,7 @@ msgstr ""
 "das Attribut »modifyTimestamp« benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -7629,21 +7723,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 #, fuzzy
 #| msgid "ldap_idmap_range_size (integer)"
 msgid "ldap_sudo_random_offset (integer)"
 msgstr "ldap_idmap_range_size (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -7651,7 +7745,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -7659,17 +7753,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
@@ -7679,12 +7773,12 @@ msgstr ""
 "Netzwerkadressen und Rechnernamen)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
@@ -7693,7 +7787,7 @@ msgstr ""
 "Domain-Namen, die zum Filtern der Regeln benutzt werden sollen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
@@ -7702,8 +7796,8 @@ msgstr ""
 "voll qualifizierten Domain-Namen automatisch herauszufinden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
@@ -7712,17 +7806,17 @@ msgstr ""
 "emphasis> ist, hat diese Option keine Auswirkungen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr "Voreinstellung: nicht angegeben"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
@@ -7731,7 +7825,7 @@ msgstr ""
 "Netzwerkadressen, die zum Filtern der Regeln benutzt werden sollen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
@@ -7740,12 +7834,12 @@ msgstr ""
 "herauszufinden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "ldap_sudo_include_netgroups (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
@@ -7754,12 +7848,12 @@ msgstr ""
 "eine Netzgruppe im Attribut »sudoHost« enthält."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
@@ -7768,14 +7862,14 @@ msgstr ""
 "einen Platzhalter im Attribut »sudoHost« enthält."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -7788,59 +7882,59 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr "AUTOFS-OPTIONEN"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr "ldap_autofs_map_master_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr "Der Name der Automount-Master-Abbildung in LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr "Voreinstellung: auto.master"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr "ERWEITERTE OPTIONEN"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -7849,22 +7943,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -7873,14 +7967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr "BEISPIEL"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7891,7 +7985,7 @@ msgstr ""
 "gesetzt ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7904,27 +7998,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7940,13 +8034,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "ANMERKUNGEN"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -9052,7 +9146,7 @@ msgstr ""
 "Lokale Gruppen werden nicht ausgewertet."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -10121,7 +10215,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr "dyndns_update (Boolesch)"
 
@@ -10136,7 +10230,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -10158,12 +10252,12 @@ msgstr ""
 "Konfigurationsdatei migrieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr "dyndns_ttl (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -10192,12 +10286,12 @@ msgid "Default: 1200 (seconds)"
 msgstr "Voreinstellung: 1200 (Sekunden)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr "dyndns_iface (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -10225,17 +10319,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -10243,19 +10337,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 #, fuzzy
 #| msgid "dyndns_iface (string)"
 msgid "dyndns_auth_ptr (string)"
 msgstr "dyndns_iface (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -10263,7 +10357,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -10273,7 +10367,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr "ipa_enable_dns_sites (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr "aktiviert DNS-Sites – standortbasierte Dienstsuche"
 
@@ -10298,7 +10392,7 @@ msgstr ""
 "gefundenen als Sicherungsserver."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr "dyndns_refresh_interval (Ganzzahl)"
 
@@ -10314,12 +10408,12 @@ msgstr ""
 "Diese Option ist optional und nur anwendbar, wenn »dyndns_update« »true« ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr "dyndns_update_ptr (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -10344,12 +10438,12 @@ msgid "Default: False (disabled)"
 msgstr "Voreinstellung: False (deaktiviert)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr "dyndns_force_tcp (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
@@ -10358,48 +10452,48 @@ msgstr ""
 "DNS-Server verwenden soll"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr "Voreinstellung: False (lässt Nsupdate das Protokoll auswählen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -10552,26 +10646,26 @@ msgstr ""
 "zu verwenden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -10590,7 +10684,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr "Voreinstellung: 5 (Sekunden)"
 
@@ -11176,13 +11270,33 @@ msgstr ""
 "Groß- oder Kleinschreibung nicht beachtet, um die Kompatibilität zur LDAP-"
 "Implementation in Active Directory zu gewährleisten."
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr "ad_domain (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
@@ -11191,7 +11305,7 @@ msgstr ""
 "nicht angegeben, wird der Name der konfigurierten Domain benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
@@ -11201,7 +11315,7 @@ msgstr ""
 "angegeben werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
@@ -11210,12 +11324,12 @@ msgstr ""
 "SSSD automatisch ermittelt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -11223,7 +11337,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -11231,7 +11345,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -11239,19 +11353,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -11259,26 +11373,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -11287,7 +11401,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -11295,12 +11409,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr "ad_enable_dns_sites (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -11318,12 +11432,12 @@ msgstr ""
 "Aufdeckung verwendet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr "ad_access_filter (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -11336,7 +11450,7 @@ msgstr ""
 "quote> gesetzt werden muss, damit sie wirksam ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -11349,7 +11463,7 @@ msgstr ""
 "<quote>FOREST</quote> sein oder auch weggelassen werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -11363,7 +11477,7 @@ msgstr ""
 "<quote>NAME</quote> angegeben ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
@@ -11372,7 +11486,7 @@ msgstr ""
 "so wie es auch in Suchmaschinen üblich ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -11385,7 +11499,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -11399,7 +11513,7 @@ msgstr ""
 "der erste verwendet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -11417,24 +11531,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr "ad_enable_gc (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -11448,7 +11562,7 @@ msgstr ""
 "dem LDAP-Port des aktuellen Servers."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -11463,12 +11577,12 @@ msgstr ""
 "können."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr "ad_gpo_access_control (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -11482,7 +11596,7 @@ msgstr ""
 "auf <quote>ad</quote> gesetzt werden muss, damit sie wirksam ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -11491,7 +11605,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -11500,7 +11614,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -11510,21 +11624,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -11534,7 +11648,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -11549,12 +11663,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr "Für diese Option werden drei Werte unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
@@ -11562,14 +11676,14 @@ msgstr ""
 "deren Anwendung erzwungen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 "enforcing: GPO-basierte Zugriffskontrollregeln werden sowohl ausgewertet als "
 "auch deren Anwendung erzwungen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -11581,22 +11695,22 @@ msgstr ""
 "verweigert werden würde, wenn die Option auf »enforcing« gesetzt wäre."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr "Voreinstellung: permissive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -11607,7 +11721,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -11615,80 +11729,80 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "all users are allowed"
 msgstr "Die folgenden Werte sind erlaubt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "only users in allow-rules are allowed"
 msgstr "Die folgenden Werte sind erlaubt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "no users are allowed"
 msgstr "Die folgenden Werte sind erlaubt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -11698,12 +11812,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -11711,12 +11825,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -11732,14 +11846,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -11747,7 +11861,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11759,42 +11873,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -11810,7 +11924,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -11818,7 +11932,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -11826,7 +11940,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11838,22 +11952,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -11869,7 +11983,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -11877,7 +11991,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -11885,7 +11999,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11897,22 +12011,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -11927,14 +12041,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -11942,7 +12056,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11954,23 +12068,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -11986,14 +12100,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -12001,7 +12115,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -12012,19 +12126,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -12032,7 +12146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -12044,29 +12158,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -12074,12 +12188,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -12092,57 +12206,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -12150,17 +12264,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -12170,17 +12284,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -12189,12 +12303,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -12205,14 +12319,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 #, fuzzy
 #| msgid "ldap_sudo_include_netgroups (boolean)"
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr "ldap_sudo_include_netgroups (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -12223,7 +12337,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -12238,7 +12352,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -12250,7 +12364,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -12268,19 +12382,19 @@ msgstr ""
 "»dyndns_iface« angegeben wurde."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr "Voreinstellung: 3600 (Sekunden)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -12290,7 +12404,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -12302,7 +12416,7 @@ msgstr ""
 "Optionen von AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -12326,7 +12440,7 @@ msgstr ""
 "ad_domain = example.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -12338,7 +12452,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -12349,7 +12463,7 @@ msgstr ""
 "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -12359,7 +12473,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -18678,16 +18792,30 @@ msgstr "Ersteller-Autorität (Creator Authority)"
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
+#, fuzzy
+#| msgid "Creator Authority"
+msgid "Mandatory Label Authority"
+msgstr "Ersteller-Autorität (Creator Authority)"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:295
+#, fuzzy
+#| msgid "Creator Authority"
+msgid "Authentication Authority"
+msgstr "Ersteller-Autorität (Creator Authority)"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
 msgid "NT Authority"
 msgstr "NT-Autorität (NT Authority)"
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
-#: include/ldap_id_mapping.xml:295
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr "Eingebaut"
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
@@ -18697,16 +18825,27 @@ msgstr ""
 "Sicherheits-ID zurückgegeben wird."
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
+#, fuzzy
+#| msgid ""
+#| "Since some utilities allow to modify SID based access control information "
+#| "with the help of a name instead of using the SID directly SSSD supports "
+#| "to look up the SID by the name as well. To avoid collisions only the "
+#| "fully qualified names can be used to look up Well-Known SIDs. As a result "
+#| "the domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</"
+#| "quote>, <quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</"
+#| "quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not "
+#| "be used as domain names in <filename>sssd.conf</filename>."
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 "Da einige Dienstprogramme die Änderung der Sicherheits-ID-basierten "
 "Zugriffskontrollinformationen mit Hilfe des Namens ermöglichen, anstelle die "
@@ -19473,13 +19612,38 @@ msgstr ""
 "übergreifendem Vertrauen benutzt werden, indem der dazugehörige Keytab-"
 "Eintrag als letzter oder einziger Eintrag in der Keytab-Datei abgelegt wird."
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+#, fuzzy
+#| msgid "Default: false (AD provider: true)"
+msgid "Default: false (IPA and AD provider: true)"
+msgstr "Voreinstellung: falsch (AD-Anbieter: wahr)"
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+"Weitere Einzelheiten finden Sie in der Handbuchseite <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> beim Parameter »dns_discovery_domain«."
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr "krb5_renewable_lifetime (Zeichenkette)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
@@ -19488,37 +19652,37 @@ msgstr ""
 "Ganzzahl, der direkt eine Zeiteinheit folgt, angegeben:"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr "<emphasis>s</emphasis> für Sekunden"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr "<emphasis>m</emphasis> für Minuten"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr "<emphasis>h</emphasis> für Stunden"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr "<emphasis>d</emphasis> für Tage"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 "Falls keine Einheit angegeben ist, wird <emphasis>s</emphasis> angenommen."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
@@ -19528,17 +19692,17 @@ msgstr ""
 "»1h30m«."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr "Voreinstellung: nicht gesetzt, d.h. das TGT ist nicht erneuerbar."
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr "krb5_lifetime (Zeichenkette)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
@@ -19547,13 +19711,13 @@ msgstr ""
 "eine Zeiteinheit folgt:"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 "Falls keine Einheit angegeben ist, wird <emphasis>s</emphasis> angenommen."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
@@ -19562,7 +19726,7 @@ msgstr ""
 "eineinhalb Stunden zu setzen, verwenden Sie »90m« statt »1h30m«."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
@@ -19570,12 +19734,12 @@ msgstr ""
 "der Schlüsselverwaltungszentrale (KDC)"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr "krb5_renew_interval (Zeichenkette)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -19587,14 +19751,14 @@ msgstr ""
 "folgt, angegeben:"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 "Falls diese Option nicht oder auf 0 gesetzt ist, wird die automatische "
 "Erneuerung deaktiviert."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/es.po b/src/man/po/es.po
index 4d2308b0ab5..d70f25a5ee5 100644
--- a/src/man/po/es.po
+++ b/src/man/po/es.po
@@ -18,7 +18,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2021-10-27 15:05+0000\n"
 "Last-Translator: Emilio Herrera <ehespinosa57@gmail.com>\n"
 "Language-Team: Spanish <https://translate.fedoraproject.org/projects/sssd/"
@@ -262,10 +262,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr "Predeterminado: true"
 
@@ -286,12 +286,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr "Predeterminado: false"
 
@@ -330,8 +330,8 @@ msgstr ""
 "configuración no tiene efecto para otro tipo de registros)."
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -364,7 +364,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr "Predeterminado: 10"
 
@@ -456,8 +456,8 @@ msgstr ""
 "de datos del  proveedor, o de reiniciarse antes de abandonar"
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "Predeterminado: 3"
 
@@ -484,7 +484,7 @@ msgstr ""
 "\"/\" está prohibido."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr "re_expression (cadena)"
 
@@ -509,12 +509,12 @@ msgstr ""
 "las SECCIONES DOMINIO para mas información sobre estas expresiones regulares."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr "full_name_format (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -526,33 +526,33 @@ msgstr ""
 "dominio."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr "nombre de usuario"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 "nombre de dominio como se especifica en el fichero de configuración SSSD"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
@@ -562,7 +562,7 @@ msgstr ""
 "medio de IPA de confianza."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -748,11 +748,11 @@ msgstr ""
 "cuando se use la opción default_domain_suffix."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr "Predeterminado: no definido"
 
@@ -1090,8 +1090,8 @@ msgstr ""
 "casos donde los nombres de usuarios se deben compartir entre dominios."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr "Por defecto: No definido"
 
@@ -1273,7 +1273,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr "Predeterminado: 60"
 
@@ -1392,7 +1392,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr "Predeterminado: 300"
 
@@ -1846,7 +1846,7 @@ msgstr ""
 "cache serán validos. Fijando esta opción o cero deshabilita la memoria cache."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr "Predeterminado: 8"
 
@@ -1887,8 +1887,8 @@ msgstr ""
 "cache serán validos. Fijando esta opción o cero deshabilita la memoria cache."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr "Predeterminado: 6"
@@ -2270,7 +2270,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr "Mostrar una advertencia N días antes que la contraseña caduque."
 
@@ -2286,7 +2286,7 @@ msgstr ""
 "información desaparece, sssd no podrá mostrar un aviso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -2305,7 +2305,7 @@ msgstr ""
 "<emphasis>pwd_expiration_warning</emphasis> para un dominio concreto."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Predeterminado: 0"
 
@@ -2382,8 +2382,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr "Predeterminado: none"
 
@@ -2462,9 +2462,9 @@ msgstr ""
 "de autenticación esta opción está deshabilitada por defecto."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr "Por defecto: False"
 
@@ -2479,7 +2479,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr "Predeterminado:"
 
@@ -2610,50 +2610,50 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 "Predeterminado: el conjunto predeterminado de nombres de servicio PAM "
 "incluye:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr "login"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr "su"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr "su-l"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr "gdm-smartcard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr "gdm-password"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr "kdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr "sudo"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr "sudo-i"
 
@@ -2795,7 +2795,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 #, fuzzy
 #| msgid "pam_app_services (string)"
 msgid "pam_gssapi_services"
@@ -2838,7 +2838,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -2848,7 +2848,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2868,7 +2868,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr "Predeterminado: True"
@@ -3298,25 +3298,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr "ldap_schema (cadena)"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -3324,73 +3335,77 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder "
+#| "type=\"variablelist\" id=\"0\"/>"
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
+"Son soportadas las siguientes expresiones: <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr "Opciones de configuración de la grabación de sesión"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -3406,32 +3421,32 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr "Se pueden usar estas opciones para configurar la grabación de sesión."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr "scope (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr "\"none\""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr "NO se grabaron usuarios."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr "\"some\""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
@@ -3440,17 +3455,17 @@ msgstr ""
 "replaceable> y<replaceable>groups</replaceable> son grabados."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr "\"all\""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr "Se graban todos los usuarios."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
@@ -3459,17 +3474,17 @@ msgstr ""
 "grabación: <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr "Predeterminado: \"none\""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr "users (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -3481,17 +3496,17 @@ msgstr ""
 "mayúsculas/minúsculas, etc."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr "Predeterminado: Vacío. No hay usuarios coincidentes."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr "groups (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -3503,7 +3518,7 @@ msgstr ""
 "minúsculas, etc."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -3516,64 +3531,64 @@ msgstr ""
 "pertenece el usuario."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr "Predeterminado: Vacío. No empareja grupos."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 #, fuzzy
 #| msgid "users (string)"
 msgid "exclude_users (string)"
 msgstr "users (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 #, fuzzy
 #| msgid "Default: Empty. Matches no users."
 msgid "Default: Empty. No users excluded."
 msgstr "Predeterminado: Vacío. No hay usuarios coincidentes."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 #, fuzzy
 #| msgid "groups (string)"
 msgid "exclude_groups (string)"
 msgstr "groups (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 #, fuzzy
 #| msgid "Default: Empty. Matches no groups."
 msgid "Default: Empty. No groups excluded."
 msgstr "Predeterminado: Vacío. No empareja grupos."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr "SECCIONES DE DOMINIO"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -3583,12 +3598,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr "domain_type (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -3601,7 +3616,7 @@ msgstr ""
 "disponibles para las interfaces y utilidades de sistema operativo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
@@ -3610,7 +3625,7 @@ msgstr ""
 "<quote>application</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -3623,7 +3638,7 @@ msgstr ""
 "manvolnum> </citerefentry>) y el contestador PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
@@ -3632,7 +3647,7 @@ msgstr ""
 "<quote>id_provider=ldap</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
@@ -3641,17 +3656,17 @@ msgstr ""
 "<quote>Dominios aplicación</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr "Predeterminado: posix"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr "min_id, max_id (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -3660,7 +3675,7 @@ msgstr ""
 "está fuera de estos límites, ésta es ignorada."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3673,7 +3688,7 @@ msgstr ""
 "reportados como en espera."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
@@ -3682,17 +3697,17 @@ msgstr ""
 "devolviéndolas por nombre o ID."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Predeterminado: 1 para min_id, 0 (sin límite) para max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr "enumerar (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3705,22 +3720,22 @@ msgstr ""
 "Este parámetros puede tener uno de los siguientes valores:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = Usuarios y grupos son enumerados"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = Sin enumeraciones para este dominio"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr "Predeterminado: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
@@ -3729,7 +3744,7 @@ msgstr ""
 "entradas de usuario y grupo del servidor remoto."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3753,7 +3768,7 @@ msgstr ""
 "guardián interno."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -3763,7 +3778,7 @@ msgstr ""
 "completen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3777,7 +3792,7 @@ msgstr ""
 "específico id_provider en uso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -3786,32 +3801,32 @@ msgstr ""
 "especialmente en entornos grandes."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr "Se enumerarán todos los dominios de confianza descubiertos"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr "No serán enumerados dominios de confianza descubiertos"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3824,12 +3839,12 @@ msgstr ""
 "enumeración solo para estos dominios de confianza."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -3838,7 +3853,7 @@ msgstr ""
 "volver a consultar al backend"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3856,17 +3871,17 @@ msgstr ""
 "están en la caché."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr "Predeterminado: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -3875,19 +3890,19 @@ msgstr ""
 "antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr "Por defecto: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -3896,12 +3911,12 @@ msgstr ""
 "antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -3910,12 +3925,12 @@ msgstr ""
 "válidas antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -3924,24 +3939,24 @@ msgstr ""
 "antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -3950,12 +3965,12 @@ msgstr ""
 "preguntar al backend otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -3964,12 +3979,12 @@ msgstr ""
 "automontaje válidos antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr "entry_cache_ssh_host_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
@@ -3978,24 +3993,24 @@ msgstr ""
 "cuanto guardar en caché la clave de host."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
@@ -4005,7 +4020,7 @@ msgstr ""
 "expirados o a punto de hacerlo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -4018,18 +4033,18 @@ msgstr ""
 "login), tanto la entrada usuario y la membresia de grupo son actualizados."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 "Esta opción se hereda automáticamente para todos los dominios de confianza."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr "Usted puede considerar ajustar este valor a 3/4 * entry_cache_timeout."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -4041,37 +4056,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr "Predeterminado: 0 (deshabilitado)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "Determina si las credenciales del usuario están también escondidas en el "
 "cache LDB local"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "Las credenciales de usuario son almacenadas en un hash SHA512, no en texto "
 "plano"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr "cache_credentials_minimal_first_factor_length (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -4083,7 +4098,7 @@ msgstr ""
 "SHA512 en el caché."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
@@ -4093,12 +4108,12 @@ msgstr ""
 "bruta."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -4111,17 +4126,17 @@ msgstr ""
 "grande o igual que offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr "Predeterminado: 0 (ilimitado)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -4134,17 +4149,17 @@ msgstr ""
 "configurar un proveedor de autorización para el backend."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Por defecto: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr "id_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -4152,12 +4167,12 @@ msgstr ""
 "soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr "<quote>proxy</quote>: Soporta un proveedor NSS heredado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -4169,7 +4184,7 @@ msgstr ""
 "grupos locales en SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -4180,8 +4195,8 @@ msgstr ""
 "información sobre la configuración de LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -4194,8 +4209,8 @@ msgstr ""
 "configuración de FreeIPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4207,12 +4222,12 @@ msgstr ""
 "Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -4222,7 +4237,7 @@ msgstr ""
 "NSS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -4236,7 +4251,7 @@ msgstr ""
 "command> lo haría."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -4248,24 +4263,24 @@ msgstr ""
 "cualificado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr "No devuelve miembros de grupo para búsquedas de grupo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -4284,7 +4299,7 @@ msgstr ""
 "devolver el grupo pedido como si estuviera vacío."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -4294,13 +4309,24 @@ msgstr ""
 "proveedor ara membresía de grupo significativamente más rápidas, "
 "especialmente para grupos que contienen muchos miembros."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr "auth_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -4309,7 +4335,7 @@ msgstr ""
 "autenticación soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4320,7 +4346,7 @@ msgstr ""
 "citerefentry> para más información sobre la configuración LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4331,7 +4357,7 @@ msgstr ""
 "citerefentry> para más información sobre la configuración de Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
@@ -4339,12 +4365,12 @@ msgstr ""
 "objetivo PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> deshabilita la autenticación explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -4353,12 +4379,12 @@ msgstr ""
 "manejar las peticiones de autenticación."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr "access_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -4369,7 +4395,7 @@ msgstr ""
 "proveedores especiales internos son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -4378,12 +4404,12 @@ msgstr ""
 "sólo permitido para un dominio local."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> siempre niega el acceso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -4396,7 +4422,7 @@ msgstr ""
 "configuración del módulo de acceso sencillo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -4408,23 +4434,23 @@ msgstr ""
 "Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 "<quote>proxy</quote> para transmitir control de acceso a otro módulo PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr "Predeterminado: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -4433,7 +4459,7 @@ msgstr ""
 "el dominio. Los proveedores de cambio de passweord soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -4445,7 +4471,7 @@ msgstr ""
 "configuración de LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4456,7 +4482,7 @@ msgstr ""
 "citerefentry> para más información sobre configurar Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
@@ -4464,13 +4490,13 @@ msgstr ""
 "otros objetivos PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 "<quote>none</quote> deniega explícitamente los cambios en la contraseña."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -4479,18 +4505,18 @@ msgstr ""
 "puede manejar las peticiones de cambio de password."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "El proveedor SUDO usado por el dominio. Los proveedores SUDO soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4501,7 +4527,7 @@ msgstr ""
 "citerefentry> para más información sobre la configuración LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
@@ -4510,7 +4536,7 @@ msgstr ""
 "predeterminados IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
@@ -4519,19 +4545,19 @@ msgstr ""
 "predeterminados AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote>deshabilita SUDO explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "Por defecto: el valor de <quote>id_provider</quote> se usa si está fijado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -4548,7 +4574,7 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -4562,12 +4588,12 @@ msgstr ""
 "desea usar sudo cn SSSD mas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -4578,7 +4604,7 @@ msgstr ""
 "finalice. Los proveedores selinux soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4590,14 +4616,14 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 "<quote>none</quote> deshabilita ir a buscar los ajustes selinux "
 "explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -4606,12 +4632,12 @@ msgstr ""
 "manejar las peticiones de carga selinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -4621,7 +4647,7 @@ msgstr ""
 "soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4633,7 +4659,7 @@ msgstr ""
 "configuración de IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -4646,18 +4672,18 @@ msgstr ""
 "configuración del proveedor AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 "<quote>none</quote> deshabilita el buscador de subdominios explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr "session_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -4669,14 +4695,14 @@ msgstr ""
 "de sesiones soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 "<quote>ipa</quote> para permitir llevar a cabo tareas relacionadas con la "
 "sesión de usuario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
@@ -4684,7 +4710,7 @@ msgstr ""
 "de usuario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
@@ -4693,7 +4719,7 @@ msgstr ""
 "llevar a cabo tareas relacionadas con la sesión de usuario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
@@ -4703,12 +4729,12 @@ msgstr ""
 "sin privilegios."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -4716,7 +4742,7 @@ msgstr ""
 "son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4728,7 +4754,7 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4740,7 +4766,7 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4752,17 +4778,17 @@ msgstr ""
 "proveedor AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> deshabilita autofs explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -4771,7 +4797,7 @@ msgstr ""
 "proveedores de hostid soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4783,31 +4809,31 @@ msgstr ""
 "configuración de IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> deshabilita hostid explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -4815,7 +4841,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -4824,12 +4850,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -4844,7 +4870,7 @@ msgstr ""
 "dominios Active Directory, el nombre plano (NetBIOS) del dominio."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 #, fuzzy
 #| msgid ""
 #| "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
@@ -4863,22 +4889,22 @@ msgstr ""
 "nombres de usuario:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr "nombre de usuario"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr "username@domain.name"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr "dominio/nombre_de_usuario"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -4888,7 +4914,7 @@ msgstr ""
 "dominios Windows."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -4899,17 +4925,17 @@ msgstr ""
 "el nombre, el dominio es el resto detrás de este signo\""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Predeterminado: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -4918,58 +4944,57 @@ msgstr ""
 "a usar cuando se lleven a cabo búsquedas DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr "Valores soportados:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr "ipv4_first: Intenta buscar dirección IPv4, si falla, intenta IPv6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr "ipv4_only: Sólo intenta resolver nombres de host a direccones IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr "ipv6_first: Intenta buscar dirección IPv6, si falla, intenta IPv4"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr "ipv6_only: Sólo intenta resolver nombres de host a direccones IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr "Predeterminado: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 #, fuzzy
 #| msgid "dns_resolver_timeout (integer)"
 msgid "dns_resolver_server_timeout (integer)"
 msgstr "dns_resolver_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
@@ -4978,33 +5003,32 @@ msgstr ""
 "información sobre la resolución del servicio."
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr "Predeterminado: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 #, fuzzy
 #| msgid "dns_resolver_timeout (integer)"
 msgid "dns_resolver_op_timeout (integer)"
 msgstr "dns_resolver_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -5017,12 +5041,12 @@ msgstr ""
 "trabajando en modo offline."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -5031,55 +5055,55 @@ msgstr ""
 "de dominio de la pregunta al descubridor de servicio DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 "Predeterminado: Utilizar la parte del dominio del nombre de host del equipo"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr "override_gid (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr "Anula el valor primario GID con el especificado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr "case_sensitive (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr "True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 "Distingue mayúsculas y minúsculas. Este valor es invalido para el proveedor "
 "AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr "False"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr "No sensible a mayúsculas minúsculas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr "Preserving"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -5091,14 +5115,14 @@ msgstr ""
 "protocolo) están en minúsculas en la salida."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 #, fuzzy
 #| msgid ""
 #| "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
@@ -5109,24 +5133,17 @@ msgstr ""
 "Las opciones disponibles son: <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr "Predeterminado: True (False para proveedor AD)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr "subdomain_inherit (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -5138,57 +5155,134 @@ msgstr ""
 "siguientes opciones:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
-msgstr "ignore_group_members"
+#: sssd.conf.5.xml:3695
+#, fuzzy
+#| msgid "ldap_search_timeout (integer)"
+msgid "ldap_search_timeout"
+msgstr "ldap_search_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+#, fuzzy
+#| msgid "ldap_network_timeout (integer)"
+msgid "ldap_network_timeout"
+msgstr "ldap_network_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3701
+#, fuzzy
+#| msgid "ldap_opt_timeout (integer)"
+msgid "ldap_opt_timeout"
+msgstr "ldap_opt_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_offline_timeout"
+msgstr "ldap_connection_expire_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3707
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_timeout"
+msgstr "ldap_enumeration_refresh_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_offset"
+msgstr "ldap_enumeration_refresh_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+#, fuzzy
+#| msgid "ldap_purge_cache_timeout"
+msgid "ldap_purge_cache_offset"
+msgstr "ldap_purge_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+"ldap_krb5_keytab (se deberá usar el valor de krb5_keytab si no se ha fijado "
+"explícitamente ldap_krb5_keytab)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+#, fuzzy
+#| msgid "ldap_krb5_ticket_lifetime (integer)"
+msgid "ldap_krb5_ticket_lifetime"
+msgstr "ldap_krb5_ticket_lifetime (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+#, fuzzy
+#| msgid "ldap_enumeration_search_timeout (integer)"
+msgid "ldap_enumeration_search_timeout"
+msgstr "ldap_enumeration_search_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_connection_expire_timeout"
+msgstr "ldap_connection_expire_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_connection_expire_offset"
+msgstr "ldap_connection_expire_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 #, fuzzy
 #| msgid "ldap_connection_expire_timeout (integer)"
 msgid "ldap_connection_idle_timeout"
 msgstr "ldap_connection_expire_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr "ldap_user_principal"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
-msgstr ""
-"ldap_krb5_keytab (se deberá usar el valor de krb5_keytab si no se ha fijado "
-"explícitamente ldap_krb5_keytab)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
+msgstr "ignore_group_members"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 #, fuzzy
 #| msgid "auto_private_groups (string)"
 msgid "auto_private_groups"
 msgstr "auto_private_groups (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 #, fuzzy
 #| msgid "Case insensitive."
 msgid "case_sensitive"
 msgstr "No sensible a mayúsculas minúsculas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -5198,27 +5292,27 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr "Aviso: Esta opción solo trabaja con el proveedor IPA y AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "flat (NetBIOS) nombre de un subdominio."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -5234,7 +5328,7 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
@@ -5242,17 +5336,17 @@ msgstr ""
 "emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Por defecto: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
@@ -5260,12 +5354,12 @@ msgstr ""
 "este dominio."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr "cached_auth_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -5278,7 +5372,7 @@ msgstr ""
 "incorrectas, SSSD cae de nuevo a la autenticación en linea."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
@@ -5288,12 +5382,12 @@ msgstr ""
 "confianza."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr "El valor especial 0 implica que esta función está deshabilitada."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -5304,17 +5398,17 @@ msgstr ""
 "gestionar <quote>initgroups.</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr "auto_private_groups (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr "true"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
@@ -5323,7 +5417,7 @@ msgstr ""
 "usuario.  El número GID se ignora en este caso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -5336,12 +5430,12 @@ msgstr ""
 "unicidad den el espacio de ID."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr "false"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
@@ -5350,12 +5444,12 @@ msgstr ""
 "a un  objeto grupo en las base de datos LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr "hybrid"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -5370,7 +5464,7 @@ msgstr ""
 "grupo, el GID primario del usuario se resuelve al de ese objeto grupo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
@@ -5379,7 +5473,7 @@ msgstr ""
 "una entrada de grupo, de otro modo el GID simplemente no se puede resolver."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -5390,7 +5484,7 @@ msgstr ""
 "también desea retener los grupos privados existentes del usuario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
@@ -5399,7 +5493,7 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
@@ -5408,7 +5502,7 @@ msgstr ""
 "POSIX IDs asignados y True para subdominios que usan mapeo de ID automático."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -5418,7 +5512,7 @@ msgstr ""
 "auto_private_groups = false\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -5430,7 +5524,7 @@ msgstr ""
 "auto_private_groups = false\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -5444,7 +5538,7 @@ msgstr ""
 "type=\"programlisting\" id=\"1\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -5456,17 +5550,17 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr "El proxy de destino PAM próximo a."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -5475,12 +5569,12 @@ msgstr ""
 "pam existente o crear una nueva y añadir el nombre de servicio aquí."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -5491,12 +5585,12 @@ msgstr ""
 "_nss_$(libName)_$(function), por ejemplo _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -5504,12 +5598,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -5523,12 +5617,12 @@ msgstr ""
 "razones de rendimiento."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr "proxy_max_children (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -5540,7 +5634,7 @@ msgstr ""
 "son encoladas."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -5549,12 +5643,12 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr "Dominios de aplicaciones"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -5583,7 +5677,7 @@ msgstr ""
 "que opcionalmente herede ajustes de un dominio SSSD tradicional."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -5595,17 +5689,17 @@ msgstr ""
 "establecido correctamente."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr "Parámetros de dominio de aplicación"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr "inherit_from (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -5618,7 +5712,7 @@ msgstr ""
 "<quote>hermano</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -5633,7 +5727,7 @@ msgstr ""
 "cache y hace al atributo phone alcanzable a través del interfaz D-Bus."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -5667,12 +5761,12 @@ msgstr ""
 "ldap_user_extra_attrs = phone:telephoneNumber\n"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr "SECCIÓN DE DOMINIO DE CONFIANZA"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -5689,57 +5783,57 @@ msgstr ""
 "soportadas en la sección de dominio de confianza son:"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr "ldap_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr "ldap_user_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr "ldap_group_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr "ldap_netgroup_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr "ldap_service_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr "ldap_sasl_mech,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr "ad_server,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr "ad_backup_server,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr "ad_site,"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr "use_fully_qualified_names"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
@@ -5748,12 +5842,12 @@ msgstr ""
 "página de manual."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr "SECCIÓN DE MAPEO DEL CERTIFICADO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -5775,7 +5869,7 @@ msgstr ""
 "usan autenticación PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -5787,7 +5881,7 @@ msgstr ""
 "citerefentry>)."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -5801,12 +5895,12 @@ msgstr ""
 "opciones:"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr "matchrule (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
@@ -5815,7 +5909,7 @@ msgstr ""
 "procesados, los demás son ignorados."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
@@ -5824,17 +5918,17 @@ msgstr ""
 "tengan Extended Key Usage <quote>clientAuth</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr "maprule (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr "Define como se encuentra un usuario desde un certificado dado."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
@@ -5843,7 +5937,7 @@ msgstr ""
 "como <quote>ldap</quote>, <quote>AD</quote> o <quote>ipa</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
@@ -5852,12 +5946,12 @@ msgstr ""
 "encontrar un usuario con el mismo nombre."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr "domains (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -5870,17 +5964,17 @@ msgstr ""
 "usada para añadir la regla a los subdominios también."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr "Predetermiado: el dominio configurado en sssd.conf"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr "priority (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -5891,12 +5985,12 @@ msgstr ""
 "más alte mientras que <quote>4294967295</quote> es la más baja."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr "Predeterminado: la prioridad más baja"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
@@ -5906,7 +6000,7 @@ msgstr ""
 "propiedades especiales:"
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
@@ -5915,7 +6009,7 @@ msgstr ""
 "usuario coincidente"
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -5928,17 +6022,17 @@ msgstr ""
 "short_name})</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr "la opción <quote>domains</quote> es ignorada"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr "SECCIÓN DE CONFIGURACIÓN INICIAL"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -5953,7 +6047,7 @@ msgstr ""
 "al usuario las credenciales apropiadas."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -5966,22 +6060,22 @@ msgstr ""
 "Las siguientes opciones deberían suministrar una mejor flexibilidad aquí."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr "[prompting/password]"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr "password_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr "cambiar la cadena de solicitud de contraseña"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
@@ -5990,37 +6084,37 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr "[prompting/2fa]"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr "first_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr "para cambiar la cadena de la solicitud del primer factor"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr "second_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr "para cambiar la cadena de la solicitud para el segundo factor"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr "single_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 #, fuzzy
 #| msgid ""
 #| "boolean value, if True there will be only a single prompt using the value "
@@ -6037,7 +6131,7 @@ msgstr ""
 "única cadena"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -6046,7 +6140,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -6059,7 +6153,7 @@ msgstr ""
 "type=\"variablelist\" id=\"1\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -6070,12 +6164,12 @@ msgstr ""
 "pregunta para este servicio."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr "EJEMPLOS"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -6129,7 +6223,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -6142,7 +6236,7 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -6152,7 +6246,7 @@ msgstr ""
 "use_fully_qualified_names = false\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -6169,7 +6263,7 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -6191,7 +6285,7 @@ msgstr ""
 "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$&lt;SUBJECT&gt;^CN=User.Name,DC=MY,DC=DOMAIN$\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -6274,7 +6368,7 @@ msgstr ""
 "información sobre la utilización de LDAP como proveedor de acceso."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -6395,7 +6489,7 @@ msgstr ""
 "http://www.ietf.org/rfc/rfc2254.txt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr "Ejemplos:"
@@ -6648,12 +6742,12 @@ msgstr ""
 "escondrijo de los registros enumerados."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -6664,7 +6758,7 @@ msgstr ""
 "para guardar espacio."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -6678,12 +6772,12 @@ msgstr ""
 "correrá cada tres horas con la enumeración habilitada."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -6695,7 +6789,7 @@ msgstr ""
 "esquema RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -6711,7 +6805,7 @@ msgstr ""
 "conjunto de resultados de la búsqueda origina si se requiere."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -6727,12 +6821,12 @@ msgstr ""
 "grupos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr "Predeterminado: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
@@ -6742,22 +6836,22 @@ msgstr ""
 "posteriores."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr "Predeterminado: True para AD e IPA en otro caso False."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr "ldap_host_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr "Opcional. Usa la cadena dada como base de búsqueda para objetos host."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -6767,32 +6861,32 @@ msgstr ""
 "de múltiples bases de búsqueda."
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "Predeterminado: el valor de <emphasis>ldap_search_base</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -6803,7 +6897,7 @@ msgstr ""
 "escondidos devueltos (y se entra en modo fuera de línea)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -6814,12 +6908,12 @@ msgstr ""
 "espera para tipos específicos de búsqueda."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -6831,12 +6925,12 @@ msgstr ""
 "fuera de línea)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -6853,12 +6947,12 @@ msgstr ""
 "citerefentry> vuelve en caso de no actividad."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -6872,12 +6966,12 @@ msgstr ""
 "cambio extendido de contraseña y las operación StartTLS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -6890,7 +6984,7 @@ msgstr ""
 "temprano (este valor contra el tiempo de vida TGT)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -6901,38 +6995,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr "Predeterminado: 900 (15 minutos)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 #, fuzzy
 #| msgid "ldap_connection_expire_timeout (integer)"
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 #, fuzzy
 #| msgid ""
 #| "Specifies a timeout (in seconds) that a connection to an LDAP server will "
@@ -6950,17 +7044,17 @@ msgstr ""
 "temprano (este valor contra el tiempo de vida TGT)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
@@ -6969,12 +7063,12 @@ msgstr ""
 "Algunos servidores LDAP hacen cumplir un límite máximo por petición."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -6985,7 +7079,7 @@ msgstr ""
 "RootDSE pero no está habilitado o no se comporta apropiadamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
@@ -6995,7 +7089,7 @@ msgstr ""
 "pero es incapaz de usarlo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -7006,17 +7100,17 @@ msgstr ""
 "puede ocasionar que algunas peticiones sean denegadas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr "ldap_disable_range_retrieval (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr "Deshabilitar la recuperación del rango de Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -7032,12 +7126,12 @@ msgstr ""
 "miembros."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -7048,19 +7142,19 @@ msgstr ""
 "de esta opción son definidos por OpenLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 "Por defecto: Usa el sistema por defecto (normalmente especificado por ldap."
 "conf)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -7068,12 +7162,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -7084,7 +7178,7 @@ msgstr ""
 "deference. Si hay menos miembros desaparecidos, se buscarán individualmente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -7101,7 +7195,7 @@ msgstr ""
 "lo soporta y auncia el control de la desreferencia en el objeto rootDSE."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -7114,7 +7208,7 @@ msgstr ""
 "soportados son 389/RHDS, OpenLDAP y Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -7125,14 +7219,14 @@ msgstr ""
 "será deshabilitado sin tener en cuenta este ajuste."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 #, fuzzy
 #| msgid "ad_gpo_ignore_unreadable (boolean)"
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr "ad_gpo_ignore_unreadable (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -7140,7 +7234,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -7148,12 +7242,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -7163,7 +7257,7 @@ msgstr ""
 "los siguientes valores:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -7172,7 +7266,7 @@ msgstr ""
 "certificado de servidor."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -7183,7 +7277,7 @@ msgstr ""
 "certificado malo, será ignorado y la sesión continua normalmente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -7194,7 +7288,7 @@ msgstr ""
 "certificado malo, la sesión se termina inmediatamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -7205,22 +7299,22 @@ msgstr ""
 "termina inmediatamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> = Igual que <quote>demand</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr "Predeterminado: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -7229,7 +7323,7 @@ msgstr ""
 "de Certificación que <command>sssd</command> reconocerá."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -7238,12 +7332,12 @@ msgstr ""
 "etc/openldap/ldap.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -7257,33 +7351,33 @@ msgstr ""
 "para crear los nombres correctos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 "Especifica el fichero que contiene el certificado para la clave del cliente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr "Especifica el archivo que contiene la clave del cliente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -7294,12 +7388,12 @@ msgstr ""
 "conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
@@ -7308,12 +7402,12 @@ msgstr ""
 "<systemitem class=\"protocol\">tls</systemitem> para proteger el canal."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -7324,18 +7418,18 @@ msgstr ""
 "ldap_user_uid_number y ldap_group_gid_number."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 "Actualmente está función soporta sólo mapeos de objectSID de ActiveDirectory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr "ldap_min_id, ldap_max_id (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -7353,17 +7447,17 @@ msgstr ""
 "el servidor. Los subdominios pueden elegir otros rangos para asignar IDs."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr "Predeterminado: no establecido (ambas opciones se establecen a 0)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
@@ -7372,7 +7466,7 @@ msgstr ""
 "soportados GSSAPI y GSS-SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -7389,12 +7483,12 @@ msgstr ""
 "manvolnum></citerefentry> para más detalles."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -7414,7 +7508,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -7434,17 +7528,17 @@ msgstr ""
 "principal en la pestaña."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr "Por defecto: host/nombre_de_host@REALM"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -7455,17 +7549,17 @@ msgstr ""
 "reino también, esta opción se ignora."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr "Por defecto: el valor de krb5_realm."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
@@ -7474,34 +7568,34 @@ msgstr ""
 "para para canocalizar el nombre de host durante una unión SASL."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr "Predeterminado: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr "Especifica la pestaña a usar cuando se utiliza SASL/GSSAPI/GSS-SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "Por defecto: Keytab del sistema, normalmente <filename>/etc/krb5.keytab</"
 "filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -7512,12 +7606,12 @@ msgstr ""
 "es GSSAPI o GSS-SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
@@ -7525,17 +7619,17 @@ msgstr ""
 "SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr "Predeterminado: 86400 (24 horas)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -7554,7 +7648,7 @@ msgstr ""
 "información, vea la sección <quote>SERVICE DISCOVERY</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -7565,7 +7659,7 @@ msgstr ""
 "regresa a _tcp si no se encuentra nada."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -7577,30 +7671,30 @@ msgstr ""
 "configuración para usar <quote>krb5_server</quote> en su lugar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 "Especifica el REALM Kerberos (para autorización SASL/GSSAPI/GSS-SPNEGO)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 "Predeterminado: Predeterminados del sistema, vea <filename>/etc/krb5.conf</"
 "filename>"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
@@ -7609,12 +7703,12 @@ msgstr ""
 "servidor LDAP. Esta función está disponible con MIT Kerberos >= 1.7"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr "krb5_use_kdcinfo (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -7629,7 +7723,7 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -7641,12 +7735,12 @@ msgstr ""
 "localizador."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -7655,7 +7749,7 @@ msgstr ""
 "del cliente. Los siguientes valores son permitidos:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -7664,7 +7758,7 @@ msgstr ""
 "no puede deshabilitar las políticas de password en el lado servidor."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 #, fuzzy
 #| msgid ""
 #| "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
@@ -7681,7 +7775,7 @@ msgstr ""
 "manvolnum></citerefentry> para evaluar si la contraseña ha expirado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -7693,7 +7787,7 @@ msgstr ""
 "password."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
@@ -7703,19 +7797,19 @@ msgstr ""
 "establecida por esta opción."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 "Especifica si el seguimiento de referencias automático debería ser "
 "habilitado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -7724,7 +7818,7 @@ msgstr ""
 "está compilado con OpenLDAP versión 2.4.13 o más alta."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 #, fuzzy
 #| msgid ""
 #| "Chasing referrals may incur a performance penalty in environments that "
@@ -7747,29 +7841,29 @@ msgstr ""
 "esta opción a false le llevará a una notable mejora de rendimiento."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "Especifica el nombre del servicio para utilizar cuando está habilitado el "
 "servicio de descubrimiento."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr "Predeterminado: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -7779,17 +7873,17 @@ msgstr ""
 "descubrimiento."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr "Por defecto: no fijado, esto es servicio descubridor deshabilitado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
@@ -7798,7 +7892,7 @@ msgstr ""
 "desde el Epoch después de una operación de cambio de contraseña."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -7807,12 +7901,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -7840,12 +7934,12 @@ msgstr ""
 "refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr "Ejemplo:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -7857,7 +7951,7 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
@@ -7866,7 +7960,7 @@ msgstr ""
 "usuarios cuyo atributo employeeType esté establecido a \"admin\"."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -7879,17 +7973,17 @@ msgstr ""
 "se les seguirán otorgando acceso sin conexión y viceversa."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr "Predeterminado: vacío"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -7898,7 +7992,7 @@ msgstr ""
 "control de acceso del lado cliente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -7909,12 +8003,12 @@ msgstr ""
 "una código de error definible aunque el password sea correcto."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr "Los siguientes valores están permitidos:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -7923,7 +8017,7 @@ msgstr ""
 "determinar si la cuenta ha expirado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -7936,7 +8030,7 @@ msgstr ""
 "se comprueba el tiempo de expiración de la cuenta."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -7947,7 +8041,7 @@ msgstr ""
 "el acceso o no."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -7960,7 +8054,7 @@ msgstr ""
 "permitido. Si ambos atributos están desaparecidos se concede el acceso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -7971,24 +8065,24 @@ msgstr ""
 "la opción ldap_account_expire_policy funcione."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "Lista separada por coma de opciones de control de acceso.  Los valores "
 "permitidos son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filtro</emphasis>: utilizar ldap_access_filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -8004,7 +8098,7 @@ msgstr ""
 "funciones."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
@@ -8014,7 +8108,7 @@ msgstr ""
 "</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -8036,12 +8130,12 @@ msgstr ""
 "estar establecido para que esta característica funcione."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr "<emphasis>caducar</emphasis>: utilizar ldap_account_expire_policy"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -8056,7 +8150,7 @@ msgstr ""
 "método distinto a las contraseñas - por ejemplo claves SSH."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -8071,7 +8165,7 @@ msgstr ""
 "inmediatamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
@@ -8079,7 +8173,7 @@ msgstr ""
 "explícito."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
@@ -8089,7 +8183,7 @@ msgstr ""
 "para una política de contraseña apropiada."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -8098,13 +8192,13 @@ msgstr ""
 "autorizedService para determinar el acceso"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 "<emphasis>host</emphasis>: usa el atributo host para determinar el acceso"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
@@ -8113,7 +8207,7 @@ msgstr ""
 "host remoto puede acceder"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
@@ -8123,12 +8217,12 @@ msgstr ""
 "opción de control de acceso"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr "Predeterminado: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
@@ -8137,12 +8231,12 @@ msgstr ""
 "una vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr "ldap_pwdlockout_dn (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -8156,22 +8250,22 @@ msgstr ""
 "LDAP no pueden verificarse correctamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr "Ejemplo: cn=ppolicy,ou=policies,dc=example,dc=com"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr "Predeterminado: cn=ppolicy,ou=policies,$ldap_search_base"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -8180,13 +8274,13 @@ msgstr ""
 "lleva a cabo una búsqueda. Están permitidas las siguientes opciones:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 "<emphasis>never</emphasis>: Nunca serán eliminadas las referencias al alias."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -8196,7 +8290,7 @@ msgstr ""
 "búsqueda."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -8205,7 +8299,7 @@ msgstr ""
 "cuando se localice el objeto base de la búsqueda."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -8214,7 +8308,7 @@ msgstr ""
 "para la búsqueda como en la localización del objeto base de la búsqueda."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -8223,12 +8317,12 @@ msgstr ""
 "librerías cliente LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
@@ -8237,7 +8331,7 @@ msgstr ""
 "servidores que usan el esquema RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -8255,7 +8349,7 @@ msgstr ""
 "llamadas getpw*() o initgroups()."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -8266,12 +8360,12 @@ msgstr ""
 "initgroups() aumentará los usuarios locales con los grupos LDAP adicionales."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr "wildcard_limit (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
@@ -8280,39 +8374,39 @@ msgstr ""
 "descargadas durante una búsqueda de comodín."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 "En este momento solo el respondedor InfoPipe soporta búsqueda de comodín"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr "Predeterminado: 1000 (frecuentemente el tamaño de una página)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 #, fuzzy
 #| msgid "debug_level (integer)"
 msgid "ldap_library_debug_level (integer)"
 msgstr "debug_level (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 #, fuzzy
 #| msgid "Default: 0 (disabled)"
 msgid "Default: 0 (libldap debugging disabled)"
@@ -8339,12 +8433,12 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr "OPCIONES SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -8355,12 +8449,12 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
@@ -8370,7 +8464,7 @@ msgstr ""
 "servidor)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
@@ -8379,24 +8473,24 @@ msgstr ""
 "emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr "Por defecto: 21600 (6 horas)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -8408,7 +8502,7 @@ msgstr ""
 "actualmente SSSD)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
@@ -8417,7 +8511,7 @@ msgstr ""
 "atributo modifyTimestamp."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -8433,21 +8527,21 @@ msgstr ""
 "<emphasis>ldap_connection_expire_timeout</emphasis>)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 #, fuzzy
 #| msgid "ldap_idmap_range_size (integer)"
 msgid "ldap_sudo_random_offset (integer)"
 msgstr "ldap_idmap_range_size (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -8455,7 +8549,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -8463,17 +8557,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
@@ -8482,12 +8576,12 @@ msgstr ""
 "máquina (usando las direcciones de host/red y nombres de host IPv4 o IPv6)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
@@ -8496,7 +8590,7 @@ msgstr ""
 "totalmente cualificados que sería usada para filtrar las reglas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
@@ -8505,8 +8599,8 @@ msgstr ""
 "nombre de dominio totalmente cualificado automáticamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
@@ -8515,17 +8609,17 @@ msgstr ""
 "emphasis> esta opción no tiene efecto."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr "Por defecto: no especificado"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
@@ -8534,7 +8628,7 @@ msgstr ""
 "usada para filtrar las reglas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
@@ -8543,12 +8637,12 @@ msgstr ""
 "automáticamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "sudo_include_netgroups (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
@@ -8557,12 +8651,12 @@ msgstr ""
 "atributo sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
@@ -8571,7 +8665,7 @@ msgstr ""
 "atributo sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
@@ -8580,7 +8674,7 @@ msgstr ""
 "del servidor LDAP!"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -8593,12 +8687,12 @@ msgstr ""
 "manvolnum> </citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr "OPCIONES AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
@@ -8607,47 +8701,47 @@ msgstr ""
 "esquema LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr "ldap_autofs_map_master_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr "El nombre del mapa maestro de montaje automático en LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr "Pfredeterminado: auto.master"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr "OPCIONES AVANZADAS"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr "<note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -8660,22 +8754,22 @@ msgstr ""
 "función, si los nombres de grupo no están siendo visualizados correctamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr "</note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -8688,14 +8782,14 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"1\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr "EJEMPLO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -8706,7 +8800,7 @@ msgstr ""
 "replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -8726,20 +8820,20 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr "EJEMPLO DE FILTRO DE ACCESO LDAP"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
@@ -8748,7 +8842,7 @@ msgstr ""
 "ldap_access_order=lockout."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -8774,13 +8868,13 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "NOTAS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -9981,7 +10075,7 @@ msgstr ""
 "grupos locales no serán evaluados."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -11236,7 +11330,7 @@ msgstr ""
 "este host. El nombre de host debe ser totalmente cualificado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr "dyndns_update (booleano)"
 
@@ -11256,7 +11350,7 @@ msgstr ""
 "otra manera utilizando la opción <quote>dyndns_iface</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -11277,12 +11371,12 @@ msgstr ""
 "usar <emphasis>dyndns_update</emphasis> en su fichero de configuración."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr "dyndns_ttl (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -11309,12 +11403,12 @@ msgid "Default: 1200 (seconds)"
 msgstr "Por defecto: 1200 (segundos)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr "dyndns_iface (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -11347,17 +11441,17 @@ msgstr ""
 "conexión IPA LDAP"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr "Ejemplo: dyndns_iface = em1, vnet1, vnet2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr "dyndns_auth (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -11368,19 +11462,19 @@ msgstr ""
 "se pueden enviar fijando esta opción a 'none'."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr "Predeterminado: GSS-TSIG"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 #, fuzzy
 #| msgid "dyndns_auth (string)"
 msgid "dyndns_auth_ptr (string)"
 msgstr "dyndns_auth (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 #, fuzzy
 #| msgid ""
 #| "Whether the nsupdate utility should use GSS-TSIG authentication for "
@@ -11396,7 +11490,7 @@ msgstr ""
 "se pueden enviar fijando esta opción a 'none'."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -11406,7 +11500,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr "ipa_enable_dns_sites (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 "Habilita sitios DNS - descubrimiento de servicio basado en la ubicación."
@@ -11433,7 +11527,7 @@ msgstr ""
 "tradicional SRV son usados como servidores de respaldo"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr "dyndns_refresh_interval (entero)"
 
@@ -11450,12 +11544,12 @@ msgstr ""
 "dyndns_update está a true."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr "dyndns_update_ptr (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -11480,12 +11574,12 @@ msgid "Default: False (disabled)"
 msgstr "Predeterminado: False (deshabilitado)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr "dyndns_force_tcp (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
@@ -11494,17 +11588,17 @@ msgstr ""
 "comunica con el servidor DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr "Predeterminado: False (permitir a nsupdate elegir el protocolol)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr "dyndns_server (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
@@ -11514,7 +11608,7 @@ msgstr ""
 "establecer."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
@@ -11523,7 +11617,7 @@ msgstr ""
 "servidor DNS es distinto del servidor de identidad."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
@@ -11532,17 +11626,17 @@ msgstr ""
 "cuando el intento anterior de usar la configuración autodetectada falló."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr "Predeterminado: None (permitir a nsupdate elegir el servidor)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr "dyndns_update_per_family (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -11701,12 +11795,12 @@ msgstr ""
 "convertido hacia la base DN para usarlo para llevar a cabo operaciones LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr "krb5_confd_path (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
@@ -11715,7 +11809,7 @@ msgstr ""
 "configuración de Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
@@ -11724,7 +11818,7 @@ msgstr ""
 "parámetro a 'none'."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -11748,7 +11842,7 @@ msgstr ""
 "hay muchas solicitudes de perfiles de escritorio en un período corto."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr "Predeterminado: 5 (segundos)"
 
@@ -12431,13 +12525,33 @@ msgstr ""
 "siempre como sensibles a mayúsculas y minúsculas en el proveedor AD por "
 "compatibilidad con la implementación LDAP de Active Directory."
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr "ad_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
@@ -12446,7 +12560,7 @@ msgstr ""
 "se suministra, se usa la configuración del nombre de dominio."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
@@ -12455,7 +12569,7 @@ msgstr ""
 "minúscula de la versión larga del dominio Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
@@ -12464,12 +12578,12 @@ msgstr ""
 "pano) es autodetectado por SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr "ad_enabled_domains (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -12480,7 +12594,7 @@ msgstr ""
 "deja sin establecer, estarán disponibles todos los dominios del bosque AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -12490,7 +12604,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -12501,7 +12615,7 @@ msgstr ""
 "Directory. Por ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
@@ -12510,12 +12624,12 @@ msgstr ""
 "será autodetectado por SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -12527,7 +12641,7 @@ msgstr ""
 "<quote>CONMUTACIÓN POR ERROR</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
@@ -12537,7 +12651,7 @@ msgstr ""
 "<quote>SERVICIO DE DESCUBRIMIENTO</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
@@ -12547,12 +12661,12 @@ msgstr ""
 "opción ad_server."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -12561,7 +12675,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -12569,12 +12683,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr "ad_enable_dns_sites (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -12591,12 +12705,12 @@ msgstr ""
 "se usa durante el descubrimiento de sitio también."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr "ad_access_filter (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -12610,7 +12724,7 @@ msgstr ""
 "opción tenga efecto."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -12623,7 +12737,7 @@ msgstr ""
 "<quote>FOREST</quote> o ninguna."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -12636,7 +12750,7 @@ msgstr ""
 "dominios del bosque especificado por <quote>NAME</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
@@ -12645,7 +12759,7 @@ msgstr ""
 "modo similar a como funcionan las bases de búsqueda."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -12666,7 +12780,7 @@ msgstr ""
 "extensiones LDAP</ulink>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -12679,7 +12793,7 @@ msgstr ""
 "con la misma especificación se usa la primera."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -12709,12 +12823,12 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr "ad_site (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
@@ -12723,12 +12837,12 @@ msgstr ""
 "suministra esta opción se autodescubrirá el sitio AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr "ad_enable_gc (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -12741,7 +12855,7 @@ msgstr ""
 "hace que SSSD solo conecte al puerto LDAP del servidor AD actual."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -12755,12 +12869,12 @@ msgstr ""
 "membresías de grupo de dominio cruzado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr "ad_gpo_access_control (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -12775,7 +12889,7 @@ msgstr ""
 "objetivo de que esta opción tenga efecto."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -12788,7 +12902,7 @@ msgstr ""
 "opciones <quote>ad_gpo_map</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -12797,7 +12911,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -12812,7 +12926,7 @@ msgstr ""
 "los que pertenece debe tener los siguientes permisos en el GPO:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
@@ -12821,7 +12935,7 @@ msgstr ""
 "propiedad de la GPO (RIGHT_DS_READ_PROPERTY)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
@@ -12830,7 +12944,7 @@ msgstr ""
 "tener permiso para aplicar la GPO (RIGHT_DS_CONTROL_ACCESS)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -12846,7 +12960,7 @@ msgstr ""
 "GPO se aplicarán siempre también al usuario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -12873,12 +12987,12 @@ msgstr ""
 "citerefentry>)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr "Hay tres valores soportados para esta opción:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
@@ -12886,14 +13000,14 @@ msgstr ""
 "son evaluadas ni aplicadas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 "enforcing (hacer cumplir): Las reglas de control de acceso basadas en GPO "
 "son evaluadas y aplicadas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -12905,22 +13019,22 @@ msgstr ""
 "si el valor de la opción estuviera establecido en enforcing."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr "Predeterminado: permissive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr "Predeterminado: enforcing"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr "ad_gpo_implicit_deny (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -12938,7 +13052,7 @@ msgstr ""
 "administradores integrados si no se aplican reglas de GPO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -12946,84 +13060,84 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 #, fuzzy
 #| msgid "ad_gpo_implicit_deny (boolean)"
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr "ad_gpo_implicit_deny (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 #, fuzzy
 #| msgid "All users are recorded."
 msgid "all users are allowed"
 msgstr "Se graban todos los usuarios."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "only users in allow-rules are allowed"
 msgstr "Los siguientes valores están permitidos:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 #, fuzzy
 #| msgid "ad_gpo_implicit_deny (boolean)"
 msgid "ad_gpo_implicit_deny = True"
 msgstr "ad_gpo_implicit_deny (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 #, fuzzy
 #| msgid "No users are recorded."
 msgid "no users are allowed"
 msgstr "NO se grabaron usuarios."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr "ad_gpo_ignore_unreadable (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -13038,12 +13152,12 @@ msgstr ""
 "los contenedores de política de grupo no son legibles por SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -13051,12 +13165,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -13072,14 +13186,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -13087,7 +13201,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13099,42 +13213,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -13150,7 +13264,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -13158,7 +13272,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -13166,7 +13280,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13178,22 +13292,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -13209,7 +13323,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -13217,7 +13331,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -13225,7 +13339,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13237,22 +13351,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -13267,14 +13381,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -13282,7 +13396,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13294,23 +13408,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -13326,14 +13440,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -13341,7 +13455,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -13352,19 +13466,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -13372,7 +13486,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13384,29 +13498,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -13414,12 +13528,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -13432,57 +13546,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -13490,17 +13604,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -13510,17 +13624,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -13529,12 +13643,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -13545,14 +13659,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 #, fuzzy
 #| msgid "ldap_sudo_include_netgroups (boolean)"
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr "sudo_include_netgroups (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -13563,7 +13677,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -13578,7 +13692,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -13590,7 +13704,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -13601,19 +13715,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -13623,7 +13737,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -13634,7 +13748,7 @@ msgstr ""
 "Este ejemplo muestra sólo las opciones específicas del proveedor AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -13658,7 +13772,7 @@ msgstr ""
 "ad_domain = example.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -13670,7 +13784,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -13681,7 +13795,7 @@ msgstr ""
 "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -13691,7 +13805,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -19910,32 +20024,43 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+msgid "Authentication Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -20639,85 +20764,110 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+#, fuzzy
+#| msgid "Default: True (False for AD provider)"
+msgid "Default: false (IPA and AD provider: true)"
+msgstr "Predeterminado: True (False para proveedor AD)"
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+"Por favor vea el parámetro <quote>dns_discovery_domain</quote> en la página "
+"de manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> para más detalles."
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr "krb5_renewable_lifetime (cadena)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr "Por defecto: no fijado, esto es el TGT no es renovable"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr "krb5_lifetime (cadena)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
@@ -20725,12 +20875,12 @@ msgstr ""
 "configurado en el KDC."
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -20738,12 +20888,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/eu.po b/src/man/po/eu.po
index 6bde854fa4c..a60c099d0d9 100644
--- a/src/man/po/eu.po
+++ b/src/man/po/eu.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2014-12-14 11:55-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Basque (http://www.transifex.com/projects/p/sssd/language/"
@@ -205,10 +205,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr ""
 
@@ -226,12 +226,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr ""
 
@@ -263,8 +263,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -294,7 +294,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr ""
 
@@ -370,8 +370,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr ""
 
@@ -392,7 +392,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr ""
 
@@ -412,12 +412,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -425,39 +425,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -595,11 +595,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr ""
 
@@ -865,8 +865,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr ""
 
@@ -1011,7 +1011,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr ""
 
@@ -1113,7 +1113,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr ""
 
@@ -1482,7 +1482,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr ""
 
@@ -1508,8 +1508,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr ""
@@ -1817,7 +1817,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
@@ -1830,7 +1830,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1844,7 +1844,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
@@ -1907,8 +1907,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr ""
 
@@ -1973,9 +1973,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr ""
 
@@ -1990,7 +1990,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2086,48 +2086,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2245,7 +2245,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr ""
 
@@ -2279,7 +2279,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -2289,7 +2289,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2309,7 +2309,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr ""
@@ -2669,25 +2669,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2695,73 +2706,71 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -2771,66 +2780,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -2838,17 +2847,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -2856,7 +2865,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -2865,56 +2874,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 msgid "exclude_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 msgid "Default: Empty. No users excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 msgid "exclude_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 msgid "Default: Empty. No groups excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -2924,12 +2933,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -2938,14 +2947,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -2954,38 +2963,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -2994,24 +3003,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3020,29 +3029,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3056,14 +3065,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3072,39 +3081,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3113,19 +3122,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3136,139 +3145,139 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3277,17 +3286,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3299,33 +3308,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3333,19 +3342,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3354,17 +3363,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3373,28 +3382,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3402,7 +3411,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3410,8 +3419,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3420,8 +3429,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3429,19 +3438,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3450,7 +3459,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3458,24 +3467,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3487,27 +3496,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3515,7 +3535,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3523,30 +3543,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3554,19 +3574,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3575,7 +3595,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3583,29 +3603,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3613,7 +3633,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3621,35 +3641,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3657,32 +3677,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3693,7 +3713,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3702,12 +3722,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3715,7 +3735,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3723,31 +3743,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3755,7 +3775,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3764,17 +3784,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -3782,43 +3802,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3826,7 +3846,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3834,7 +3854,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3842,24 +3862,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3867,31 +3887,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3899,7 +3919,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -3908,12 +3928,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3923,7 +3943,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -3932,29 +3952,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3962,104 +3982,102 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 msgid "dns_resolver_server_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 msgid "dns_resolver_op_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4068,64 +4086,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4133,38 +4151,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4172,49 +4183,104 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
+#: sssd.conf.5.xml:3695
+msgid "ldap_search_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+msgid "ldap_network_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+msgid "ldap_opt_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+msgid "ldap_offline_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3707
+msgid "ldap_enumeration_refresh_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+msgid "ldap_enumeration_refresh_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+msgid "ldap_purge_cache_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+msgid "ldap_krb5_ticket_lifetime"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+msgid "ldap_enumeration_search_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+msgid "ldap_connection_expire_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+msgid "ldap_connection_expire_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 msgid "ldap_connection_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4222,27 +4288,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4252,34 +4318,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4288,19 +4354,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4308,24 +4374,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4334,24 +4400,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4361,14 +4427,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4376,21 +4442,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4398,7 +4464,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4407,7 +4473,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4416,7 +4482,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4424,29 +4490,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4454,12 +4520,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4467,12 +4533,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4481,12 +4547,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4494,19 +4560,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -4523,7 +4589,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -4531,17 +4597,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -4550,7 +4616,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -4560,7 +4626,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4580,12 +4646,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -4596,69 +4662,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -4671,7 +4737,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -4679,7 +4745,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -4688,55 +4754,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -4745,17 +4811,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -4763,26 +4829,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -4791,17 +4857,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -4811,7 +4877,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -4820,59 +4886,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -4881,7 +4947,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -4890,7 +4956,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -4899,7 +4965,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -4907,12 +4973,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4942,7 +5008,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -4951,7 +5017,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -4959,7 +5025,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -4970,7 +5036,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -4984,7 +5050,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5047,7 +5113,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5148,7 +5214,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr ""
@@ -5364,12 +5430,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5377,7 +5443,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5386,12 +5452,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5399,7 +5465,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5409,7 +5475,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5419,34 +5485,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -5454,32 +5520,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5487,7 +5553,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5495,12 +5561,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5508,12 +5574,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5524,12 +5590,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5538,12 +5604,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5552,7 +5618,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -5563,36 +5629,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -5600,29 +5666,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5630,14 +5696,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5645,17 +5711,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5665,12 +5731,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5678,17 +5744,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -5696,12 +5762,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5709,7 +5775,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -5720,7 +5786,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5729,7 +5795,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5737,12 +5803,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -5750,7 +5816,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -5758,26 +5824,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5785,7 +5851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5793,7 +5859,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5801,41 +5867,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5844,32 +5910,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5877,24 +5943,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5902,17 +5968,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5923,24 +5989,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -5951,12 +6017,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -5969,7 +6035,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -5981,17 +6047,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -5999,49 +6065,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6049,28 +6115,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6082,7 +6148,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6090,7 +6156,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6098,39 +6164,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6140,7 +6206,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6148,26 +6214,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6176,7 +6242,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6184,31 +6250,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6221,51 +6287,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -6274,12 +6340,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6295,12 +6361,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6309,14 +6375,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6325,24 +6391,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6350,19 +6416,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6371,7 +6437,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6379,7 +6445,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6388,7 +6454,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6396,22 +6462,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6421,14 +6487,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6441,12 +6507,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6456,7 +6522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6466,63 +6532,63 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6531,74 +6597,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6609,7 +6675,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6617,48 +6683,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 msgid "ldap_library_debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr ""
 
@@ -6675,12 +6741,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6688,43 +6754,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -6732,14 +6798,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -6749,19 +6815,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 msgid "ldap_sudo_random_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -6769,7 +6835,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -6777,106 +6843,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6885,59 +6951,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -6946,22 +7012,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -6970,14 +7036,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -6985,7 +7051,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6998,27 +7064,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7034,13 +7100,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8046,7 +8112,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -9073,7 +9139,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr ""
 
@@ -9088,7 +9154,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -9103,12 +9169,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -9129,12 +9195,12 @@ msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -9158,17 +9224,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -9176,17 +9242,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 msgid "dyndns_auth_ptr (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -9194,7 +9260,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -9204,7 +9270,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
@@ -9221,7 +9287,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
@@ -9234,12 +9300,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -9258,60 +9324,60 @@ msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -9442,26 +9508,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -9480,7 +9546,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr ""
 
@@ -10031,39 +10097,59 @@ msgid ""
 "LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -10071,7 +10157,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -10079,7 +10165,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -10087,19 +10173,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -10107,26 +10193,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -10135,7 +10221,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -10143,12 +10229,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -10159,12 +10245,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -10173,7 +10259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -10182,7 +10268,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -10191,14 +10277,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -10211,7 +10297,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -10220,7 +10306,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -10238,24 +10324,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -10264,7 +10350,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -10273,12 +10359,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -10288,7 +10374,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -10297,7 +10383,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -10306,7 +10392,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -10316,21 +10402,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -10340,7 +10426,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -10355,23 +10441,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -10379,22 +10465,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -10405,7 +10491,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -10413,74 +10499,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 msgid "all users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 msgid "only users in allow-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 msgid "no users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -10490,12 +10576,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -10503,12 +10589,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -10524,14 +10610,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -10539,7 +10625,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10551,42 +10637,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -10602,7 +10688,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -10610,7 +10696,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -10618,7 +10704,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10630,22 +10716,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -10661,7 +10747,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -10669,7 +10755,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -10677,7 +10763,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10689,22 +10775,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -10719,14 +10805,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -10734,7 +10820,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10746,23 +10832,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -10778,14 +10864,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -10793,7 +10879,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -10804,19 +10890,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -10824,7 +10910,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10836,29 +10922,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -10866,12 +10952,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -10884,57 +10970,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -10942,17 +11028,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -10962,17 +11048,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -10981,12 +11067,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -10997,12 +11083,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -11013,7 +11099,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -11028,7 +11114,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -11040,7 +11126,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -11051,19 +11137,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -11073,7 +11159,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -11081,7 +11167,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -11096,7 +11182,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -11105,7 +11191,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -11113,7 +11199,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -11123,7 +11209,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -16783,32 +16869,43 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+msgid "Authentication Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -17479,96 +17576,111 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+msgid "Default: false (IPA and AD provider: true)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -17576,12 +17688,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/fi.po b/src/man/po/fi.po
index d4a043ca54d..2527043ff38 100644
--- a/src/man/po/fi.po
+++ b/src/man/po/fi.po
@@ -3,7 +3,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2022-03-20 19:16+0000\n"
 "Last-Translator: Jan Kuparinen <copper_fin@hotmail.com>\n"
 "Language-Team: Finnish <https://translate.fedoraproject.org/projects/sssd/"
@@ -201,10 +201,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr "Oletus:tosi"
 
@@ -222,12 +222,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr "Oletus:epätosi"
 
@@ -259,8 +259,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -290,7 +290,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr ""
 
@@ -368,8 +368,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr ""
 
@@ -390,7 +390,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr ""
 
@@ -410,12 +410,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -423,39 +423,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr "käyttäjänimi"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -597,11 +597,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr "Oletus: ei asetettu"
 
@@ -867,8 +867,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr "Oletus: ei asetettu"
 
@@ -1013,7 +1013,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr ""
 
@@ -1115,7 +1115,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr ""
 
@@ -1484,7 +1484,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr ""
 
@@ -1510,8 +1510,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr ""
@@ -1821,7 +1821,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
@@ -1834,7 +1834,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1848,7 +1848,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
@@ -1911,8 +1911,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr "Oletus: ei mitään"
 
@@ -1977,9 +1977,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr "Oletus:epätosi"
 
@@ -1994,7 +1994,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr "Oletus:"
 
@@ -2092,48 +2092,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr "kirjautuminen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2251,7 +2251,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr ""
 
@@ -2287,7 +2287,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Esimerkki: <placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -2297,7 +2297,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2317,7 +2317,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr "Oletus:tosi"
@@ -2677,27 +2677,38 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 #, fuzzy
 #| msgid "present"
 msgid "pac_present"
 msgstr "nykyinen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2705,73 +2716,71 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -2781,66 +2790,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -2848,17 +2857,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -2866,7 +2875,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -2875,56 +2884,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 msgid "exclude_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 msgid "Default: Empty. No users excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 msgid "exclude_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 msgid "Default: Empty. No groups excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr "käytössä"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -2934,12 +2943,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -2948,14 +2957,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -2964,38 +2973,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3004,24 +3013,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3030,29 +3039,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3066,14 +3075,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3082,39 +3091,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr "kaikki"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr "Ei mitään"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3123,19 +3132,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (integeri)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3146,139 +3155,139 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3287,17 +3296,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3309,33 +3318,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3343,19 +3352,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3364,17 +3373,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3383,28 +3392,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3412,7 +3421,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3420,8 +3429,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3430,8 +3439,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3439,19 +3448,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3460,7 +3469,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3468,24 +3477,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3497,27 +3506,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3525,7 +3545,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3533,30 +3553,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3564,19 +3584,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3585,7 +3605,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3593,29 +3613,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3623,7 +3643,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3631,35 +3651,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3667,32 +3687,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3703,7 +3723,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3712,12 +3732,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3725,7 +3745,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3733,31 +3753,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3765,7 +3785,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3774,17 +3794,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -3792,43 +3812,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3836,7 +3856,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3844,7 +3864,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3852,24 +3872,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3877,31 +3897,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3909,7 +3929,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -3918,12 +3938,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3933,7 +3953,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -3942,29 +3962,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr "käyttäjänimi"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3972,104 +3992,102 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 msgid "dns_resolver_server_timeout (integer)"
 msgstr "dns_resolver_server_timeout (integeri)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 msgid "dns_resolver_op_timeout (integer)"
 msgstr "dns_resolver_op_timeout (integeri)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4078,64 +4096,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr "epätosi"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4143,38 +4161,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4182,51 +4193,124 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
-msgstr "ignore_group_members"
+#: sssd.conf.5.xml:3695
+#, fuzzy
+#| msgid "ldap_purge_cache_timeout"
+msgid "ldap_search_timeout"
+msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3698
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "ldap_network_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+#, fuzzy
+#| msgid "ldap_purge_cache_timeout"
+msgid "ldap_opt_timeout"
+msgstr "ldap_purge_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "ldap_offline_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3707
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "ldap_enumeration_refresh_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+msgid "ldap_enumeration_refresh_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+#, fuzzy
+#| msgid "ldap_purge_cache_timeout"
+msgid "ldap_purge_cache_offset"
+msgstr "ldap_purge_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+msgid "ldap_krb5_ticket_lifetime"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "ldap_enumeration_search_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "ldap_connection_expire_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "ldap_connection_expire_offset"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 #, fuzzy
 #| msgid "client_idle_timeout"
 msgid "ldap_connection_idle_timeout"
 msgstr "client_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr "ldap_user_principal"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
-msgstr ""
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
+msgstr "ignore_group_members"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4236,27 +4320,27 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4266,34 +4350,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4302,19 +4386,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4322,24 +4406,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr "tosi"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4348,24 +4432,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr "epätosi"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4375,14 +4459,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4390,21 +4474,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4412,7 +4496,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4421,7 +4505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4430,7 +4514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4438,29 +4522,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4468,12 +4552,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4481,12 +4565,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4495,12 +4579,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4508,19 +4592,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -4537,7 +4621,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -4545,17 +4629,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -4564,7 +4648,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -4574,7 +4658,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4594,12 +4678,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -4610,69 +4694,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -4685,7 +4769,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -4693,7 +4777,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -4702,55 +4786,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -4759,17 +4843,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -4777,26 +4861,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -4805,17 +4889,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -4825,7 +4909,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -4834,59 +4918,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -4895,7 +4979,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -4904,7 +4988,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -4913,7 +4997,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -4921,12 +5005,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4956,7 +5040,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -4965,7 +5049,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -4973,7 +5057,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -4984,7 +5068,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -4998,7 +5082,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5061,7 +5145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5162,7 +5246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr "Esimerkki:"
@@ -5378,12 +5462,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5391,7 +5475,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5400,12 +5484,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5413,7 +5497,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5423,7 +5507,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5433,34 +5517,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -5468,32 +5552,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5501,7 +5585,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5509,12 +5593,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5522,12 +5606,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5538,12 +5622,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5552,12 +5636,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5566,7 +5650,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -5577,38 +5661,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 #, fuzzy
 #| msgid "ad_gpo_cache_timeout (integer)"
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr "ad_gpo_cache_timeout (integeri)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -5616,29 +5700,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5646,14 +5730,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5661,17 +5745,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5681,12 +5765,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5694,17 +5778,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -5712,12 +5796,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5725,7 +5809,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -5736,7 +5820,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5745,7 +5829,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5753,12 +5837,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -5766,7 +5850,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -5774,26 +5858,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5801,7 +5885,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5809,7 +5893,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5817,41 +5901,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5860,32 +5944,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5893,24 +5977,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5918,17 +6002,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5939,24 +6023,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -5967,12 +6051,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -5985,7 +6069,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -5997,17 +6081,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -6015,49 +6099,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr "Oletus: epätosi;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6065,28 +6149,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6098,7 +6182,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6106,7 +6190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6114,39 +6198,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6156,7 +6240,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6164,26 +6248,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6192,7 +6276,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6200,31 +6284,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6237,51 +6321,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -6290,12 +6374,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6311,12 +6395,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr "Esimerkki:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6325,14 +6409,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6341,24 +6425,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6366,19 +6450,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6387,7 +6471,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6395,7 +6479,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6404,7 +6488,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6412,22 +6496,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6437,14 +6521,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6457,12 +6541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6472,7 +6556,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6482,63 +6566,63 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6547,74 +6631,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6625,7 +6709,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6633,48 +6717,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 msgid "ldap_library_debug_level (integer)"
 msgstr "ldap_library_debug_level (integeri)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr ""
 
@@ -6691,12 +6775,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6704,43 +6788,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -6748,14 +6832,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -6765,19 +6849,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 msgid "ldap_sudo_random_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -6785,7 +6869,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -6793,106 +6877,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6901,59 +6985,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -6962,22 +7046,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -6986,14 +7070,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7001,7 +7085,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7014,27 +7098,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7050,13 +7134,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8062,7 +8146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -9089,7 +9173,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr ""
 
@@ -9104,7 +9188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -9119,12 +9203,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -9145,12 +9229,12 @@ msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -9174,17 +9258,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -9192,17 +9276,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 msgid "dyndns_auth_ptr (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -9210,7 +9294,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -9220,7 +9304,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
@@ -9237,7 +9321,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
@@ -9250,12 +9334,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -9274,60 +9358,60 @@ msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -9458,26 +9542,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -9496,7 +9580,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr ""
 
@@ -10047,39 +10131,59 @@ msgid ""
 "LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -10087,7 +10191,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -10095,7 +10199,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -10103,19 +10207,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -10123,26 +10227,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -10151,7 +10255,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -10159,12 +10263,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -10175,12 +10279,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -10189,7 +10293,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -10198,7 +10302,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -10207,14 +10311,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -10227,7 +10331,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -10236,7 +10340,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -10254,24 +10358,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -10280,7 +10384,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -10289,12 +10393,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -10304,7 +10408,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -10313,7 +10417,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -10322,7 +10426,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -10332,21 +10436,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -10356,7 +10460,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -10371,23 +10475,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -10395,22 +10499,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -10421,7 +10525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -10429,74 +10533,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr "puuttuu"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 msgid "all users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr "nykyinen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 msgid "only users in allow-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 msgid "no users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -10506,12 +10610,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr "ad_gpo_cache_timeout (integeri)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -10519,12 +10623,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -10540,14 +10644,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -10555,7 +10659,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10567,42 +10671,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr "yhtenäisyys"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -10618,7 +10722,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -10626,7 +10730,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -10634,7 +10738,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10646,22 +10750,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr "cockpit"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -10677,7 +10781,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -10685,7 +10789,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -10693,7 +10797,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10705,22 +10809,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -10735,14 +10839,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -10750,7 +10854,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10762,23 +10866,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -10794,14 +10898,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -10809,7 +10913,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -10820,19 +10924,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -10840,7 +10944,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10852,29 +10956,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -10882,12 +10986,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -10900,57 +11004,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr "verkko"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr "palvelu"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -10958,17 +11062,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -10978,17 +11082,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -10997,12 +11101,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -11013,12 +11117,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -11029,7 +11133,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -11044,7 +11148,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -11056,7 +11160,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -11067,19 +11171,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -11089,7 +11193,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -11097,7 +11201,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -11112,7 +11216,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -11121,7 +11225,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -11129,7 +11233,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -11139,7 +11243,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -16799,32 +16903,45 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+#, fuzzy
+#| msgid "Authentication failure."
+msgid "Authentication Authority"
+msgstr "Tunnistautumisvirhe."
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -17495,96 +17612,111 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+msgid "Default: false (IPA and AD provider: true)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -17592,12 +17724,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/fr.po b/src/man/po/fr.po
index 884c6cd7efb..543cd4e7724 100644
--- a/src/man/po/fr.po
+++ b/src/man/po/fr.po
@@ -17,7 +17,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2020-07-22 07:49-0400\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: French (http://www.transifex.com/projects/p/sssd/language/"
@@ -236,10 +236,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr "Par défaut : true"
 
@@ -260,12 +260,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr "Par défaut : false"
 
@@ -299,8 +299,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -330,7 +330,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr "Par défaut : 10"
 
@@ -416,8 +416,8 @@ msgstr ""
 "d'abandonner"
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "Par défaut : 3"
 
@@ -438,7 +438,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr "re_expression (chaîne)"
 
@@ -460,12 +460,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr "full_name_format (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -477,33 +477,33 @@ msgstr ""
 "domaine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr "nom d'utilisateur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 "nom de domaine tel qu'indiqué dans le fichier de configuration de SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
@@ -513,7 +513,7 @@ msgstr ""
 "d'approbation IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -673,11 +673,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr "Par défaut : non défini"
 
@@ -957,8 +957,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr "Par défaut : non défini"
 
@@ -1124,7 +1124,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr "Par défaut : 60"
 
@@ -1236,7 +1236,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr "Par défaut : 300"
 
@@ -1672,7 +1672,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr "Par défaut : 8"
 
@@ -1700,8 +1700,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr "Par défaut : 6"
@@ -2046,7 +2046,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr "Afficher une alerte N jours avant l'expiration du mot de passe."
 
@@ -2062,7 +2062,7 @@ msgstr ""
 "ne peut afficher de message d'alerte."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -2081,7 +2081,7 @@ msgstr ""
 "<emphasis>pwd_expiration_warning</emphasis> pour un domaine particulier."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Par défaut : 0"
 
@@ -2149,8 +2149,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr "Par défaut : aucun"
 
@@ -2215,9 +2215,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr "Par défaut : False"
 
@@ -2232,7 +2232,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2335,48 +2335,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2494,7 +2494,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 #, fuzzy
 #| msgid "ad_gpo_map_service (string)"
 msgid "pam_gssapi_services"
@@ -2538,7 +2538,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Exemple : <placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -2548,7 +2548,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2568,7 +2568,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr "Par défaut : True"
@@ -2963,25 +2963,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr "ldap_schema (chaîne)"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2989,73 +3000,77 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder "
+#| "type=\"variablelist\" id=\"0\"/>"
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
+"Les expansions suivantes sont prises en charge : <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -3065,66 +3080,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -3132,17 +3147,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -3150,7 +3165,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -3159,64 +3174,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 #, fuzzy
 #| msgid "simple_deny_users (string)"
 msgid "exclude_users (string)"
 msgstr "simple_deny_users (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 #, fuzzy
 #| msgid "Default: empty, i.e. ldap_uri is used."
 msgid "Default: Empty. No users excluded."
 msgstr "Par défaut : vide, ldap_uri est donc utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 #, fuzzy
 #| msgid "simple_deny_groups (string)"
 msgid "exclude_groups (string)"
 msgstr "simple_deny_groups (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 #, fuzzy
 #| msgid "Default: empty, i.e. ldap_uri is used."
 msgid "Default: Empty. No groups excluded."
 msgstr "Par défaut : vide, ldap_uri est donc utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr "SECTIONS DOMAINES"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -3226,12 +3241,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -3240,14 +3255,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -3256,31 +3271,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -3289,7 +3304,7 @@ msgstr ""
 "dehors de ces limites, elle est ignorée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3302,7 +3317,7 @@ msgstr ""
 "qui sont dans la plage seront rapportés comme prévu."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
@@ -3311,17 +3326,17 @@ msgstr ""
 "pas seulement leur recherche par nom ou identifiant."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Default: 1 for min_id, 0 (no limit) for max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr "enumerate (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3330,29 +3345,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = utilisateurs et groupes sont énumérés"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = aucune énumération pour ce domaine"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr "Par défaut : FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3366,7 +3381,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -3376,7 +3391,7 @@ msgstr ""
 "l'énumération ne se termine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3390,7 +3405,7 @@ msgstr ""
 "fournisseur d'identité spécifique utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -3399,32 +3414,32 @@ msgstr ""
 "déconseillée, surtout dans les environnements de grande taille."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr "Tous les domaines approuvés découverts seront énumérés"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr "Aucun domaine approuvé découvert ne sera énuméré"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3438,12 +3453,12 @@ msgstr ""
 "activer l'énumération pour ces seuls domaines."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -3452,7 +3467,7 @@ msgstr ""
 "comme valides avant de les redemander au moteur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3470,17 +3485,17 @@ msgstr ""
 "rafraîchissement des entrées qui sont déjà en cache."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr "Par défaut : 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -3489,19 +3504,19 @@ msgstr ""
 "d'utilisateurs comme valides avant de les redemander au moteur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr "Par défaut : entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -3510,12 +3525,12 @@ msgstr ""
 "groupes comme valides avant de les redemander au moteur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -3524,12 +3539,12 @@ msgstr ""
 "netgroup comme valides avant de les redemander au moteur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -3538,24 +3553,24 @@ msgstr ""
 "service valides avant de les redemander au moteur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -3564,12 +3579,12 @@ msgstr ""
 "valides avant de les redemander au moteur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -3578,12 +3593,12 @@ msgstr ""
 "cartes d'automontage comme valides avant de les redemander au moteur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr "entry_cache_ssh_host_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
@@ -3592,24 +3607,24 @@ msgstr ""
 "rafraichissement. I.e. combien de temps mettre la clé en cache."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
@@ -3619,7 +3634,7 @@ msgstr ""
 "enregistrements expirés ou sur le point de l'être."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3628,18 +3643,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 "Il est envisageable de configurer cette valeur à 3/4 * entry_cache_timeout."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3651,37 +3666,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr "Par défaut : 0 (désactivé)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "Détermine si les données d'identification de l'utilisateur sont aussi mis en "
 "cache dans le cache LDB local"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "Les informations d'identification utilisateur sont stockées dans une table "
 "de hachage SHA512, et non en texte brut"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3689,19 +3704,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3714,17 +3729,17 @@ msgstr ""
 "paramètre doit être supérieur ou égal à offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr "Par défaut : 0 (illimité)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3737,17 +3752,17 @@ msgstr ""
 "fournisseur oauth doit être configuré pour le moteur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Par défaut : 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr "id_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -3755,12 +3770,12 @@ msgstr ""
 "d'identification pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3768,7 +3783,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3780,8 +3795,8 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3794,8 +3809,8 @@ msgstr ""
 "configuration de FreeIPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3807,12 +3822,12 @@ msgstr ""
 "d'Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -3822,7 +3837,7 @@ msgstr ""
 "communiqué à NSS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3836,7 +3851,7 @@ msgstr ""
 "trouve."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3848,24 +3863,24 @@ msgstr ""
 "qualifié sera demandé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr "Ne pas envoyer les membres des groupes sur les recherches de groupes."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3877,20 +3892,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr "auth_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -3899,7 +3925,7 @@ msgstr ""
 "pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3911,7 +3937,7 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3922,7 +3948,7 @@ msgstr ""
 "citerefentry> pour plus d'informations sur la configuration de Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
@@ -3930,12 +3956,12 @@ msgstr ""
 "PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> désactive l'authentification explicitement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -3944,12 +3970,12 @@ msgstr ""
 "gérer les requêtes d'authentification."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr "access_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3960,7 +3986,7 @@ msgstr ""
 "installés). Les fournisseurs internes spécifiques sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -3969,12 +3995,12 @@ msgstr ""
 "d'accès autorisé pour un domaine local."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> toujours refuser les accès."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3987,7 +4013,7 @@ msgstr ""
 "d'informations sur la configuration du module d'accès simple."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3995,22 +4021,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr "Par défaut : <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -4019,7 +4045,7 @@ msgstr ""
 "domaine. Les fournisseurs pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -4027,7 +4053,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4039,7 +4065,7 @@ msgstr ""
 "Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
@@ -4047,14 +4073,14 @@ msgstr ""
 "autre cible PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 "<quote>none</quote> pour désactiver explicitement le changement de mot de "
 "passe."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -4063,19 +4089,19 @@ msgstr ""
 "peut gérer les changements de mot de passe."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "Le fournisseur SUDO, utilisé pour le domaine.  Les fournisseurs SUDO pris en "
 "charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4087,7 +4113,7 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
@@ -4096,7 +4122,7 @@ msgstr ""
 "par défaut pour IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
@@ -4105,20 +4131,20 @@ msgstr ""
 "par défaut pour AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote> désactive explicitement SUDO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "Par défaut : La valeur de <quote>id_provider</quote> est utilisée si elle "
 "est définie."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -4129,7 +4155,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -4138,12 +4164,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -4154,7 +4180,7 @@ msgstr ""
 "fournisseur d'accès.  Les fournisseurs selinux pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4166,14 +4192,14 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 "<quote>none</quote> n'autorise pas la récupération explicite des paramètres "
 "selinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -4182,12 +4208,12 @@ msgstr ""
 "gérer le chargement selinux"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -4197,7 +4223,7 @@ msgstr ""
 "fournisseurs de sous-domaine pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4209,7 +4235,7 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -4218,18 +4244,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 "<quote>none</quote> désactive la récupération explicite des sous-domaines."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -4237,37 +4263,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -4275,7 +4301,7 @@ msgstr ""
 "en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4287,7 +4313,7 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4299,7 +4325,7 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4307,17 +4333,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> désactive explicitement autofs."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -4326,7 +4352,7 @@ msgstr ""
 "systèmes.  Les fournisseurs de hostid pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4338,31 +4364,31 @@ msgstr ""
 "configuration de IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> désactive explicitement hostid."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -4370,7 +4396,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -4379,12 +4405,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -4400,7 +4426,7 @@ msgstr ""
 "domaine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 #, fuzzy
 #| msgid ""
 #| "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
@@ -4419,22 +4445,22 @@ msgstr ""
 "styles différents pour les noms d'utilisateurs :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr "username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr "username@domain.name"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr "domain\\username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -4444,7 +4470,7 @@ msgstr ""
 "utilisateurs de domaines Windows."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -4455,17 +4481,17 @@ msgstr ""
 "importe le domaine après »"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Par défaut : <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -4474,97 +4500,95 @@ msgstr ""
 "utiliser pour effectuer les requêtes DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr "Valeurs prises en charge :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first : essayer de chercher une adresse IPv4, et en cas d'échec, "
 "essayer IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 "ipv4_only : ne tenter de résoudre les noms de systèmes qu'en adresses IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first : essayer de chercher une adresse IPv6, et en cas d'échec, tenter "
 "IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 "ipv6_only : ne tenter de résoudre les noms de systèmes qu'en adresses IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr "Par défaut : ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 #, fuzzy
 #| msgid "dns_resolver_timeout (integer)"
 msgid "dns_resolver_server_timeout (integer)"
 msgstr "dns_resolver_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr "Par défaut : 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 #, fuzzy
 #| msgid "dns_resolver_timeout (integer)"
 msgid "dns_resolver_op_timeout (integer)"
 msgstr "dns_resolver_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4573,12 +4597,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -4587,54 +4611,54 @@ msgstr ""
 "du domaine faisant partie de la requête DNS de découverte de services."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 "Par défaut : utiliser la partie du domaine qui est dans le nom de système de "
 "la machine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr "override_gid (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr "Redéfinit le GID primaire avec la valeur spécifiée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr "case_sensitive (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr "True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr "False"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr "Insensible à la casse."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr "Preserving"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4646,14 +4670,14 @@ msgstr ""
 "sortie."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 #, fuzzy
 #| msgid ""
 #| "The following expansions are supported: <placeholder "
@@ -4666,24 +4690,17 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr "Par défaut : true (false pour le fournisseur AD)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr "subdomain_inherit (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4691,53 +4708,130 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
-msgstr "ignore_group_members"
+#: sssd.conf.5.xml:3695
+#, fuzzy
+#| msgid "ldap_search_timeout (integer)"
+msgid "ldap_search_timeout"
+msgstr "ldap_search_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+#, fuzzy
+#| msgid "ldap_network_timeout (integer)"
+msgid "ldap_network_timeout"
+msgstr "ldap_network_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+#, fuzzy
+#| msgid "ldap_opt_timeout (integer)"
+msgid "ldap_opt_timeout"
+msgstr "ldap_opt_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3704
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_offline_timeout"
+msgstr "ldap_connection_expire_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3707
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_timeout"
+msgstr "ldap_enumeration_refresh_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_offset"
+msgstr "ldap_enumeration_refresh_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+#, fuzzy
+#| msgid "ldap_purge_cache_timeout"
+msgid "ldap_purge_cache_offset"
+msgstr "ldap_purge_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+#, fuzzy
+#| msgid "ldap_krb5_ticket_lifetime (integer)"
+msgid "ldap_krb5_ticket_lifetime"
+msgstr "ldap_krb5_ticket_lifetime (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+#, fuzzy
+#| msgid "ldap_enumeration_search_timeout (integer)"
+msgid "ldap_enumeration_search_timeout"
+msgstr "ldap_enumeration_search_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_connection_expire_timeout"
+msgstr "ldap_connection_expire_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_connection_expire_offset"
+msgstr "ldap_connection_expire_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 #, fuzzy
 #| msgid "ldap_connection_expire_timeout (integer)"
 msgid "ldap_connection_idle_timeout"
 msgstr "ldap_connection_expire_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr "ldap_user_principal"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
-msgstr ""
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
+msgstr "ignore_group_members"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 #, fuzzy
 #| msgid "Case insensitive."
 msgid "case_sensitive"
 msgstr "Insensible à la casse."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4747,27 +4841,27 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "nom plat (NetBIOS) d'un sous-domaine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4783,7 +4877,7 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
@@ -4791,17 +4885,17 @@ msgstr ""
 "emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Par défaut : <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
@@ -4809,12 +4903,12 @@ msgstr ""
 "ce domaine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4823,19 +4917,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4843,24 +4937,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4869,24 +4963,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4896,14 +4990,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4911,21 +5005,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4933,7 +5027,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4942,7 +5036,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4951,7 +5045,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4963,17 +5057,17 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr "Le proxy cible duquel PAM devient mandataire."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -4982,12 +5076,12 @@ msgstr ""
 "ou en créer une nouvelle et ajouter le nom de service ici."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4998,12 +5092,12 @@ msgstr ""
 "_nss_$(libName)_$(function), par exemple _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -5011,12 +5105,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -5030,12 +5124,12 @@ msgstr ""
 "afin d'améliorer les performances."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -5043,7 +5137,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -5052,12 +5146,12 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -5074,7 +5168,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -5082,17 +5176,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -5101,7 +5195,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -5111,7 +5205,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -5131,12 +5225,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -5147,69 +5241,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -5222,7 +5316,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -5230,7 +5324,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -5239,55 +5333,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -5296,17 +5390,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -5314,26 +5408,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -5342,17 +5436,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -5362,7 +5456,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -5371,59 +5465,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -5432,7 +5526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -5441,7 +5535,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -5450,7 +5544,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -5458,12 +5552,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -5517,7 +5611,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -5526,7 +5620,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -5534,7 +5628,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -5545,7 +5639,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -5559,7 +5653,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5636,7 +5730,7 @@ msgstr ""
 "en tant que fournisseur d'accès."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5758,7 +5852,7 @@ msgstr ""
 "http://www.ietf.org/rfc/rfc2254.txt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr "Exemples :"
@@ -6007,12 +6101,12 @@ msgstr ""
 "d'actualiser son cache d\"énumération d'enregistrements."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -6023,7 +6117,7 @@ msgstr ""
 "jamais connectés) et de suppression pour économiser de l'espace."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -6032,12 +6126,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -6049,7 +6143,7 @@ msgstr ""
 "schéma RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -6059,7 +6153,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -6069,12 +6163,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr "Par défaut : 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
@@ -6084,24 +6178,24 @@ msgstr ""
 "2008 et versions ultérieures."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 "Facultatif. Utiliser la chaîne donnée comme base de recherche pour héberger "
 "des objets."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -6111,32 +6205,32 @@ msgstr ""
 "configuration des bases de recherche multiples."
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "Par défaut : la valeur de <emphasis>ldap_search_base</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -6147,7 +6241,7 @@ msgstr ""
 "activation du mode hors ligne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -6158,12 +6252,12 @@ msgstr ""
 "différents types de recherches."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -6174,12 +6268,12 @@ msgstr ""
 "résultats mis en cache (et activation du mode hors ligne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -6196,12 +6290,12 @@ msgstr ""
 "citerefentry> rendent la main en cas d'inactivité."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -6210,12 +6304,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -6228,7 +6322,7 @@ msgstr ""
 "courte des deux valeurs entre celle-ci et la durée de vie TGT sera utilisée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -6239,38 +6333,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr "Par défaut : 900 (15 minutes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 #, fuzzy
 #| msgid "ldap_connection_expire_timeout (integer)"
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 #, fuzzy
 #| msgid ""
 #| "Specifies a timeout (in seconds) that a connection to an LDAP server will "
@@ -6288,17 +6382,17 @@ msgstr ""
 "courte des deux valeurs entre celle-ci et la durée de vie TGT sera utilisée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
@@ -6307,12 +6401,12 @@ msgstr ""
 "Certains serveurs LDAP imposent une limite maximale par requête."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -6324,7 +6418,7 @@ msgstr ""
 "correctement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
@@ -6334,7 +6428,7 @@ msgstr ""
 "sera impossible de l'utiliser."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -6345,17 +6439,17 @@ msgstr ""
 "cela peut entraîner l'échec de certaines demandes."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr "ldap_disable_range_retrieval (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr "Désactiver la récupération de plage Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -6371,12 +6465,12 @@ msgstr ""
 "apparaissant ainsi sans aucun membre."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -6387,19 +6481,19 @@ msgstr ""
 "de cette option sont définies par OpenLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 "Par défaut : Utiliser la valeur par défaut du système (généralement spécifié "
 "par ldap.conf)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -6407,12 +6501,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -6423,7 +6517,7 @@ msgstr ""
 "membres manquants est inférieur, ils sont recherchés individuellement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -6434,7 +6528,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -6447,7 +6541,7 @@ msgstr ""
 "acceptés sont 389/RHDS, OpenLDAP et Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -6458,12 +6552,12 @@ msgstr ""
 "déréférencement est désactivée indépendamment de ce paramètre."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -6471,7 +6565,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -6479,12 +6573,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -6493,7 +6587,7 @@ msgstr ""
 "session TLS, si elle existe. Une des valeurs suivantes est utilisable :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -6502,7 +6596,7 @@ msgstr ""
 "quelconque certificat du serveur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -6513,7 +6607,7 @@ msgstr ""
 "certificat est fourni, il est ignoré et la session continue normalement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -6524,7 +6618,7 @@ msgstr ""
 "certificat est fourni, la session se termine immédiatement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -6535,22 +6629,22 @@ msgstr ""
 "immédiatement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> : identique à <quote>demand</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr "Par défaut : hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -6559,7 +6653,7 @@ msgstr ""
 "certification que <command>sssd</command> reconnaîtra."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -6568,12 +6662,12 @@ msgstr ""
 "<filename>/etc/openldap/ldap.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -6587,32 +6681,32 @@ msgstr ""
 "corrects."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr "Définit le fichier qui contient le certificat pour la clef du client."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr "Définit le fichier qui contient la clef du client."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -6620,12 +6714,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
@@ -6635,12 +6729,12 @@ msgstr ""
 "canal."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -6652,19 +6746,19 @@ msgstr ""
 "ldap_group_gid_number."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 "Cette fonctionnalité ne prend actuellement en charge que la correspondance "
 "par objectSID avec Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -6684,24 +6778,24 @@ msgstr ""
 "identifiants."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr "Par défaut : non indiqué (les deux options sont à 0)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -6712,12 +6806,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -6730,7 +6824,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -6742,17 +6836,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr "Par défaut : host/hostname@REALM"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -6763,17 +6857,17 @@ msgstr ""
 "domaine, cette option est ignorée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr "Par défaut : la valeur de krb5_realm."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
@@ -6782,34 +6876,34 @@ msgstr ""
 "le nom de l'hôte au cours d'une liaison SASL."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr "Défaut : false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "Par défaut : le fichier keytab du système, normalement <filename>/etc/krb5."
 "keytab</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6817,28 +6911,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr "Par défaut : 86400 (24 heures)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6858,7 +6952,7 @@ msgstr ""
 "<quote>DÉCOUVERTE DE  SERVICES</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6869,7 +6963,7 @@ msgstr ""
 "comme protocole, et passe sur _tcp si aucune entrée n'est trouvée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6881,29 +6975,29 @@ msgstr ""
 "l'utilisation de <quote>krb5_server</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 "Par défaut : valeur par défaut du système, voir <filename>/etc/krb5.conf</"
 "filename>"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
@@ -6913,12 +7007,12 @@ msgstr ""
 "Kerberos > = 1.7"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr "krb5_use_kdcinfo (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6933,7 +7027,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6945,12 +7039,12 @@ msgstr ""
 "localisation."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -6959,7 +7053,7 @@ msgstr ""
 "valeurs suivantes sont acceptées :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -6968,7 +7062,7 @@ msgstr ""
 "peut pas désactiver la politique sur les mots de passe du côté serveur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 #, fuzzy
 #| msgid ""
 #| "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
@@ -6985,7 +7079,7 @@ msgstr ""
 "manvolnum></citerefentry> pour évaluer si le mot de passe a expiré."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6997,7 +7091,7 @@ msgstr ""
 "est changé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
@@ -7006,17 +7100,17 @@ msgstr ""
 "côté serveur, elle prend le pas sur la politique indiquée avec cette option."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr "Définit si le déréférencement automatique doit être activé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -7025,7 +7119,7 @@ msgstr ""
 "compilé avec OpenLDAP version 2.4.13 ou supérieur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 #, fuzzy
 #| msgid ""
 #| "Chasing referrals may incur a performance penalty in environments that "
@@ -7049,29 +7143,29 @@ msgstr ""
 "permettre d'améliorer de façon notable les performances."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "Définit le nom de service à utiliser quand la découverte de services est "
 "activée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr "Par défaut : ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -7080,19 +7174,19 @@ msgstr ""
 "un changement de mot de passe quand la découverte de services est activée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 "Par défaut : non défini, c'est-à-dire que le service de découverte est "
 "désactivé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
@@ -7102,7 +7196,7 @@ msgstr ""
 "de passe."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -7111,12 +7205,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -7132,12 +7226,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr "Exemple :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -7149,7 +7243,7 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
@@ -7158,7 +7252,7 @@ msgstr ""
 "dont l'attribut employeeType est « admin »."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -7167,17 +7261,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr "Par défaut : vide"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -7186,7 +7280,7 @@ msgstr ""
 "être activée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -7198,12 +7292,12 @@ msgstr ""
 "correct."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr "Les valeurs suivantes sont autorisées :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -7212,7 +7306,7 @@ msgstr ""
 "pour déterminer si le compte a expiré."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -7225,7 +7319,7 @@ msgstr ""
 "d'expiration du compte est aussi vérifiée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -7236,7 +7330,7 @@ msgstr ""
 "l'accès est autorisé ou non."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -7249,7 +7343,7 @@ msgstr ""
 "est autorisé. Si les deux attributs sont manquants, l'accès est autorisé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -7260,24 +7354,24 @@ msgstr ""
 "ldap_account_expire_policy de fonctionner."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "Liste séparées par des virgules des options de contrôles d'accès. Les "
 "valeurs autorisées sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filter</emphasis> : utiliser ldap_access_filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -7287,14 +7381,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -7307,12 +7401,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr "<emphasis>expire</emphasis>: utiliser ldap_account_expire_policy"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -7322,7 +7416,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -7332,20 +7426,20 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -7354,32 +7448,32 @@ msgstr ""
 "authorizedService pour déterminer l'accès"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 "<emphasis>host</emphasis> : utilise l'attribut host pour déterminer l'accès"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr "Par défaut : filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
@@ -7388,12 +7482,12 @@ msgstr ""
 "de configuration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr "ldap_pwdlockout_dn (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -7402,22 +7496,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr "Exemple : cn=ppolicy,ou=policies,dc=example,dc=com"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (chaînes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -7426,12 +7520,12 @@ msgstr ""
 "recherche. Les options suivantes sont autorisées :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr "<emphasis>never</emphasis> : les alias ne sont jamais déréférencés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -7441,7 +7535,7 @@ msgstr ""
 "recherche."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -7450,7 +7544,7 @@ msgstr ""
 "la localisation de l'objet de base de la recherche."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -7459,7 +7553,7 @@ msgstr ""
 "recherche et et la localisation de l'objet de base de la recherche."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -7468,12 +7562,12 @@ msgstr ""
 "bibliothèques clientes LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
@@ -7482,7 +7576,7 @@ msgstr ""
 "LDAP pour les serveurs qui utilisent le schéma RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -7500,7 +7594,7 @@ msgstr ""
 "initgoups()."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -7511,50 +7605,50 @@ msgstr ""
 "ajoutent les utilisateurs locaux aux groupes LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 #, fuzzy
 #| msgid "debug_level (integer)"
 msgid "ldap_library_debug_level (integer)"
 msgstr "debug_level (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 #, fuzzy
 #| msgid "Default: 0 (disabled)"
 msgid "Default: 0 (libldap debugging disabled)"
@@ -7573,12 +7667,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr "OPTIONS DE SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -7586,12 +7680,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
@@ -7601,7 +7695,7 @@ msgstr ""
 "règles qui sont stockées sur le serveur)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
@@ -7610,24 +7704,24 @@ msgstr ""
 "emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr "Par défaut : 21600 (6 heures)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -7635,7 +7729,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
@@ -7644,7 +7738,7 @@ msgstr ""
 "modifyTimestamp est utilisé à la place."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -7654,21 +7748,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 #, fuzzy
 #| msgid "ldap_idmap_range_size (integer)"
 msgid "ldap_sudo_random_offset (integer)"
 msgstr "ldap_idmap_range_size (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -7676,7 +7770,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -7684,17 +7778,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
@@ -7704,12 +7798,12 @@ msgstr ""
 "noms de systèmes)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
@@ -7718,7 +7812,7 @@ msgstr ""
 "doivent être utilisés pour filtrer les règles."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
@@ -7727,8 +7821,8 @@ msgstr ""
 "nom de système et le nom de domaine pleinement qualifié."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
@@ -7737,17 +7831,17 @@ msgstr ""
 "emphasis>, alors cette option n'a aucun effet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr "Par défaut : non spécifié"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
@@ -7756,7 +7850,7 @@ msgstr ""
 "IPv6 qui doivent être utilisés pour filtrer les règles."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
@@ -7765,12 +7859,12 @@ msgstr ""
 "automatiquement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "ldap_sudo_include_netgroups (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
@@ -7779,12 +7873,12 @@ msgstr ""
 "netgroup dans l'attribut sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
@@ -7793,14 +7887,14 @@ msgstr ""
 "un joker dans l'attribut sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -7813,59 +7907,59 @@ msgstr ""
 "manvolnum></citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr "OPTIONS AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr "ldap_autofs_map_master_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr "Le nom de la table de montage automatique maîtresse dans LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr "Par défaut : auto.master"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr "OPTIONS AVANCÉES"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (chaînes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (chaînes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (chaînes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr "<note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -7874,22 +7968,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr "</note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -7898,14 +7992,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr "EXEMPLE"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7916,7 +8010,7 @@ msgstr ""
 "replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7936,27 +8030,27 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7982,13 +8076,13 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "NOTES"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -9085,7 +9179,7 @@ msgstr ""
 "pas pris en compte."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -10148,7 +10242,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr "dyndns_update (booléen)"
 
@@ -10163,7 +10257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -10185,12 +10279,12 @@ msgstr ""
 "configuration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr "dyndns_ttl (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -10217,12 +10311,12 @@ msgid "Default: 1200 (seconds)"
 msgstr "Par défaut : 1200 (secondes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr "dyndns_iface (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -10250,17 +10344,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -10268,19 +10362,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 #, fuzzy
 #| msgid "dyndns_iface (string)"
 msgid "dyndns_auth_ptr (string)"
 msgstr "dyndns_iface (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -10288,7 +10382,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -10298,7 +10392,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr "ipa_enable_dns_sites (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr "Active les sites DNS - découverte de service basée sur l'emplacement"
 
@@ -10323,7 +10417,7 @@ msgstr ""
 "seront utilisés comme serveurs de repli"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr "dyndns_refresh_interval (entier)"
 
@@ -10340,12 +10434,12 @@ msgstr ""
 "configurée à true."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr "dyndns_update_ptr (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -10370,12 +10464,12 @@ msgid "Default: False (disabled)"
 msgstr "Par défaut : False (désactivé)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr "dyndns_force_tcp (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
@@ -10384,48 +10478,48 @@ msgstr ""
 "communication avec le serveur DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr "Par défaut : False (laisser nsupdate choisir le protocole)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -10577,26 +10671,26 @@ msgstr ""
 "convertit en DN de base pour effectuer les opérations LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr "krb5_confd_path (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -10615,7 +10709,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr "Par défaut : 5 (secondes)"
 
@@ -11200,13 +11294,33 @@ msgid ""
 "LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr "ad_domain (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
@@ -11215,7 +11329,7 @@ msgstr ""
 "n'est pas fourni, le nom de domaine de la configuration est utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
@@ -11224,7 +11338,7 @@ msgstr ""
 "domaine Active Directory, spécifié en minuscules."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
@@ -11233,12 +11347,12 @@ msgstr ""
 "autodétecté par SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -11246,7 +11360,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -11254,7 +11368,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -11262,19 +11376,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -11282,26 +11396,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -11310,7 +11424,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -11318,12 +11432,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr "ad_enable_dns_sites (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -11341,12 +11455,12 @@ msgstr ""
 "utilisée pendant la découverte de site."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr "ad_access_filter (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -11355,7 +11469,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -11364,7 +11478,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -11373,14 +11487,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -11393,7 +11507,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -11402,7 +11516,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -11420,24 +11534,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr "ad_site (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr "ad_enable_gc (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -11446,7 +11560,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -11455,12 +11569,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr "ad_gpo_access_control (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -11470,7 +11584,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -11479,7 +11593,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -11488,7 +11602,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -11498,21 +11612,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -11522,7 +11636,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -11537,23 +11651,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr "Il existe trois valeurs prises en charge pour cette option :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -11561,22 +11675,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr "Par défaut : permissive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -11587,7 +11701,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -11595,82 +11709,82 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "all users are allowed"
 msgstr "Les valeurs suivantes sont autorisées :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "only users in allow-rules are allowed"
 msgstr "Les valeurs suivantes sont autorisées :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 #, fuzzy
 #| msgid "ad_gpo_map_deny (string)"
 msgid "ad_gpo_implicit_deny = True"
 msgstr "ad_gpo_map_deny (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "no users are allowed"
 msgstr "Les valeurs suivantes sont autorisées :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -11680,12 +11794,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr "ad_gpo_cache_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -11693,12 +11807,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr "ad_gpo_map_interactive (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -11714,14 +11828,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -11729,7 +11843,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11741,42 +11855,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr "ad_gpo_map_remote_interactive (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -11792,7 +11906,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -11800,7 +11914,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -11808,7 +11922,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11820,22 +11934,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr "ad_gpo_map_network (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -11851,7 +11965,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -11859,7 +11973,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -11867,7 +11981,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11879,22 +11993,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr "ad_gpo_map_batch (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -11909,14 +12023,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -11924,7 +12038,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11936,23 +12050,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr "ad_gpo_map_service (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -11968,14 +12082,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -11983,7 +12097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -11994,19 +12108,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr "ad_gpo_map_permit (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -12014,7 +12128,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -12026,29 +12140,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr "ad_gpo_map_deny (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -12056,12 +12170,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr "ad_gpo_default_right (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -12074,57 +12188,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -12132,17 +12246,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -12152,17 +12266,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -12171,12 +12285,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -12187,14 +12301,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 #, fuzzy
 #| msgid "ldap_sudo_include_netgroups (boolean)"
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr "ldap_sudo_include_netgroups (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -12205,7 +12319,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -12220,7 +12334,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -12232,7 +12346,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -12250,19 +12364,19 @@ msgstr ""
 "<quote>dyndns_iface</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr "Par défaut : 3600 (secondes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -12272,7 +12386,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -12283,7 +12397,7 @@ msgstr ""
 "exemples montrent seulement les options spécifiques au fournisseur AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -12307,7 +12421,7 @@ msgstr ""
 "ad_domain = example.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -12319,7 +12433,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -12330,7 +12444,7 @@ msgstr ""
 "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -12340,7 +12454,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -18593,32 +18707,47 @@ msgstr "Creator Authority"
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
+#, fuzzy
+#| msgid "Creator Authority"
+msgid "Mandatory Label Authority"
+msgstr "Creator Authority"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:295
+#, fuzzy
+#| msgid "Creator Authority"
+msgid "Authentication Authority"
+msgstr "Creator Authority"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
 msgid "NT Authority"
 msgstr "NT Authority"
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
-#: include/ldap_id_mapping.xml:295
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr "Built-in"
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -19363,13 +19492,38 @@ msgstr ""
 "keytab appropriée comme dernière ou comme seule entrée dans le fichier "
 "keytab."
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+#, fuzzy
+#| msgid "Default: false (AD provider: true)"
+msgid "Default: false (IPA and AD provider: true)"
+msgstr "Par défaut : false (AD provider : true)"
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+"Se reporter au paramètre <quote>dns_discovery_domain</quote> dans la page de "
+"manuel <citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> pour plus de détails."
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr "krb5_renewable_lifetime (chaîne)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
@@ -19378,36 +19532,36 @@ msgstr ""
 "entier immédiatement suivi par une unité de temps :"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr "<emphasis>s</emphasis> pour secondes"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr "<emphasis>m</emphasis> pour minutes"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr "<emphasis>h</emphasis> pour heures"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr "<emphasis>d</emphasis> pour jours."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr "Si aucune unité n'est spécifiée, <emphasis>s</emphasis> est utilisé."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
@@ -19417,18 +19571,18 @@ msgstr ""
 "de « 1h30m »."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 "Par défaut : non défini, c'est-à-dire que le TGT n'est pas renouvelable"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr "krb5_lifetime (chaîne)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
@@ -19437,12 +19591,12 @@ msgstr ""
 "suivi par une unité de temps :"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr "Si aucune unité n'est spécifiée, <emphasis>s</emphasis> est utilisé."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
@@ -19451,7 +19605,7 @@ msgstr ""
 "de vie de une heure et trente minutes, utiliser « 90m » au lieu de « 1h30m »."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
@@ -19459,12 +19613,12 @@ msgstr ""
 "dans le KDC."
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr "krb5_renew_interval (chaîne)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -19476,14 +19630,14 @@ msgstr ""
 "de temps :"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 "Si cette option n'est pas définie ou définie à 0, le renouvellement "
 "automatique est désactivé."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/ja.po b/src/man/po/ja.po
index 5e6a77267ce..bfd31119ff4 100644
--- a/src/man/po/ja.po
+++ b/src/man/po/ja.po
@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2021-07-20 07:04+0000\n"
 "Last-Translator: Ludek Janda <ljanda@redhat.com>\n"
 "Language-Team: Japanese <https://translate.fedoraproject.org/projects/sssd/"
@@ -220,10 +220,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr "初期値: true"
 
@@ -241,12 +241,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr "初期値: false"
 
@@ -280,8 +280,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -311,7 +311,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr "初期値: 10"
 
@@ -391,8 +391,8 @@ msgstr ""
 "める前に試行する回数です。"
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "初期値: 3"
 
@@ -413,7 +413,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr "re_expression (文字列)"
 
@@ -433,12 +433,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr "full_name_format (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -449,39 +449,39 @@ msgstr ""
 "manvolnum> </citerefentry> 互換形式。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr "ユーザー名"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr "SSSD 設定ファイルにおいて指定されるドメイン名。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -636,11 +636,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr "初期値: 設定されません"
 
@@ -914,8 +914,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr ""
 
@@ -1074,7 +1074,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr "初期値: 60"
 
@@ -1184,7 +1184,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr "初期値: 300"
 
@@ -1596,7 +1596,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr ""
 
@@ -1624,8 +1624,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr "初期値: 6"
@@ -1961,7 +1961,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr "パスワードの期限が切れる前に N 日間警告を表示します。"
 
@@ -1976,7 +1976,7 @@ msgstr ""
 "ことに注意してください。この情報がなければ、sssd は警告を表示します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1990,7 +1990,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "初期値: 0"
 
@@ -2053,8 +2053,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr "初期値: none"
 
@@ -2119,9 +2119,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr "初期値: 偽"
 
@@ -2136,7 +2136,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2239,48 +2239,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2398,7 +2398,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr ""
 
@@ -2439,7 +2439,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -2449,7 +2449,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2469,7 +2469,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr "初期値: True"
@@ -2838,25 +2838,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr "ldap_schema (文字列)"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2864,73 +2875,77 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder "
+#| "type=\"variablelist\" id=\"0\"/>"
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
+"以下の拡張モジュールがサポートされます: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -2940,66 +2955,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -3010,17 +3025,17 @@ msgstr ""
 "の可能性がある場合には、その後になります。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -3031,7 +3046,7 @@ msgstr ""
 "文字の変更などの可能性がある場合には、その後になります。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -3040,64 +3055,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 #, fuzzy
 #| msgid "simple_deny_users (string)"
 msgid "exclude_users (string)"
 msgstr "simple_deny_users (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 #, fuzzy
 #| msgid "Default: empty, i.e. ldap_uri is used."
 msgid "Default: Empty. No users excluded."
 msgstr "初期値: 空、つまり ldap_uri が使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 #, fuzzy
 #| msgid "simple_deny_groups (string)"
 msgid "exclude_groups (string)"
 msgstr "simple_deny_groups (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 #, fuzzy
 #| msgid "Default: empty, i.e. ldap_uri is used."
 msgid "Default: Empty. No groups excluded."
 msgstr "初期値: 空、つまり ldap_uri が使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr "ドメインセクション"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -3107,12 +3122,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -3121,14 +3136,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -3137,31 +3152,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -3170,7 +3185,7 @@ msgstr ""
 "トリーを含む場合、それは無視されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3182,24 +3197,24 @@ msgstr ""
 "バーに対して、範囲内にあるものは予期されたものとして報告されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "初期値: min_id は 1, max_id は 0 (無制限)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr "enumerate (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3208,29 +3223,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = ユーザーとグループが列挙されます"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = このドメインに対して列挙しません"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr "初期値: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3244,7 +3259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -3253,7 +3268,7 @@ msgstr ""
 "れが完了するまで結果を返しません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3266,39 +3281,39 @@ msgstr ""
 "てください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3307,12 +3322,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -3321,7 +3336,7 @@ msgstr ""
 "数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3332,17 +3347,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr "初期値: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -3351,19 +3366,19 @@ msgstr ""
 "考える秒数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr "初期値: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -3372,12 +3387,12 @@ msgstr ""
 "考える秒数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -3386,12 +3401,12 @@ msgstr ""
 "有効であると考える秒数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -3400,48 +3415,48 @@ msgstr ""
 "考える秒数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
@@ -3450,31 +3465,31 @@ msgstr ""
 "秒キャッシュするか。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3483,17 +3498,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3505,36 +3520,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr "初期値: 0 (無効)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "ユーザーのクレディンシャルがローカル LDB キャッシュにキャッシュされるかどうか"
 "を決めます"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "ユーザーのクレディンシャルが、平文ではなく SHA512 ハッシュで保存されます"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3545,19 +3560,19 @@ msgstr ""
 "に保存する必要がある最小の長さを決定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3569,17 +3584,17 @@ msgstr ""
 "offline_credentials_expiration と同等以上でなければいけません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr "初期値: 0 (無制限)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3588,17 +3603,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "初期値: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr "id_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -3606,12 +3621,12 @@ msgstr ""
 "ダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3619,7 +3634,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3630,8 +3645,8 @@ msgstr ""
 "manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3644,8 +3659,8 @@ msgstr ""
 "い。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3656,12 +3671,12 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -3670,7 +3685,7 @@ msgstr ""
 "名形式により整形されたように) を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3683,7 +3698,7 @@ msgstr ""
 "んが、<command>getent passwd test@LOCAL</command> は見つけられます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3691,24 +3706,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3720,20 +3735,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr "auth_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -3742,7 +3768,7 @@ msgstr ""
 "ダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3753,7 +3779,7 @@ msgstr ""
 "manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3764,19 +3790,19 @@ msgstr ""
 "manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 "<quote>proxy</quote> はいくつかの他の PAM ターゲットに認証を中継します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> は明示的に認証を無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -3785,12 +3811,12 @@ msgstr ""
 "ならば、それが使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr "access_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3801,7 +3827,7 @@ msgstr ""
 "えます）。内部の特別プロバイダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -3810,12 +3836,12 @@ msgstr ""
 "ロバイダーのみアクセスが許可されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> は常にアクセスを拒否します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3828,7 +3854,7 @@ msgstr ""
 "citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3836,22 +3862,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr "初期値: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -3860,7 +3886,7 @@ msgstr ""
 "パスワード変更プロバイダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3868,7 +3894,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3879,7 +3905,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
@@ -3887,12 +3913,12 @@ msgstr ""
 "します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "<quote>none</quote> は明示的にパスワードの変更を無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -3901,19 +3927,19 @@ msgstr ""
 "うことができるならば、それが使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "ドメインに使用される SUDO プロバイダーです。サポートされる SUDO プロバイダー"
 "は次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3924,33 +3950,33 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote> は SUDO を明示的に無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "初期値: <quote>id_provider</quote> の値が設定されていると使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3961,7 +3987,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3970,12 +3996,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3983,7 +4009,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3991,31 +4017,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4023,7 +4049,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -4032,17 +4058,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr "<quote>none</quote> はサブドメインの取り出しを明示的に無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -4050,37 +4076,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -4088,7 +4114,7 @@ msgstr ""
 "プロバイダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4099,7 +4125,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4110,7 +4136,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4118,17 +4144,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> は明示的に autofs を無効にします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -4137,7 +4163,7 @@ msgstr ""
 "hostid プロバイダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4148,31 +4174,31 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> は明示的に hostid を無効にします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -4180,7 +4206,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -4189,12 +4215,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -4204,7 +4230,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -4213,29 +4239,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr "username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr "username@domain.name"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr "domain\\username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -4246,17 +4272,17 @@ msgstr ""
 "everything after that\" に解釈されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "初期値: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -4265,95 +4291,93 @@ msgstr ""
 "します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr "サポートする値:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first: IPv4 アドレスの検索を試行します。失敗すると IPv6 を試行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 "ipv4_only: ホスト名を IPv4 アドレスに名前解決することのみを試行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first: IPv6 アドレスの検索を試行します。失敗すると IPv4 を試行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 "ipv6_only: ホスト名を IPv6 アドレスに名前解決することのみを試行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr "初期値: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 #, fuzzy
 #| msgid "dns_resolver_timeout (integer)"
 msgid "dns_resolver_server_timeout (integer)"
 msgstr "dns_resolver_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr "初期値: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 #, fuzzy
 #| msgid "dns_resolver_timeout (integer)"
 msgid "dns_resolver_op_timeout (integer)"
 msgstr "dns_resolver_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4362,12 +4386,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -4376,52 +4400,52 @@ msgstr ""
 "イン部分を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr "初期値: マシンのホスト名のドメイン部分を使用します"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr "override_gid (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr "プライマリー GID の値を指定されたもので上書きします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4429,14 +4453,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 #, fuzzy
 #| msgid ""
 #| "The following expansions are supported: <placeholder "
@@ -4449,24 +4473,17 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4474,51 +4491,128 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
-msgstr ""
+#: sssd.conf.5.xml:3695
+#, fuzzy
+#| msgid "ldap_search_timeout (integer)"
+msgid "ldap_search_timeout"
+msgstr "ldap_search_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+#, fuzzy
+#| msgid "ldap_network_timeout (integer)"
+msgid "ldap_network_timeout"
+msgstr "ldap_network_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+#, fuzzy
+#| msgid "ldap_opt_timeout (integer)"
+msgid "ldap_opt_timeout"
+msgstr "ldap_opt_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3704
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_offline_timeout"
+msgstr "ldap_connection_expire_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3707
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_timeout"
+msgstr "ldap_enumeration_refresh_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_offset"
+msgstr "ldap_enumeration_refresh_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+#, fuzzy
+#| msgid "ldap_purge_cache_timeout (integer)"
+msgid "ldap_purge_cache_offset"
+msgstr "ldap_purge_cache_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+#, fuzzy
+#| msgid "ldap_krb5_ticket_lifetime (integer)"
+msgid "ldap_krb5_ticket_lifetime"
+msgstr "ldap_krb5_ticket_lifetime (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+#, fuzzy
+#| msgid "ldap_enumeration_search_timeout (integer)"
+msgid "ldap_enumeration_search_timeout"
+msgstr "ldap_enumeration_search_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_connection_expire_timeout"
+msgstr "ldap_connection_expire_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_connection_expire_offset"
+msgstr "ldap_connection_expire_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 #, fuzzy
 #| msgid "ldap_connection_expire_timeout (integer)"
 msgid "ldap_connection_idle_timeout"
 msgstr "ldap_connection_expire_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4526,27 +4620,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "サブドメインのフラット (NetBIOS) 名。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4556,35 +4650,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 "値は <emphasis>override_homedir</emphasis> オプションにより上書きできます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "初期値: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr "このドメインのための realmd 設定サービスによって格納された様々なタグ。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4593,19 +4687,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4613,24 +4707,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4639,24 +4733,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4666,14 +4760,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4681,21 +4775,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4703,7 +4797,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4712,7 +4806,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4721,7 +4815,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4732,17 +4826,17 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr "中継するプロキシターゲット PAM です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -4751,12 +4845,12 @@ msgstr ""
 "をここに追加する必要があります。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4767,12 +4861,12 @@ msgstr ""
 "_nss_files_getpwent です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4780,12 +4874,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4794,12 +4888,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4807,7 +4901,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -4816,12 +4910,12 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -4838,7 +4932,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -4846,17 +4940,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -4865,7 +4959,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -4875,7 +4969,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4895,12 +4989,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -4911,69 +5005,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -4986,7 +5080,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -4994,7 +5088,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -5003,55 +5097,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -5060,17 +5154,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -5078,26 +5172,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -5106,17 +5200,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -5126,7 +5220,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -5135,59 +5229,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -5196,7 +5290,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -5205,7 +5299,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -5214,7 +5308,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -5222,12 +5316,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -5281,7 +5375,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -5290,7 +5384,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -5298,7 +5392,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -5309,7 +5403,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -5323,7 +5417,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5398,7 +5492,7 @@ msgstr ""
 "オプションを参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5506,7 +5600,7 @@ msgstr ""
 "な LDAP 検索フィルターである必要があります。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr "例:"
@@ -5730,12 +5824,12 @@ msgstr ""
 "SSSD が列挙レコードのキャッシュを更新する前に待つ必要がある秒数を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5746,7 +5840,7 @@ msgstr ""
 "削除する間隔を決めます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5755,12 +5849,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5771,7 +5865,7 @@ msgstr ""
 "のオプションは RFC2307 スキーマにおいて効果がありません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5781,7 +5875,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5791,36 +5885,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr "初期値: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 "オプションです。ホストオブジェクトの検索ベースとして与えられた文字列を使用し"
 "ます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -5830,32 +5924,32 @@ msgstr ""
 "してください。"
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "初期値: <emphasis>ldap_search_base</emphasis> の値"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5863,7 +5957,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5874,12 +5968,12 @@ msgstr ""
 "かもしれません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5887,12 +5981,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5908,12 +6002,12 @@ msgstr ""
 "citerefentry> が未使用を返した後のタイムアウト（秒単位）を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5922,12 +6016,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5936,7 +6030,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -5947,38 +6041,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr "初期値: 900 (15 分)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 #, fuzzy
 #| msgid "ldap_connection_expire_timeout (integer)"
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -5986,17 +6080,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
@@ -6005,12 +6099,12 @@ msgstr ""
 "バーは 1 要求あたりの最大数の制限を強制します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -6021,7 +6115,7 @@ msgstr ""
 "ことを報告する場合に、このオプションが使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
@@ -6031,7 +6125,7 @@ msgstr ""
 "す。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -6042,17 +6136,17 @@ msgstr ""
 "があります。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr "ldap_disable_range_retrieval (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr "Active Directory の範囲の取得を無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -6062,12 +6156,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -6075,17 +6169,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -6093,12 +6187,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -6106,7 +6200,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -6117,7 +6211,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -6126,7 +6220,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -6134,12 +6228,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -6147,7 +6241,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -6155,12 +6249,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -6169,7 +6263,7 @@ msgstr ""
 "クするものを指定します。以下の値のうち 1 つを指定できます:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -6178,7 +6272,7 @@ msgstr ""
 "確認しません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -6189,7 +6283,7 @@ msgstr ""
 "無視され、セッションが通常通り進められます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -6200,7 +6294,7 @@ msgstr ""
 "ンが直ちに終了します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -6210,22 +6304,22 @@ msgstr ""
 "なければ、もしくは不正な証明書が提供されれば、セッションが直ちに終了します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> = <quote>demand</quote> と同じです"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr "初期値: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -6235,7 +6329,7 @@ msgstr ""
 "書を含むファイルを指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -6244,12 +6338,12 @@ msgstr ""
 "filename> にあります"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -6262,32 +6356,32 @@ msgstr ""
 "ます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr "クライアントのキーに対する証明書を含むファイルを指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr "クライアントのキーを含むファイルを指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -6295,12 +6389,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
@@ -6309,12 +6403,12 @@ msgstr ""
 "用する必要がある id_provider 接続を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -6322,18 +6416,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 "この機能は現在 ActiveDirectory objectSID マッピングのみサポートします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -6344,24 +6438,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -6372,12 +6466,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -6390,7 +6484,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -6402,17 +6496,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr "初期値: host/hostname@REALM"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -6420,17 +6514,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr "初期値: krb5_realm の値"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
@@ -6439,33 +6533,33 @@ msgstr ""
 "するために逆引きを実行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr "初期値: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "初期値: システムのキーテーブル、通常 <filename>/etc/krb5.keytab</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6473,28 +6567,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr "初期値: 86400 (24 時間)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6506,7 +6600,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6517,7 +6611,7 @@ msgstr ""
 "ば _tcp にフォールバックします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6528,27 +6622,27 @@ msgstr ""
 "quote> を使用するよう設定ファイルを移行することが推奨されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr "初期値: システムの初期値、<filename>/etc/krb5.conf</filename> 参照。"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
@@ -6557,12 +6651,12 @@ msgstr ""
 "します。この機能は MIT Kerberos >= 1.7 で利用可能です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr "krb5_use_kdcinfo (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6572,7 +6666,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6583,12 +6677,12 @@ msgstr ""
 "manvolnum> </citerefentry> マニュアルページを参照ください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -6597,7 +6691,7 @@ msgstr ""
 "す。以下の値が許容されます:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -6606,7 +6700,7 @@ msgstr ""
 "ンはサーバー側のパスワードポリシーを無効にできません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 #, fuzzy
 #| msgid ""
 #| "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
@@ -6623,7 +6717,7 @@ msgstr ""
 "manvolnum></citerefentry> 形式の属性を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6634,24 +6728,24 @@ msgstr ""
 "とき、これらの属性を更新するために chpass_provider=krb5 を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr "自動参照追跡が有効化されるかを指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -6660,7 +6754,7 @@ msgstr ""
 "sssd のみが参照追跡をサポートすることに注意してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6673,28 +6767,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "サービス検索が有効にされているときに使用するサービスの名前を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr "初期値: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -6703,24 +6797,24 @@ msgstr ""
 "を検索するために使用するサービスの名前を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr "初期値: 設定されていません、つまりサービス検索が無効にされています"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -6729,12 +6823,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6750,12 +6844,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr "例:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6764,14 +6858,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6780,17 +6874,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr "初期値: 空白"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -6799,7 +6893,7 @@ msgstr ""
 "ます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6810,12 +6904,12 @@ msgstr ""
 "否します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr "以下の値が許可されます:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -6824,7 +6918,7 @@ msgstr ""
 "ldap_user_shadow_expire の値を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6833,7 +6927,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6844,7 +6938,7 @@ msgstr ""
 "ldap_ns_account_lock の値を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6857,7 +6951,7 @@ msgstr ""
 "クセスが許可されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6865,23 +6959,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "アクセス制御オプションのカンマ区切り一覧です。許可される値は次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filter</emphasis>: ldap_access_filter を使用します"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6891,14 +6985,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6911,12 +7005,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr "<emphasis>expire</emphasis>: ldap_account_expire_policy を使用します"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6926,7 +7020,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6936,20 +7030,20 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -6958,44 +7052,44 @@ msgstr ""
 "authorizedService 属性を使用します"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 "<emphasis>host</emphasis>: アクセス権を決めるために host 属性を使用します"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr "初期値: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr "値が複数使用されていると設定エラーになることに注意してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -7004,22 +7098,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -7028,12 +7122,12 @@ msgstr ""
 "ションが許容されます:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr "<emphasis>never</emphasis>: エイリアスが参照解決されません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -7042,7 +7136,7 @@ msgstr ""
 "決されますが、検索のベースオブジェクトの位置を探すときはされません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -7051,7 +7145,7 @@ msgstr ""
 "すときのみ参照解決されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -7060,7 +7154,7 @@ msgstr ""
 "きも位置を検索するときも参照解決されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -7069,12 +7163,12 @@ msgstr ""
 "して取り扱われます）"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
@@ -7083,7 +7177,7 @@ msgstr ""
 "ユーザーを保持することができます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -7094,7 +7188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -7102,50 +7196,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 #, fuzzy
 #| msgid "debug_level (integer)"
 msgid "ldap_library_debug_level (integer)"
 msgstr "debug_level (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 #, fuzzy
 #| msgid "Default: 0 (disabled)"
 msgid "Default: 0 (libldap debugging disabled)"
@@ -7164,12 +7258,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr "SUDO オプション"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -7177,19 +7271,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
@@ -7198,24 +7292,24 @@ msgstr ""
 "ります"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr "初期値: 21600 (6 時間)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -7223,14 +7317,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -7240,21 +7334,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 #, fuzzy
 #| msgid "ldap_idmap_range_size (integer)"
 msgid "ldap_sudo_random_offset (integer)"
 msgstr "ldap_idmap_range_size (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -7262,7 +7356,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -7270,29 +7364,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
@@ -7301,15 +7395,15 @@ msgstr ""
 "区切り一覧です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
@@ -7318,17 +7412,17 @@ msgstr ""
 "ならば、このオプションは効果を持ちません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr "初期値: 指定なし"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
@@ -7337,7 +7431,7 @@ msgstr ""
 "アドレスの空白区切り一覧です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
@@ -7345,38 +7439,38 @@ msgstr ""
 "このオプションが空白ならば、SSSD は自動的にアドレスを検索しようとします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "ldap_sudo_include_netgroups (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -7388,59 +7482,59 @@ msgstr ""
 "refentrytitle><manvolnum>5</manvolnum> </citerefentry> を参照してください"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr "AUTOFS オプション"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr "LDAP のオートマウントマスターマップの名前。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr "高度なオプション"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -7449,22 +7543,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -7473,14 +7567,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr "例"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7491,7 +7585,7 @@ msgstr ""
 "す。"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7504,27 +7598,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7540,13 +7634,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "注記"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8624,7 +8718,7 @@ msgstr ""
 "ンの中のグループのみに適用されます。ローカルグループは評価されません。"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -9671,7 +9765,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr "dyndns_update (論理値)"
 
@@ -9686,7 +9780,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -9704,12 +9798,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr "dyndns_ttl (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -9730,12 +9824,12 @@ msgid "Default: 1200 (seconds)"
 msgstr "初期値: 1200 (秒)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr "dyndns_iface (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -9759,17 +9853,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -9777,19 +9871,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 #, fuzzy
 #| msgid "dyndns_iface (string)"
 msgid "dyndns_auth_ptr (string)"
 msgstr "dyndns_iface (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -9797,7 +9891,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -9807,7 +9901,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr "ipa_enable_dns_sites (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr "DNS サイトの有効化 - 位置情報に基づいたサービス探索。"
 
@@ -9824,7 +9918,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr "dyndns_refresh_interval (整数)"
 
@@ -9837,12 +9931,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr "dyndns_update_ptr (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -9861,12 +9955,12 @@ msgid "Default: False (disabled)"
 msgstr "初期値: False (無効)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr "dyndns_force_tcp (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
@@ -9875,48 +9969,48 @@ msgstr ""
 "どうか。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -10066,26 +10160,26 @@ msgstr ""
 "めに使用するベース DN に変換されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -10104,7 +10198,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr "初期値: 5 (秒)"
 
@@ -10663,13 +10757,33 @@ msgid ""
 "LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr "ad_domain (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
@@ -10678,7 +10792,7 @@ msgstr ""
 "ければ、設定のドメイン名が使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
@@ -10687,19 +10801,19 @@ msgstr ""
 "ンの小文字バージョンとして指定されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -10707,7 +10821,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -10715,7 +10829,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -10723,19 +10837,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -10743,26 +10857,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -10771,7 +10885,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -10779,12 +10893,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr "ad_enable_dns_sites (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -10795,12 +10909,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -10809,7 +10923,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -10818,7 +10932,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -10827,14 +10941,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -10847,7 +10961,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -10856,7 +10970,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -10874,24 +10988,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -10900,7 +11014,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -10909,12 +11023,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -10924,7 +11038,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -10933,7 +11047,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -10942,7 +11056,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -10952,21 +11066,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -10976,7 +11090,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -10991,23 +11105,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -11015,22 +11129,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -11041,7 +11155,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -11049,80 +11163,80 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "all users are allowed"
 msgstr "以下の値が許可されます:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "only users in allow-rules are allowed"
 msgstr "以下の値が許可されます:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "no users are allowed"
 msgstr "以下の値が許可されます:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -11132,12 +11246,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -11145,12 +11259,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -11166,14 +11280,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -11181,7 +11295,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11193,42 +11307,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -11244,7 +11358,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -11252,7 +11366,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -11260,7 +11374,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11272,22 +11386,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -11303,7 +11417,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -11311,7 +11425,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -11319,7 +11433,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11331,22 +11445,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -11361,14 +11475,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -11376,7 +11490,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11388,23 +11502,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -11420,14 +11534,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -11435,7 +11549,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -11446,19 +11560,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -11466,7 +11580,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -11478,29 +11592,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -11508,12 +11622,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -11526,57 +11640,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -11584,17 +11698,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -11604,17 +11718,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -11623,12 +11737,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -11639,14 +11753,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 #, fuzzy
 #| msgid "ldap_sudo_include_netgroups (boolean)"
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr "ldap_sudo_include_netgroups (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -11657,7 +11771,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -11672,7 +11786,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -11684,7 +11798,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -11695,19 +11809,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr "初期値: 3600 (秒)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -11717,7 +11831,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -11728,7 +11842,7 @@ msgstr ""
 "AD プロバイダー固有のオプションのみ示してします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -11752,7 +11866,7 @@ msgstr ""
 "ad_domain = example.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -11764,7 +11878,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -11772,7 +11886,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -11782,7 +11896,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -17752,32 +17866,43 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+msgid "Authentication Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -18461,49 +18586,72 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+msgid "Default: false (IPA and AD provider: true)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+"詳細は <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> マニュアルページにある "
+"<quote>dns_discovery_domain</quote> パラメーターを参照してください。"
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr "krb5_renewable_lifetime (文字列)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr "秒は <emphasis>s</emphasis>"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr "分は <emphasis>m</emphasis>"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr "時間は <emphasis>h</emphasis>"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr "日は <emphasis>d</emphasis>"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr "単位が指定されていないと、<emphasis>s</emphasis> と仮定されます。"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
@@ -18512,29 +18660,29 @@ msgstr ""
 "指定したい場合、'1h30m' の代わりに '90m' を使用します。"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr "初期値: 設定されません、つまり TGT は更新可能ではありません"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr "krb5_lifetime (文字列)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr "単位が指定されていないと、<emphasis>s</emphasis> と仮定されます。"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
@@ -18543,7 +18691,7 @@ msgstr ""
 "指定したい場合、'1h30m' の代わりに '90m' を使用してください。"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
@@ -18551,12 +18699,12 @@ msgstr ""
 "期値です。"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr "krb5_renew_interval (文字列)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -18564,14 +18712,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 "このオプションが設定されていない場合、または 0 に設定されている場合、自動更新"
 "は無効になります。"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/lv.po b/src/man/po/lv.po
index 8c7864dd9b6..e4e3376f730 100644
--- a/src/man/po/lv.po
+++ b/src/man/po/lv.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2014-12-15 12:00-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Latvian (http://www.transifex.com/projects/p/sssd/language/"
@@ -208,10 +208,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr ""
 
@@ -229,12 +229,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr ""
 
@@ -266,8 +266,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -297,7 +297,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr "Noklusējuma: 10"
 
@@ -373,8 +373,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr ""
 
@@ -395,7 +395,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr ""
 
@@ -415,12 +415,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -428,39 +428,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -598,11 +598,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr ""
 
@@ -868,8 +868,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr ""
 
@@ -1016,7 +1016,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr "Noklusējuma: 60"
 
@@ -1126,7 +1126,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr "Noklusējuma: 300"
 
@@ -1497,7 +1497,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr ""
 
@@ -1525,8 +1525,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr "Noklusējuma: 6"
@@ -1838,7 +1838,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
@@ -1851,7 +1851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1865,7 +1865,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
@@ -1928,8 +1928,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr ""
 
@@ -1994,9 +1994,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr ""
 
@@ -2011,7 +2011,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2107,48 +2107,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2266,7 +2266,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr ""
 
@@ -2300,7 +2300,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -2310,7 +2310,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2330,7 +2330,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr ""
@@ -2690,25 +2690,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2716,73 +2727,71 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -2792,66 +2801,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -2859,17 +2868,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -2877,7 +2886,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -2886,56 +2895,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 msgid "exclude_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 msgid "Default: Empty. No users excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 msgid "exclude_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 msgid "Default: Empty. No groups excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -2945,12 +2954,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -2959,14 +2968,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -2975,38 +2984,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3015,24 +3024,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3041,29 +3050,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3077,14 +3086,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3093,39 +3102,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3134,19 +3143,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3157,139 +3166,139 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3298,17 +3307,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3320,33 +3329,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3354,19 +3363,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3375,17 +3384,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr "Noklusējuma: 0 (neierobežots)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3394,28 +3403,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3423,7 +3432,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3431,8 +3440,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3441,8 +3450,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3450,19 +3459,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3471,7 +3480,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3479,24 +3488,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3508,27 +3517,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3536,7 +3556,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3544,30 +3564,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3575,19 +3595,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3596,7 +3616,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3604,29 +3624,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr "Noklusējuma: <quote>atļaut</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3634,7 +3654,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3642,35 +3662,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3678,32 +3698,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3714,7 +3734,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3723,12 +3743,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3736,7 +3756,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3744,31 +3764,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3776,7 +3796,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3785,17 +3805,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -3803,43 +3823,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3847,7 +3867,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3855,7 +3875,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3863,24 +3883,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3888,31 +3908,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3920,7 +3940,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -3929,12 +3949,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3944,7 +3964,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -3953,29 +3973,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3983,108 +4003,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Noklusējuma: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr "Atbalstītās vērtības:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 #, fuzzy
 #| msgid "timeout (integer)"
 msgid "dns_resolver_server_timeout (integer)"
 msgstr "noildze (vesels skaitlis)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 #, fuzzy
 #| msgid "timeout (integer)"
 msgid "dns_resolver_op_timeout (integer)"
 msgstr "noildze (vesels skaitlis)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4093,64 +4111,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4158,38 +4176,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4197,49 +4208,114 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
+#: sssd.conf.5.xml:3695
+msgid "ldap_search_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3698
+msgid "ldap_network_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+msgid "ldap_opt_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "ldap_offline_timeout"
+msgstr "noildze (vesels skaitlis)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3707
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "ldap_enumeration_refresh_timeout"
+msgstr "noildze (vesels skaitlis)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+msgid "ldap_enumeration_refresh_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+msgid "ldap_purge_cache_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+msgid "ldap_krb5_ticket_lifetime"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "ldap_enumeration_search_timeout"
+msgstr "noildze (vesels skaitlis)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "ldap_connection_expire_timeout"
+msgstr "noildze (vesels skaitlis)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "ldap_connection_expire_offset"
+msgstr "noildze (vesels skaitlis)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 msgid "ldap_connection_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4247,27 +4323,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4277,34 +4353,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4313,19 +4389,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4333,24 +4409,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4359,24 +4435,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4386,14 +4462,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4401,21 +4477,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4423,7 +4499,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4432,7 +4508,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4441,7 +4517,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4449,29 +4525,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4479,12 +4555,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4492,12 +4568,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4506,12 +4582,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4519,19 +4595,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -4548,7 +4624,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -4556,17 +4632,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -4575,7 +4651,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -4585,7 +4661,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4605,12 +4681,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -4621,69 +4697,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -4696,7 +4772,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -4704,7 +4780,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -4713,55 +4789,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -4770,17 +4846,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -4788,26 +4864,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -4816,17 +4892,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -4836,7 +4912,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -4845,59 +4921,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -4906,7 +4982,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -4915,7 +4991,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -4924,7 +5000,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -4932,12 +5008,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4967,7 +5043,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -4976,7 +5052,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -4984,7 +5060,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -4995,7 +5071,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -5009,7 +5085,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5072,7 +5148,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5173,7 +5249,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr ""
@@ -5389,12 +5465,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5402,7 +5478,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5411,12 +5487,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5424,7 +5500,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5434,7 +5510,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5444,34 +5520,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -5479,32 +5555,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5512,7 +5588,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5520,12 +5596,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5533,12 +5609,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5549,12 +5625,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5563,12 +5639,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5577,7 +5653,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -5588,38 +5664,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 #, fuzzy
 #| msgid "timeout (integer)"
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr "noildze (vesels skaitlis)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -5627,29 +5703,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5657,14 +5733,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5672,17 +5748,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5692,12 +5768,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5705,17 +5781,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -5723,12 +5799,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5736,7 +5812,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -5747,7 +5823,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5756,7 +5832,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5764,12 +5840,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -5777,7 +5853,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -5785,26 +5861,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5812,7 +5888,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5820,7 +5896,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5828,41 +5904,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5871,32 +5947,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5904,24 +5980,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5929,17 +6005,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5950,24 +6026,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -5978,12 +6054,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -5996,7 +6072,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -6008,17 +6084,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -6026,49 +6102,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6076,28 +6152,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr "Noklusējuma: 86400 (24 stundas)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6109,7 +6185,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6117,7 +6193,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6125,39 +6201,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6167,7 +6243,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6175,26 +6251,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6203,7 +6279,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6211,31 +6287,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6248,51 +6324,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr "Noklusējuma: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -6301,12 +6377,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6322,12 +6398,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr "Piemērs:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6336,14 +6412,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6352,24 +6428,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6377,19 +6453,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr "Atļautas šādas vērtības:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6398,7 +6474,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6406,7 +6482,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6415,7 +6491,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6423,22 +6499,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6448,14 +6524,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6468,12 +6544,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6483,7 +6559,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6493,63 +6569,63 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr "Noklusējuma: filtrēt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6558,74 +6634,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6636,7 +6712,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6644,48 +6720,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 msgid "ldap_library_debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr ""
 
@@ -6702,12 +6778,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6715,43 +6791,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -6759,14 +6835,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -6776,19 +6852,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 msgid "ldap_sudo_random_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -6796,7 +6872,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -6804,106 +6880,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6912,59 +6988,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr "PAPLAŠINĀTĀS IESPĒJAS"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -6973,22 +7049,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -6997,14 +7073,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr "PIEMĒRS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7012,7 +7088,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7025,27 +7101,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7061,13 +7137,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "PIEZĪMES"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8075,7 +8151,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -9102,7 +9178,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr ""
 
@@ -9117,7 +9193,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -9132,12 +9208,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -9158,12 +9234,12 @@ msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -9187,17 +9263,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -9205,17 +9281,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 msgid "dyndns_auth_ptr (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -9223,7 +9299,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -9233,7 +9309,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
@@ -9250,7 +9326,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
@@ -9263,12 +9339,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -9287,60 +9363,60 @@ msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -9471,26 +9547,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -9509,7 +9585,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr ""
 
@@ -10060,39 +10136,59 @@ msgid ""
 "LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -10100,7 +10196,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -10108,7 +10204,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -10116,19 +10212,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -10136,26 +10232,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -10164,7 +10260,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -10172,12 +10268,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -10188,12 +10284,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -10202,7 +10298,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -10211,7 +10307,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -10220,14 +10316,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -10240,7 +10336,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -10249,7 +10345,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -10267,24 +10363,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -10293,7 +10389,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -10302,12 +10398,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -10317,7 +10413,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -10326,7 +10422,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -10335,7 +10431,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -10345,21 +10441,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -10369,7 +10465,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -10384,23 +10480,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -10408,22 +10504,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -10434,7 +10530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -10442,80 +10538,80 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "all users are allowed"
 msgstr "Atļautas šādas vērtības:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "only users in allow-rules are allowed"
 msgstr "Atļautas šādas vērtības:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 #, fuzzy
 #| msgid "The following values are allowed:"
 msgid "no users are allowed"
 msgstr "Atļautas šādas vērtības:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -10525,12 +10621,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -10538,12 +10634,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -10559,14 +10655,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -10574,7 +10670,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10586,42 +10682,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -10637,7 +10733,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -10645,7 +10741,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -10653,7 +10749,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10665,22 +10761,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -10696,7 +10792,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -10704,7 +10800,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -10712,7 +10808,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10724,22 +10820,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -10754,14 +10850,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -10769,7 +10865,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10781,23 +10877,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -10813,14 +10909,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -10828,7 +10924,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -10839,19 +10935,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -10859,7 +10955,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10871,29 +10967,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -10901,12 +10997,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -10919,57 +11015,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -10977,17 +11073,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -10997,17 +11093,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -11016,12 +11112,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -11032,12 +11128,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -11048,7 +11144,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -11063,7 +11159,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -11075,7 +11171,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -11086,19 +11182,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -11108,7 +11204,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -11116,7 +11212,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -11131,7 +11227,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -11140,7 +11236,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -11148,7 +11244,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -11158,7 +11254,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -16822,32 +16918,43 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+msgid "Authentication Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -17518,96 +17625,111 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+msgid "Default: false (IPA and AD provider: true)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -17615,12 +17737,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/nl.po b/src/man/po/nl.po
index a916003a9cb..bcef344f6d3 100644
--- a/src/man/po/nl.po
+++ b/src/man/po/nl.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2014-12-15 12:02-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Dutch (http://www.transifex.com/projects/p/sssd/language/"
@@ -217,10 +217,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr "Standaard: true"
 
@@ -238,12 +238,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr ""
 
@@ -277,8 +277,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -308,7 +308,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr ""
 
@@ -388,8 +388,8 @@ msgstr ""
 "Data Aanbieder crashed of opnieuw start voordat dit opgegeven wordt"
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "Standaard: 3"
 
@@ -410,7 +410,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr "re_expression (tekst)"
 
@@ -430,12 +430,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr "full_name_format (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -443,39 +443,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -623,11 +623,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr ""
 
@@ -893,8 +893,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr ""
 
@@ -1041,7 +1041,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr ""
 
@@ -1149,7 +1149,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr ""
 
@@ -1526,7 +1526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr ""
 
@@ -1554,8 +1554,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr ""
@@ -1871,7 +1871,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
@@ -1884,7 +1884,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1898,7 +1898,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Standaard: 0"
 
@@ -1961,8 +1961,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr ""
 
@@ -2027,9 +2027,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr ""
 
@@ -2044,7 +2044,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2142,48 +2142,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2301,7 +2301,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr ""
 
@@ -2335,7 +2335,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -2345,7 +2345,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2365,7 +2365,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr ""
@@ -2727,25 +2727,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr "re_expression (tekst)"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2753,73 +2764,71 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -2829,66 +2838,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -2896,17 +2905,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -2914,7 +2923,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -2923,58 +2932,58 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 #, fuzzy
 #| msgid "re_expression (string)"
 msgid "exclude_users (string)"
 msgstr "re_expression (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 msgid "Default: Empty. No users excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 msgid "exclude_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 msgid "Default: Empty. No groups excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -2984,12 +2993,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -2998,14 +3007,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -3014,38 +3023,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3054,24 +3063,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3080,29 +3089,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3116,14 +3125,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3132,39 +3141,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3173,19 +3182,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3196,139 +3205,139 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3337,17 +3346,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3359,33 +3368,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3393,19 +3402,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3414,17 +3423,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3433,28 +3442,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3462,7 +3471,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3470,8 +3479,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3480,8 +3489,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3489,19 +3498,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3510,7 +3519,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3518,24 +3527,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3547,27 +3556,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3575,7 +3595,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3583,30 +3603,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3614,19 +3634,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3635,7 +3655,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3643,29 +3663,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3673,7 +3693,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3681,35 +3701,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3717,32 +3737,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3753,7 +3773,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3762,12 +3782,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3775,7 +3795,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3783,31 +3803,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3815,7 +3835,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3824,17 +3844,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -3842,43 +3862,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3886,7 +3906,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3894,7 +3914,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3902,24 +3922,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3927,31 +3947,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3959,7 +3979,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -3968,12 +3988,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3983,7 +4003,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -3992,29 +4012,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -4025,108 +4045,106 @@ msgstr ""
 "het domein alles daarna\""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Standaard: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 #, fuzzy
 #| msgid "entry_negative_timeout (integer)"
 msgid "dns_resolver_server_timeout (integer)"
 msgstr "entry_negative_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 #, fuzzy
 #| msgid "entry_negative_timeout (integer)"
 msgid "dns_resolver_op_timeout (integer)"
 msgstr "entry_negative_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4135,64 +4153,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4200,38 +4218,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4239,49 +4250,114 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
+#: sssd.conf.5.xml:3695
+msgid "ldap_search_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3698
+msgid "ldap_network_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+msgid "ldap_opt_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+#, fuzzy
+#| msgid "enum_cache_timeout (integer)"
+msgid "ldap_offline_timeout"
+msgstr "enum_cache_timeout (numeriek)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3707
+#, fuzzy
+#| msgid "reconnection_retries (integer)"
+msgid "ldap_enumeration_refresh_timeout"
+msgstr "reconnection_retries (numeriek)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+msgid "ldap_enumeration_refresh_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+msgid "ldap_purge_cache_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+msgid "ldap_krb5_ticket_lifetime"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+#, fuzzy
+#| msgid "reconnection_retries (integer)"
+msgid "ldap_enumeration_search_timeout"
+msgstr "reconnection_retries (numeriek)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+#, fuzzy
+#| msgid "reconnection_retries (integer)"
+msgid "ldap_connection_expire_timeout"
+msgstr "reconnection_retries (numeriek)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+#, fuzzy
+#| msgid "reconnection_retries (integer)"
+msgid "ldap_connection_expire_offset"
+msgstr "reconnection_retries (numeriek)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 msgid "ldap_connection_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4289,27 +4365,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4319,34 +4395,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4355,19 +4431,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4375,24 +4451,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4401,24 +4477,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4428,14 +4504,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4443,21 +4519,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4465,7 +4541,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4474,7 +4550,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4483,7 +4559,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4491,29 +4567,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4521,12 +4597,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4534,12 +4610,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4548,12 +4624,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4561,19 +4637,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -4590,7 +4666,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -4598,17 +4674,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -4617,7 +4693,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -4627,7 +4703,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4647,12 +4723,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -4663,69 +4739,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -4738,7 +4814,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -4746,7 +4822,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -4755,55 +4831,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -4812,17 +4888,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -4830,26 +4906,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -4858,17 +4934,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -4878,7 +4954,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -4887,59 +4963,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -4948,7 +5024,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -4957,7 +5033,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -4966,7 +5042,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -4974,12 +5050,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -5009,7 +5085,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -5018,7 +5094,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -5026,7 +5102,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -5037,7 +5113,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -5051,7 +5127,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5114,7 +5190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5215,7 +5291,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr ""
@@ -5431,12 +5507,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5444,7 +5520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5453,12 +5529,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5466,7 +5542,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5476,7 +5552,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5486,34 +5562,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -5521,32 +5597,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5554,7 +5630,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5562,12 +5638,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5575,12 +5651,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5591,12 +5667,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5605,12 +5681,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5619,7 +5695,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -5630,38 +5706,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 #, fuzzy
 #| msgid "reconnection_retries (integer)"
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr "reconnection_retries (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -5669,29 +5745,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5699,14 +5775,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5714,17 +5790,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5734,12 +5810,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5747,17 +5823,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -5765,12 +5841,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5778,7 +5854,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -5789,7 +5865,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5798,7 +5874,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5806,12 +5882,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -5819,7 +5895,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -5827,26 +5903,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5854,7 +5930,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5862,7 +5938,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5870,41 +5946,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5913,32 +5989,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5946,24 +6022,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5971,17 +6047,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5992,24 +6068,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -6020,12 +6096,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -6038,7 +6114,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -6050,17 +6126,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -6068,49 +6144,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6118,28 +6194,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6151,7 +6227,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6159,7 +6235,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6167,39 +6243,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6209,7 +6285,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6217,26 +6293,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6245,7 +6321,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6253,31 +6329,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6290,51 +6366,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -6343,12 +6419,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6364,12 +6440,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6378,14 +6454,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6394,24 +6470,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6419,19 +6495,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6440,7 +6516,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6448,7 +6524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6457,7 +6533,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6465,22 +6541,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6490,14 +6566,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6510,12 +6586,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6525,7 +6601,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6535,63 +6611,63 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6600,74 +6676,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6678,7 +6754,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6686,50 +6762,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 #, fuzzy
 #| msgid "debug_level (integer)"
 msgid "ldap_library_debug_level (integer)"
 msgstr "debug_level (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr ""
 
@@ -6746,12 +6822,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6759,43 +6835,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -6803,14 +6879,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -6820,19 +6896,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 msgid "ldap_sudo_random_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -6840,7 +6916,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -6848,106 +6924,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6956,59 +7032,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -7017,22 +7093,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -7041,14 +7117,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7056,7 +7132,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7069,27 +7145,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7105,13 +7181,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8125,7 +8201,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -9152,7 +9228,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr ""
 
@@ -9167,7 +9243,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -9182,12 +9258,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -9208,12 +9284,12 @@ msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -9237,17 +9313,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -9255,17 +9331,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 msgid "dyndns_auth_ptr (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -9273,7 +9349,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -9283,7 +9359,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
@@ -9300,7 +9376,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
@@ -9313,12 +9389,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -9337,60 +9413,60 @@ msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -9521,26 +9597,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -9559,7 +9635,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr ""
 
@@ -10110,39 +10186,59 @@ msgid ""
 "LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -10150,7 +10246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -10158,7 +10254,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -10166,19 +10262,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -10186,26 +10282,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -10214,7 +10310,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -10222,12 +10318,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -10238,12 +10334,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -10252,7 +10348,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -10261,7 +10357,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -10270,14 +10366,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -10290,7 +10386,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -10299,7 +10395,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -10317,24 +10413,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -10343,7 +10439,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -10352,12 +10448,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -10367,7 +10463,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -10376,7 +10472,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -10385,7 +10481,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -10395,21 +10491,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -10419,7 +10515,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -10434,23 +10530,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -10458,22 +10554,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -10484,7 +10580,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -10492,74 +10588,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 msgid "all users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 msgid "only users in allow-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 msgid "no users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -10569,12 +10665,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -10582,12 +10678,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -10603,14 +10699,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -10618,7 +10714,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10630,42 +10726,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -10681,7 +10777,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -10689,7 +10785,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -10697,7 +10793,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10709,22 +10805,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -10740,7 +10836,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -10748,7 +10844,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -10756,7 +10852,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10768,22 +10864,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -10798,14 +10894,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -10813,7 +10909,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10825,23 +10921,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -10857,14 +10953,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -10872,7 +10968,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -10883,19 +10979,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -10903,7 +10999,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10915,29 +11011,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -10945,12 +11041,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -10963,57 +11059,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -11021,17 +11117,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -11041,17 +11137,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -11060,12 +11156,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -11076,12 +11172,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -11092,7 +11188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -11107,7 +11203,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -11119,7 +11215,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -11130,19 +11226,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -11152,7 +11248,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -11160,7 +11256,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -11175,7 +11271,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -11184,7 +11280,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -11192,7 +11288,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -11202,7 +11298,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -16866,32 +16962,43 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+msgid "Authentication Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -17562,96 +17669,111 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+msgid "Default: false (IPA and AD provider: true)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -17659,12 +17781,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/pt.po b/src/man/po/pt.po
index a53e0c00bfe..bc1acc1351b 100644
--- a/src/man/po/pt.po
+++ b/src/man/po/pt.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2014-12-15 12:05-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Portuguese (http://www.transifex.com/projects/p/sssd/language/"
@@ -212,10 +212,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr ""
 
@@ -233,12 +233,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr "Padrão: false"
 
@@ -272,8 +272,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -303,7 +303,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr "Padrão: 10"
 
@@ -383,8 +383,8 @@ msgstr ""
 "falha do provedor de dados ou reiniciar antes de eles desistirem"
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "Padrão: 3"
 
@@ -405,7 +405,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr "re_expression (string)"
 
@@ -425,12 +425,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr "full_name_format (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -438,39 +438,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -608,11 +608,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr ""
 
@@ -878,8 +878,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr ""
 
@@ -1030,7 +1030,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr "Padrão: 60"
 
@@ -1140,7 +1140,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr "Padrão: 300"
 
@@ -1513,7 +1513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr ""
 
@@ -1541,8 +1541,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr "Padrão: 6"
@@ -1858,7 +1858,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
@@ -1871,7 +1871,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1885,7 +1885,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
@@ -1948,8 +1948,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr "Padrão: none"
 
@@ -2014,9 +2014,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr ""
 
@@ -2031,7 +2031,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2129,48 +2129,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2288,7 +2288,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr ""
 
@@ -2322,7 +2322,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -2332,7 +2332,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2352,7 +2352,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr "Padrão: TRUE"
@@ -2714,25 +2714,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr "ipa_hostname (string)"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2740,73 +2751,71 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -2816,66 +2825,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -2883,17 +2892,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -2901,7 +2910,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -2910,64 +2919,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 #, fuzzy
 #| msgid "ldap_user_shell (string)"
 msgid "exclude_users (string)"
 msgstr "ldap_user_shell (string)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 #, fuzzy
 #| msgid "Default: empty, i.e. ldap_uri is used."
 msgid "Default: Empty. No users excluded."
 msgstr "Padrão: empty, ou seja, ldap_uri é usado."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 #, fuzzy
 #| msgid "ldap_group_search_base (string)"
 msgid "exclude_groups (string)"
 msgstr "ldap_group_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 #, fuzzy
 #| msgid "Default: empty, i.e. ldap_uri is used."
 msgid "Default: Empty. No groups excluded."
 msgstr "Padrão: empty, ou seja, ldap_uri é usado."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr "SECÇÕES DE DOMÍNIO"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -2977,12 +2986,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -2991,14 +3000,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -3007,38 +3016,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3047,24 +3056,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Padrão: 1 para min_id, 0 (sem limite) para max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr "enumerate (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3073,29 +3082,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr "Padrão: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3109,14 +3118,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3125,39 +3134,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3166,19 +3175,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3189,139 +3198,139 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr "Padrão: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3330,17 +3339,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3352,33 +3361,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3386,19 +3395,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3407,17 +3416,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr "Padrão: 0 (ilimitado)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3426,28 +3435,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr "id_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3455,7 +3464,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3463,8 +3472,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3473,8 +3482,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3482,19 +3491,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3503,7 +3512,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3511,24 +3520,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3540,27 +3549,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr "auth_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3568,7 +3588,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3576,30 +3596,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr "access_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3607,19 +3627,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3628,7 +3648,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3636,29 +3656,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3666,7 +3686,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3674,35 +3694,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3710,32 +3730,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3746,7 +3766,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3755,12 +3775,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3768,7 +3788,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3776,31 +3796,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3808,7 +3828,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3817,17 +3837,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -3835,43 +3855,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3879,7 +3899,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3887,7 +3907,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3895,24 +3915,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3920,31 +3940,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3952,7 +3972,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -3961,12 +3981,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3976,7 +3996,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -3985,29 +4005,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -4015,108 +4035,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Default: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr "Default: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 #, fuzzy
 #| msgid "dns_resolver_timeout (integer)"
 msgid "dns_resolver_server_timeout (integer)"
 msgstr "dns_resolver_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr "Padrão: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 #, fuzzy
 #| msgid "dns_resolver_timeout (integer)"
 msgid "dns_resolver_op_timeout (integer)"
 msgstr "dns_resolver_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4125,64 +4143,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr "override_gid (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4190,38 +4208,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4229,51 +4240,126 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
-msgstr ""
+#: sssd.conf.5.xml:3695
+#, fuzzy
+#| msgid "ldap_search_timeout (integer)"
+msgid "ldap_search_timeout"
+msgstr "ldap_search_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3698
+#, fuzzy
+#| msgid "ldap_network_timeout (integer)"
+msgid "ldap_network_timeout"
+msgstr "ldap_network_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+#, fuzzy
+#| msgid "ldap_opt_timeout (integer)"
+msgid "ldap_opt_timeout"
+msgstr "ldap_opt_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_offline_timeout"
+msgstr "ldap_enumeration_refresh_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3707
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_timeout"
+msgstr "ldap_enumeration_refresh_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_offset"
+msgstr "ldap_enumeration_refresh_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+msgid "ldap_purge_cache_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+#, fuzzy
+#| msgid "ldap_krb5_ticket_lifetime (integer)"
+msgid "ldap_krb5_ticket_lifetime"
+msgstr "ldap_krb5_ticket_lifetime (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_search_timeout"
+msgstr "ldap_enumeration_refresh_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_connection_expire_timeout"
+msgstr "ldap_enumeration_refresh_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_connection_expire_offset"
+msgstr "ldap_enumeration_refresh_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 #, fuzzy
 #| msgid "ldap_enumeration_refresh_timeout (integer)"
 msgid "ldap_connection_idle_timeout"
 msgstr "ldap_enumeration_refresh_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4281,27 +4367,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4311,34 +4397,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4347,19 +4433,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4367,24 +4453,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4393,24 +4479,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4420,14 +4506,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4435,21 +4521,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4457,7 +4543,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4466,7 +4552,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4475,7 +4561,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4483,29 +4569,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4513,12 +4599,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4526,12 +4612,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4540,12 +4626,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4553,19 +4639,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -4582,7 +4668,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -4590,17 +4676,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -4609,7 +4695,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -4619,7 +4705,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4639,12 +4725,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -4655,69 +4741,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -4730,7 +4816,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -4738,7 +4824,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -4747,55 +4833,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -4804,17 +4890,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -4822,26 +4908,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -4850,17 +4936,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -4870,7 +4956,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -4879,59 +4965,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -4940,7 +5026,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -4949,7 +5035,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -4958,7 +5044,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -4966,12 +5052,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -5025,7 +5111,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -5034,7 +5120,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -5042,7 +5128,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -5053,7 +5139,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -5067,7 +5153,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5130,7 +5216,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5231,7 +5317,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr "Exemplos:"
@@ -5451,12 +5537,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5464,7 +5550,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5473,12 +5559,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5486,7 +5572,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5496,7 +5582,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5506,34 +5592,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -5541,32 +5627,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5574,7 +5660,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5582,12 +5668,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5595,12 +5681,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5611,12 +5697,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5625,12 +5711,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5639,7 +5725,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -5650,38 +5736,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 #, fuzzy
 #| msgid "ldap_network_timeout (integer)"
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr "ldap_network_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -5689,29 +5775,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5719,14 +5805,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5734,17 +5820,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5754,12 +5840,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5767,17 +5853,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -5785,12 +5871,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5798,7 +5884,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -5809,7 +5895,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5818,7 +5904,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5826,12 +5912,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -5839,7 +5925,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -5847,19 +5933,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -5868,7 +5954,7 @@ msgstr ""
 "qualquer certificado de servidor."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5876,7 +5962,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5884,7 +5970,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5892,41 +5978,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr "Padrão: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5935,32 +6021,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5968,24 +6054,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5993,17 +6079,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -6014,24 +6100,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -6042,12 +6128,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -6060,7 +6146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -6072,17 +6158,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -6090,50 +6176,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr "Padrão: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "Padrão: Sistema keytab, normalmente <filename>/etc/krb5.keytab</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6141,28 +6227,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr "Padrão: 86400 (24 horas)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6174,7 +6260,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6182,7 +6268,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6190,39 +6276,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6232,7 +6318,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6240,26 +6326,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6268,7 +6354,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6276,31 +6362,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6313,51 +6399,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -6366,12 +6452,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6387,12 +6473,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6401,14 +6487,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6417,24 +6503,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6442,19 +6528,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6463,7 +6549,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6471,7 +6557,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6480,7 +6566,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6488,22 +6574,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6513,14 +6599,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6533,12 +6619,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6548,7 +6634,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6558,63 +6644,63 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr "Padrão: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6623,74 +6709,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6701,7 +6787,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6709,50 +6795,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 #, fuzzy
 #| msgid "ldap_page_size (integer)"
 msgid "ldap_library_debug_level (integer)"
 msgstr "ldap_page_size (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr ""
 
@@ -6769,12 +6855,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6782,43 +6868,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -6826,14 +6912,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -6843,21 +6929,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 #, fuzzy
 #| msgid "ldap_opt_timeout (integer)"
 msgid "ldap_sudo_random_offset (integer)"
 msgstr "ldap_opt_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -6865,7 +6951,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -6873,106 +6959,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6981,59 +7067,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr "OPÇÕES AVANÇADAS"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -7042,22 +7128,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -7066,14 +7152,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr "EXEMPLO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7081,7 +7167,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7094,27 +7180,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7130,13 +7216,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "NOTAS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8154,7 +8240,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -9181,7 +9267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr ""
 
@@ -9196,7 +9282,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -9211,12 +9297,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -9237,12 +9323,12 @@ msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -9266,17 +9352,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -9284,19 +9370,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 #, fuzzy
 #| msgid "auth_provider (string)"
 msgid "dyndns_auth_ptr (string)"
 msgstr "auth_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -9304,7 +9390,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -9314,7 +9400,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
@@ -9331,7 +9417,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
@@ -9344,12 +9430,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -9368,60 +9454,60 @@ msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -9554,26 +9640,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -9592,7 +9678,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr ""
 
@@ -10143,39 +10229,59 @@ msgid ""
 "LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -10183,7 +10289,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -10191,7 +10297,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -10199,19 +10305,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -10219,26 +10325,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -10247,7 +10353,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -10255,12 +10361,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -10271,12 +10377,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -10285,7 +10391,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -10294,7 +10400,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -10303,14 +10409,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -10323,7 +10429,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -10332,7 +10438,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -10350,24 +10456,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -10376,7 +10482,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -10385,12 +10491,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -10400,7 +10506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -10409,7 +10515,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -10418,7 +10524,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -10428,21 +10534,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -10452,7 +10558,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -10467,23 +10573,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -10491,22 +10597,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -10517,7 +10623,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -10525,74 +10631,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 msgid "all users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 msgid "only users in allow-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 msgid "no users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -10602,12 +10708,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -10615,12 +10721,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -10636,14 +10742,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -10651,7 +10757,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10663,42 +10769,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -10714,7 +10820,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -10722,7 +10828,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -10730,7 +10836,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10742,22 +10848,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -10773,7 +10879,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -10781,7 +10887,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -10789,7 +10895,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10801,22 +10907,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -10831,14 +10937,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -10846,7 +10952,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10858,23 +10964,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -10890,14 +10996,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -10905,7 +11011,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -10916,19 +11022,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -10936,7 +11042,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10948,29 +11054,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -10978,12 +11084,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -10996,57 +11102,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -11054,17 +11160,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -11074,17 +11180,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -11093,12 +11199,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -11109,12 +11215,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -11125,7 +11231,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -11140,7 +11246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -11152,7 +11258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -11163,19 +11269,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -11185,7 +11291,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -11193,7 +11299,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -11208,7 +11314,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -11217,7 +11323,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -11225,7 +11331,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -11235,7 +11341,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -16921,32 +17027,43 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+msgid "Authentication Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -17617,96 +17734,111 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+msgid "Default: false (IPA and AD provider: true)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr "krb5_renewable_lifetime (string)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr "Padrão: não definido, ou seja, o TGT não é renovável"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr "krb5_lifetime (string)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -17714,12 +17846,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/pt_BR.po b/src/man/po/pt_BR.po
index a1274b9a70b..f8a7b5cff4e 100644
--- a/src/man/po/pt_BR.po
+++ b/src/man/po/pt_BR.po
@@ -4,7 +4,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2017-01-29 10:11-0500\n"
 "Last-Translator: Rodrigo de Araujo Sousa Fonseca "
 "<rodrigodearaujo@fedoraproject.org>\n"
@@ -202,10 +202,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr ""
 
@@ -223,12 +223,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr ""
 
@@ -260,8 +260,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -291,7 +291,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr ""
 
@@ -367,8 +367,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr ""
 
@@ -389,7 +389,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr ""
 
@@ -409,12 +409,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -422,39 +422,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -592,11 +592,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr ""
 
@@ -862,8 +862,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr ""
 
@@ -1008,7 +1008,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr ""
 
@@ -1110,7 +1110,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr ""
 
@@ -1479,7 +1479,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr ""
 
@@ -1505,8 +1505,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr ""
@@ -1814,7 +1814,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
@@ -1827,7 +1827,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1841,7 +1841,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
@@ -1904,8 +1904,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr ""
 
@@ -1970,9 +1970,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr ""
 
@@ -1987,7 +1987,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2083,48 +2083,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2242,7 +2242,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr ""
 
@@ -2276,7 +2276,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -2286,7 +2286,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2306,7 +2306,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr ""
@@ -2666,25 +2666,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2692,73 +2703,71 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -2768,66 +2777,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -2835,17 +2844,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -2853,7 +2862,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -2862,56 +2871,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 msgid "exclude_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 msgid "Default: Empty. No users excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 msgid "exclude_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 msgid "Default: Empty. No groups excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -2921,12 +2930,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -2935,14 +2944,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -2951,38 +2960,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -2991,24 +3000,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3017,29 +3026,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3053,14 +3062,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3069,39 +3078,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3110,19 +3119,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3133,139 +3142,139 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3274,17 +3283,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3296,33 +3305,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3330,19 +3339,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3351,17 +3360,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3370,28 +3379,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3399,7 +3408,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3407,8 +3416,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3417,8 +3426,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3426,19 +3435,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3447,7 +3456,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3455,24 +3464,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3484,27 +3493,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3512,7 +3532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3520,30 +3540,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3551,19 +3571,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3572,7 +3592,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3580,29 +3600,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3610,7 +3630,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3618,35 +3638,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3654,32 +3674,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3690,7 +3710,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3699,12 +3719,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3712,7 +3732,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3720,31 +3740,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3752,7 +3772,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3761,17 +3781,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -3779,43 +3799,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3823,7 +3843,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3831,7 +3851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3839,24 +3859,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3864,31 +3884,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3896,7 +3916,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -3905,12 +3925,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3920,7 +3940,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -3929,29 +3949,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3959,104 +3979,102 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 msgid "dns_resolver_server_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 msgid "dns_resolver_op_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4065,64 +4083,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4130,38 +4148,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4169,49 +4180,104 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
+#: sssd.conf.5.xml:3695
+msgid "ldap_search_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+msgid "ldap_network_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+msgid "ldap_opt_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+msgid "ldap_offline_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3707
+msgid "ldap_enumeration_refresh_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+msgid "ldap_enumeration_refresh_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+msgid "ldap_purge_cache_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+msgid "ldap_krb5_ticket_lifetime"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+msgid "ldap_enumeration_search_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+msgid "ldap_connection_expire_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+msgid "ldap_connection_expire_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 msgid "ldap_connection_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4219,27 +4285,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4249,34 +4315,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4285,19 +4351,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4305,24 +4371,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4331,24 +4397,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4358,14 +4424,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4373,21 +4439,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4395,7 +4461,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4404,7 +4470,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4413,7 +4479,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4421,29 +4487,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4451,12 +4517,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4464,12 +4530,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4478,12 +4544,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4491,19 +4557,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -4520,7 +4586,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -4528,17 +4594,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -4547,7 +4613,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -4557,7 +4623,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4577,12 +4643,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -4593,69 +4659,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -4668,7 +4734,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -4676,7 +4742,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -4685,55 +4751,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -4742,17 +4808,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -4760,26 +4826,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -4788,17 +4854,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -4808,7 +4874,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -4817,59 +4883,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -4878,7 +4944,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -4887,7 +4953,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -4896,7 +4962,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -4904,12 +4970,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4939,7 +5005,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -4948,7 +5014,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -4956,7 +5022,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -4967,7 +5033,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -4981,7 +5047,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5044,7 +5110,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5145,7 +5211,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr ""
@@ -5361,12 +5427,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5374,7 +5440,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5383,12 +5449,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5396,7 +5462,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5406,7 +5472,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5416,34 +5482,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -5451,32 +5517,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5484,7 +5550,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5492,12 +5558,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5505,12 +5571,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5521,12 +5587,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5535,12 +5601,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5549,7 +5615,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -5560,36 +5626,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -5597,29 +5663,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5627,14 +5693,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5642,17 +5708,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5662,12 +5728,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5675,17 +5741,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -5693,12 +5759,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5706,7 +5772,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -5717,7 +5783,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5726,7 +5792,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5734,12 +5800,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -5747,7 +5813,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -5755,26 +5821,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5782,7 +5848,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5790,7 +5856,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5798,41 +5864,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5841,32 +5907,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5874,24 +5940,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5899,17 +5965,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5920,24 +5986,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -5948,12 +6014,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -5966,7 +6032,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -5978,17 +6044,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -5996,49 +6062,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6046,28 +6112,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6079,7 +6145,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6087,7 +6153,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6095,39 +6161,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6137,7 +6203,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6145,26 +6211,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6173,7 +6239,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6181,31 +6247,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6218,51 +6284,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -6271,12 +6337,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6292,12 +6358,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6306,14 +6372,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6322,24 +6388,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6347,19 +6413,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6368,7 +6434,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6376,7 +6442,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6385,7 +6451,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6393,22 +6459,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6418,14 +6484,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6438,12 +6504,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6453,7 +6519,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6463,63 +6529,63 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6528,74 +6594,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6606,7 +6672,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6614,48 +6680,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 msgid "ldap_library_debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr ""
 
@@ -6672,12 +6738,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6685,43 +6751,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -6729,14 +6795,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -6746,19 +6812,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 msgid "ldap_sudo_random_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -6766,7 +6832,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -6774,106 +6840,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6882,59 +6948,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -6943,22 +7009,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -6967,14 +7033,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -6982,7 +7048,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6995,27 +7061,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7031,13 +7097,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8043,7 +8109,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -9070,7 +9136,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr ""
 
@@ -9085,7 +9151,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -9100,12 +9166,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -9126,12 +9192,12 @@ msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -9155,17 +9221,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -9173,17 +9239,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 msgid "dyndns_auth_ptr (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -9191,7 +9257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -9201,7 +9267,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
@@ -9218,7 +9284,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
@@ -9231,12 +9297,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -9255,60 +9321,60 @@ msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -9439,26 +9505,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -9477,7 +9543,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr ""
 
@@ -10028,39 +10094,59 @@ msgid ""
 "LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -10068,7 +10154,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -10076,7 +10162,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -10084,19 +10170,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -10104,26 +10190,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -10132,7 +10218,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -10140,12 +10226,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -10156,12 +10242,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -10170,7 +10256,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -10179,7 +10265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -10188,14 +10274,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -10208,7 +10294,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -10217,7 +10303,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -10235,24 +10321,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -10261,7 +10347,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -10270,12 +10356,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -10285,7 +10371,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -10294,7 +10380,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -10303,7 +10389,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -10313,21 +10399,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -10337,7 +10423,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -10352,23 +10438,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -10376,22 +10462,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -10402,7 +10488,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -10410,74 +10496,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 msgid "all users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 msgid "only users in allow-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 msgid "no users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -10487,12 +10573,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -10500,12 +10586,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -10521,14 +10607,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -10536,7 +10622,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10548,42 +10634,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -10599,7 +10685,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -10607,7 +10693,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -10615,7 +10701,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10627,22 +10713,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -10658,7 +10744,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -10666,7 +10752,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -10674,7 +10760,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10686,22 +10772,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -10716,14 +10802,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -10731,7 +10817,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10743,23 +10829,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -10775,14 +10861,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -10790,7 +10876,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -10801,19 +10887,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -10821,7 +10907,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10833,29 +10919,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -10863,12 +10949,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -10881,57 +10967,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -10939,17 +11025,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -10959,17 +11045,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -10978,12 +11064,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -10994,12 +11080,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -11010,7 +11096,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -11025,7 +11111,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -11037,7 +11123,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -11048,19 +11134,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -11070,7 +11156,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -11078,7 +11164,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -11093,7 +11179,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -11102,7 +11188,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -11110,7 +11196,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -11120,7 +11206,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -16780,32 +16866,43 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+msgid "Authentication Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -17476,96 +17573,111 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+msgid "Default: false (IPA and AD provider: true)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -17573,12 +17685,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/ru.po b/src/man/po/ru.po
index bf8e3f303aa..795bc9e4b06 100644
--- a/src/man/po/ru.po
+++ b/src/man/po/ru.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2022-09-28 22:19+0000\n"
 "Last-Translator: Vi <xasertop@gmail.com>\n"
 "Language-Team: Russian <https://translate.fedoraproject.org/projects/sssd/"
@@ -17,8 +17,8 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
-"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
+"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
+"n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
 "X-Generator: Weblate 4.14.1\n"
 
 #. type: Content of: <reference><title>
@@ -253,10 +253,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr "По умолчанию: true"
 
@@ -277,12 +277,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr "По умолчанию: false"
 
@@ -322,8 +322,8 @@ msgstr ""
 "на другие типы журнала)."
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -357,7 +357,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr "По умолчанию: 10"
 
@@ -449,8 +449,8 @@ msgstr ""
 "перезапуска поставщика данных"
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "По умолчанию: 3"
 
@@ -478,7 +478,7 @@ msgstr ""
 "Символ «/» использовать нельзя."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr "re_expression (строка)"
 
@@ -504,12 +504,12 @@ msgstr ""
 "разделе справки «РАЗДЕЛЫ ДОМЕНА»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr "full_name_format (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -520,32 +520,32 @@ msgstr ""
 "создания полностью определённого имени из имени пользователя и имени домена."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr "имя пользователя"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr "имя домена, указанное в файле конфигурации SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
@@ -555,7 +555,7 @@ msgstr ""
 "доверия IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -743,11 +743,11 @@ msgstr ""
 "параметр default_domain_suffix."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr "По умолчанию: не задано"
 
@@ -1082,8 +1082,8 @@ msgstr ""
 "пользователей в разных доменах могут быть одинаковыми."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr "По умолчанию: не задано"
 
@@ -1271,7 +1271,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr "По умолчанию: 60"
 
@@ -1397,7 +1397,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr "По умолчанию: 300"
 
@@ -1856,7 +1856,7 @@ msgstr ""
 "памяти для запросов passwd."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr "По умолчанию: 8"
 
@@ -1887,8 +1887,8 @@ msgstr ""
 "памяти для запросов group."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr "По умолчанию: 6"
@@ -2260,7 +2260,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr "Показать предупреждение за N дней до истечения срока действия пароля."
 
@@ -2276,7 +2276,7 @@ msgstr ""
 "сможет показать предупреждение."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -2295,7 +2295,7 @@ msgstr ""
 "<emphasis>pwd_expiration_warning</emphasis> для конкретного домена."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "По умолчанию: 0"
 
@@ -2371,8 +2371,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr "По умолчанию: none"
 
@@ -2451,9 +2451,9 @@ msgstr ""
 "задержит процесс проверки подлинности, по умолчанию этот параметр отключён."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr "По умолчанию: false"
 
@@ -2468,7 +2468,7 @@ msgid "The path to the certificate database."
 msgstr "Путь к базе данных сертификатов."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr "По умолчанию:"
 
@@ -2591,48 +2591,48 @@ msgstr ""
 "конфигурацию: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr "По умолчанию: стандартный набор имён служб PAM включает:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr "login"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr "su"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr "su-l"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr "gdm-smartcard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr "gdm-password"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr "kdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr "sudo"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr "sudo-i"
 
@@ -2779,7 +2779,7 @@ msgid "Default: no_session"
 msgstr "По умолчанию: no_session"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr "pam_gssapi_services"
 
@@ -2823,7 +2823,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Пример: <placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -2833,7 +2833,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr "По умолчанию: - (проверка подлинности с помощью GSSAPI отключена)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr "pam_gssapi_check_upn"
 
@@ -2859,7 +2859,7 @@ msgstr ""
 "пользователей, получивших необходимый билет службы."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr "По умолчанию: true"
@@ -3331,13 +3331,24 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr "pac_check (строка)"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr "no_check"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
@@ -3346,12 +3357,12 @@ msgstr ""
 "проверки выполняться не будут."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr "pac_present"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -3362,12 +3373,12 @@ msgstr ""
 "ошибкой."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr "check_upn"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
@@ -3376,24 +3387,24 @@ msgstr ""
 "пользователя (UPN) верна."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr "upn_dns_info_present"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 "PAC должен содержать буфер UPN-DNS-INFO, неявным образом устанавливает "
 "'check_upn'."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr "check_upn_dns_info_ex"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
@@ -3402,12 +3413,12 @@ msgstr ""
 "согласованы ли данные в расширении."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr "upn_dns_info_ex_present"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
@@ -3416,20 +3427,20 @@ msgstr ""
 "устанавливает 'check_upn_dns_info_ex', 'upn_dns_info_present' и 'check_upn'."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder "
+#| "type=\"variablelist\" id=\"0\"/>"
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
-"Применить дополнительные проверки PAC билета Kerberos, который, если "
-"настроен, доступен в доменах Active Directory и FreeIPA. Указанные ниже "
-"параметры можно использовать отдельно или в виде списка параметров, "
-"разделенного запятыми: <placeholder type=\"variablelist\" id=\"0\"/>"
+"Поддерживаются следующие расширения: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
@@ -3437,12 +3448,12 @@ msgstr ""
 "check_upn_dns_info_ex')"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr "Параметры настройки записи сеансов"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -3458,32 +3469,32 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr "Эти параметры можно использовать для настройки записи сеансов."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr "scope (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr "«none»"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr "Пользователи не записываются."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr "«some»"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
@@ -3492,17 +3503,17 @@ msgstr ""
 "<replaceable>users</replaceable> и <replaceable>groups</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr "«all»"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr "Записываются все пользователи."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
@@ -3511,17 +3522,17 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr "По умолчанию: «none»"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr "users (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -3533,17 +3544,17 @@ msgstr ""
 "так далее."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr "По умолчанию: пусто. Не соответствует ни одному пользователю."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr "groups (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -3554,7 +3565,7 @@ msgstr ""
 "NSS, то есть после возможной замены пробелов, смены регистра и так далее."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -3567,17 +3578,17 @@ msgstr ""
 "установление соответствия групп, участником которых он является."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr "По умолчанию: пусто. Не соответствует ни одной группе."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 msgid "exclude_users (string)"
 msgstr "exclude_users (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
@@ -3586,17 +3597,17 @@ msgstr ""
 "применимо только при «scope=all»."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 msgid "Default: Empty. No users excluded."
 msgstr "По умолчанию: пусто. Не исключается ни один пользователь."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 msgid "exclude_groups (string)"
 msgstr "exclude_groups (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
@@ -3605,22 +3616,22 @@ msgstr ""
 "применимо только при «scope=all»."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 msgid "Default: Empty. No groups excluded."
 msgstr "По умолчанию: пусто. Не исключается ни одна группа."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr "РАЗДЕЛЫ ДОМЕНА"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr "enabled"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -3635,12 +3646,12 @@ msgstr ""
 "параметра domains в разделе <quote>[sssd]</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr "domain_type (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -3653,7 +3664,7 @@ msgstr ""
 "операционной системы доступны только объекты из доменов POSIX."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
@@ -3662,7 +3673,7 @@ msgstr ""
 "<quote>application</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -3674,7 +3685,7 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) и ответчика PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
@@ -3683,7 +3694,7 @@ msgstr ""
 "с <quote>id_provider=ldap</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
@@ -3692,17 +3703,17 @@ msgstr ""
 "<quote>Домены приложений</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr "По умолчанию: posix"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -3711,7 +3722,7 @@ msgstr ""
 "находящуюся вне указанного диапазона, она будет проигнорирована."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3725,7 +3736,7 @@ msgstr ""
 "группы, будут выведены в обычном режиме."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
@@ -3734,17 +3745,17 @@ msgstr ""
 "кэш, а не только на их возврат по имени или идентификатору."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "По умолчанию: 1 для min_id, 0 (без ограничений) для max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr "enumerate (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3757,22 +3768,22 @@ msgstr ""
 "вторичных групп. Этот параметр может иметь одно из следующих значений:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = пользователи и группы перечисляются"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = для этого домена не выполняется перечисление"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr "По умолчанию: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
@@ -3781,7 +3792,7 @@ msgstr ""
 "сохранить ВСЕ записи пользователей и групп с удалённого сервера."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3805,7 +3816,7 @@ msgstr ""
 "перезапущен внутренним сторожевым таймером."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -3814,7 +3825,7 @@ msgstr ""
 "или групп могут не вернуть результатов до момента завершения перечисления."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3828,7 +3839,7 @@ msgstr ""
 "идентификаторов (id_provider)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -3837,32 +3848,32 @@ msgstr ""
 "средах большого размера."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr "Выполнить перечисление для всех обнаруженных доверенных доменов"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr "Не выполнять перечисление для обнаруженных доверенных доменов"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3876,12 +3887,12 @@ msgstr ""
 "только для них."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -3890,7 +3901,7 @@ msgstr ""
 "действительными, прежде чем снова обратиться к внутреннему серверу"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3907,17 +3918,17 @@ msgstr ""
 "уже были кэшированы."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr "По умолчанию: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -3927,19 +3938,19 @@ msgstr ""
 "серверу"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr "По умолчанию: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -3948,12 +3959,12 @@ msgstr ""
 "действительными, прежде чем снова обратиться к внутреннему серверу"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -3962,12 +3973,12 @@ msgstr ""
 "групп действительными, прежде чем снова обратиться к внутреннему серверу"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -3976,12 +3987,12 @@ msgstr ""
 "действительными, прежде чем снова обратиться к внутреннему серверу"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr "entry_cache_resolver_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
@@ -3990,12 +4001,12 @@ msgstr ""
 "сетей действительными, прежде чем снова обратиться к внутреннему серверу"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -4004,12 +4015,12 @@ msgstr ""
 "действительными, прежде чем снова обратиться к внутреннему серверу"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -4019,12 +4030,12 @@ msgstr ""
 "внутреннему серверу"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr "entry_cache_ssh_host_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
@@ -4034,12 +4045,12 @@ msgstr ""
 "узла в кэше."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr "entry_cache_computer_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
@@ -4048,12 +4059,12 @@ msgstr ""
 "компьютера, прежде чем снова обратиться к внутреннему серверу"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
@@ -4062,7 +4073,7 @@ msgstr ""
 "обновления всех устаревших или почти устаревших записей."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -4076,18 +4087,18 @@ msgstr ""
 "пользователя в группах, обычно выполняется при запуске)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr "Этот параметр автоматически наследуется для всех доверенных доменов."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 "Рекомендуется установить это значение равным 3/4 * entry_cache_timeout."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -4108,37 +4119,37 @@ msgstr ""
 "существующего кэша."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr "По умолчанию: 0 (отключено)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "Определяет, следует ли также кэшировать учётные данные пользователя в "
 "локальном кэше LDB"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "Учётные данные пользователя хранятся в хэше SHA512, а не в виде простого "
 "текста"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr "cache_credentials_minimal_first_factor_length (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -4150,7 +4161,7 @@ msgstr ""
 "сохранён в формате контрольной суммы SHA512 в кэше."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
@@ -4160,12 +4171,12 @@ msgstr ""
 "мишенью для атак методом подбора."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -4178,17 +4189,17 @@ msgstr ""
 "быть больше или равно значению offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr "По умолчанию: 0 (без ограничений)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -4201,17 +4212,17 @@ msgstr ""
 "настроить поставщика данных проверки подлинности."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "По умолчанию: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr "id_provider (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -4219,12 +4230,12 @@ msgstr ""
 "Поддерживаемые поставщики ID:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr "<quote>proxy</quote>: поддержка устаревшего поставщика NSS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -4236,7 +4247,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -4247,8 +4258,8 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -4261,8 +4272,8 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4273,12 +4284,12 @@ msgstr ""
 "ad</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -4287,7 +4298,7 @@ msgstr ""
 "домена) в качестве имени для входа пользователя, которое сообщается NSS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -4301,7 +4312,7 @@ msgstr ""
 "passwd test@LOCAL</command> получится это сделать."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -4312,7 +4323,7 @@ msgstr ""
 "групп выполняется поиск во всех доменах, когда запрашивается неполное имя."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
@@ -4321,17 +4332,17 @@ msgstr ""
 "использования default_domain_suffix)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr "Не возвращать участников групп для поиска групп."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -4350,7 +4361,7 @@ msgstr ""
 "запрошенную группу так, как будто она пуста."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -4360,13 +4371,26 @@ msgstr ""
 "в группах у поставщика доступа (особенно для групп, содержащих большое "
 "количество участников)."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+"Этот параметр также может быть задан для каждого поддомена отдельно или "
+"унаследован с помощью <emphasis>subdomain_inherit</emphasis>."
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr "auth_provider (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -4375,7 +4399,7 @@ msgstr ""
 "Поддерживаемые поставщики данных для проверки подлинности:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4386,7 +4410,7 @@ msgstr ""
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4398,7 +4422,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
@@ -4406,12 +4430,12 @@ msgstr ""
 "PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> — явно отключить проверку подлинности."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -4420,12 +4444,12 @@ msgstr ""
 "задан и поддерживает обработку запросов проверки подлинности."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr "access_provider (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -4436,7 +4460,7 @@ msgstr ""
 "включены в установленные внутренние серверы). Внутренние особые поставщики:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -4445,12 +4469,12 @@ msgstr ""
 "разрешённого доступа для локального домена."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> — всегда отказывать в доступе."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -4463,7 +4487,7 @@ msgstr ""
 "<manvolnum>5</manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -4474,23 +4498,23 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 "<quote>proxy</quote> — передать управление доступом другому модулю PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr "По умолчанию: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -4499,7 +4523,7 @@ msgstr ""
 "домена. Поддерживаемые поставщики данных смены пароля:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -4510,7 +4534,7 @@ msgstr ""
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4521,19 +4545,19 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 "<quote>proxy</quote> — передать смену пароля какой-либо другой цели PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "<quote>none</quote> — явно запретить смену пароля."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -4542,19 +4566,19 @@ msgstr ""
 "задан и поддерживает обработку запросов смены пароля."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "Поставщик данных SUDO, который используется для домена. Поддерживаемые "
 "поставщики данных SUDO:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4565,7 +4589,7 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
@@ -4574,7 +4598,7 @@ msgstr ""
 "параметрами IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
@@ -4583,20 +4607,20 @@ msgstr ""
 "параметрами AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote> — явно отключить SUDO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "По умолчанию: использовать значение <quote>id_provider</quote>, если этот "
 "параметр задан."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -4614,7 +4638,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -4628,12 +4652,12 @@ msgstr ""
 "планируется использовать sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -4644,7 +4668,7 @@ msgstr ""
 "работы поставщика доступа. Поддерживаемые поставщики данных SELinux:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4655,12 +4679,12 @@ msgstr ""
 "ipa</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr "<quote>none</quote> — явно отключает получение параметров SELinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -4669,12 +4693,12 @@ msgstr ""
 "задан и поддерживает обработку запросов загрузки параметров SELinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -4684,7 +4708,7 @@ msgstr ""
 "Поддерживаемые поставщики данных поддоменов:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4695,7 +4719,7 @@ msgstr ""
 "ipa</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -4708,17 +4732,17 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr "<quote>none</quote> — явно отключает получение данных поддоменов."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr "session_provider (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -4730,14 +4754,14 @@ msgstr ""
 "Commander (работает только c IPA). Поддерживаемые поставщики данных сеансов:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 "<quote>ipa</quote> — разрешить выполнение заданий, связанных с сеансами "
 "пользователей."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
@@ -4745,7 +4769,7 @@ msgstr ""
 "пользователей."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
@@ -4754,7 +4778,7 @@ msgstr ""
 "задан и поддерживает выполнение заданий, связанных с сеансами."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
@@ -4764,12 +4788,12 @@ msgstr ""
 "пользователя без привилегий."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -4777,7 +4801,7 @@ msgstr ""
 "поставщики данных autofs:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4788,7 +4812,7 @@ msgstr ""
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4799,7 +4823,7 @@ msgstr ""
 "ipa</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4811,17 +4835,17 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> — явно отключить autofs."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -4830,7 +4854,7 @@ msgstr ""
 "узла. Поддерживаемые поставщики hostid:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4842,17 +4866,17 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> — явно отключить hostid."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr "resolver_provider (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
@@ -4861,7 +4885,7 @@ msgstr ""
 "Поддерживаемые поставщики данных сопоставления:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
@@ -4870,7 +4894,7 @@ msgstr ""
 "NSS. См. <quote>proxy_resolver_lib_name</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -4882,7 +4906,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -4895,12 +4919,12 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr "<quote>none</quote> — явно отключает получение записей узлов и сетей."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -4915,7 +4939,7 @@ msgstr ""
 "домена."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -4928,22 +4952,22 @@ msgstr ""
 "назначать три разных стиля записи имён пользователей:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr "username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr "username@domain.name"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr "domain\\username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -4952,7 +4976,7 @@ msgstr ""
 "обеспечения простой интеграции пользователей из доменов Windows."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -4963,17 +4987,17 @@ msgstr ""
 "quote>, домен — всё, что идёт после этого знака»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "По умолчанию: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -4982,46 +5006,46 @@ msgstr ""
 "следует использовать при выполнении запросов DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr "Поддерживаемые значения:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first: попытаться найти адрес IPv4, в случае неудачи попытаться найти "
 "адрес IPv6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr "ipv4_only: пытаться разрешать имена узлов только в адреса IPv4"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first: попытаться найти адрес IPv6, в случае неудачи попытаться найти "
 "адрес IPv4"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr "ipv6_only: пытаться разрешать имена узлов только в адреса IPv6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr "По умолчанию: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 msgid "dns_resolver_server_timeout (integer)"
 msgstr "dns_resolver_server_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
@@ -5031,7 +5055,7 @@ msgstr ""
 "следующему."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
@@ -5039,8 +5063,7 @@ msgstr ""
 "времени проверки связи CLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
@@ -5049,34 +5072,38 @@ msgstr ""
 "<quote>ОБРАБОТКА ОТКАЗА</quote>."
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr "По умолчанию: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 msgid "dns_resolver_op_timeout (integer)"
 msgstr "dns_resolver_op_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
+#, fuzzy
+#| msgid ""
+#| "Defines the amount of time (in seconds) to wait to resolve single DNS "
+#| "query (e.g. resolution of a hostname or an SRV record)  before try next "
+#| "hostname or DNS discovery."
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 "Определяет количество времени (в секундах), в течение которого будет "
 "ожидаться разрешение одного запроса DNS (например, разрешение имени узла или "
 "записи SRV) перед переходом к следующему имени узла или домену обнаружения."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -5089,12 +5116,12 @@ msgstr ""
 "работу в автономном режиме."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -5103,54 +5130,54 @@ msgstr ""
 "доменную часть запроса обнаружения служб DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr "По умолчанию: использовать доменную часть имени узла компьютера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr "override_gid (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr "Переопределить значение основного GID указанным значением."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr "case_sensitive (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr "True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 "С учётом регистра. Это значение не является корректным для поставщика данных "
 "AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr "False"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr "Без учёта регистра."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr "Preserving"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -5162,7 +5189,7 @@ msgstr ""
 "регистр в выведенных данных."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
@@ -5172,7 +5199,7 @@ msgstr ""
 "на сервере."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
@@ -5181,26 +5208,17 @@ msgstr ""
 "значения: <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-"Этот параметр также может быть задан для каждого поддомена отдельно или "
-"унаследован с помощью <emphasis>subdomain_inherit</emphasis>."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr "По умолчанию: True (False для поставщика данных AD)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr "subdomain_inherit (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -5212,51 +5230,128 @@ msgstr ""
 "параметров:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
-msgstr "ignore_group_members"
+#: sssd.conf.5.xml:3695
+#, fuzzy
+#| msgid "ldap_search_timeout (integer)"
+msgid "ldap_search_timeout"
+msgstr "ldap_search_timeout (целое число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+#, fuzzy
+#| msgid "ldap_network_timeout (integer)"
+msgid "ldap_network_timeout"
+msgstr "ldap_network_timeout (целое число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+#, fuzzy
+#| msgid "ldap_opt_timeout (integer)"
+msgid "ldap_opt_timeout"
+msgstr "ldap_opt_timeout (целое число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+#, fuzzy
+#| msgid "ldap_connection_idle_timeout"
+msgid "ldap_offline_timeout"
+msgstr "ldap_connection_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3707
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_timeout"
+msgstr "ldap_enumeration_refresh_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3710
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_offset"
+msgstr "ldap_enumeration_refresh_timeout (целое число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+#, fuzzy
+#| msgid "ldap_purge_cache_timeout"
+msgid "ldap_purge_cache_offset"
+msgstr "ldap_purge_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+"ldap_krb5_keytab (будет использоваться значение krb5_keytab, если параметр "
+"ldap_krb5_keytab не задан явно)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+#, fuzzy
+#| msgid "ldap_krb5_ticket_lifetime (integer)"
+msgid "ldap_krb5_ticket_lifetime"
+msgstr "ldap_krb5_ticket_lifetime (целое число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+#, fuzzy
+#| msgid "ldap_enumeration_search_timeout (integer)"
+msgid "ldap_enumeration_search_timeout"
+msgstr "ldap_enumeration_search_timeout (целое число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+#, fuzzy
+#| msgid "ldap_connection_idle_timeout"
+msgid "ldap_connection_expire_timeout"
+msgstr "ldap_connection_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+#, fuzzy
+#| msgid "ldap_connection_expire_offset (integer)"
+msgid "ldap_connection_expire_offset"
+msgstr "ldap_connection_expire_offset (целое число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 msgid "ldap_connection_idle_timeout"
 msgstr "ldap_connection_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr "ldap_user_principal"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
-msgstr ""
-"ldap_krb5_keytab (будет использоваться значение krb5_keytab, если параметр "
-"ldap_krb5_keytab не задан явно)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
+msgstr "ignore_group_members"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr "auto_private_groups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr "case_sensitive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -5266,28 +5361,28 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 "Примечание: этот параметр работает только для поставщиков данных IPA и AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "плоское (NetBIOS) имя поддомена."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -5303,7 +5398,7 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
@@ -5311,29 +5406,29 @@ msgstr ""
 "<emphasis>override_homedir</emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "По умолчанию: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 "Различные метки, сохранённые службой настройки realmd для этого домена."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr "cached_auth_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -5347,7 +5442,7 @@ msgstr ""
 "сетевом режиме."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
@@ -5357,12 +5452,12 @@ msgstr ""
 "значения."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr "Специальное значение «0» подразумевает, что эта возможность отключена."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -5373,17 +5468,17 @@ msgstr ""
 "обработки <quote>initgroups.</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr "auto_private_groups (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr "true"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
@@ -5392,7 +5487,7 @@ msgstr ""
 "UID пользователя. Номер GID в этом случае игнорируется."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -5406,12 +5501,12 @@ msgstr ""
 "пространстве идентификаторов."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr "false"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
@@ -5420,12 +5515,12 @@ msgstr ""
 "ссылаться на объект группы в базе данных LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr "hybrid"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -5440,7 +5535,7 @@ msgstr ""
 "основной GID этого пользователя разрешается в этот объект группы."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
@@ -5449,7 +5544,7 @@ msgstr ""
 "группы; в ином случае GID просто будет невозможно разрешить."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -5460,7 +5555,7 @@ msgstr ""
 "сохранить существующие закрытые группы пользователей."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
@@ -5469,7 +5564,7 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
@@ -5479,7 +5574,7 @@ msgstr ""
 "поддоменов, которые используют автоматическое сопоставление идентификаторов."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -5489,7 +5584,7 @@ msgstr ""
 "auto_private_groups = false\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -5501,7 +5596,7 @@ msgstr ""
 "auto_private_groups = false\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -5515,7 +5610,7 @@ msgstr ""
 "type=\"programlisting\" id=\"1\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -5526,17 +5621,17 @@ msgstr ""
 "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr "Цель, которой пересылает данные прокси PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -5545,12 +5640,12 @@ msgstr ""
 "конфигурацией PAM или создать новую и добавить здесь имя службы."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -5561,12 +5656,12 @@ msgstr ""
 "_nss_$(libName)_$(function), например: _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr "proxy_resolver_lib_name (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -5577,12 +5672,12 @@ msgstr ""
 "вид _nss_$(libName)_$(function), например: _nss_dns_gethostbyname2_r."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -5596,12 +5691,12 @@ msgstr ""
 "идентификатора в кэше в целях ускорения предоставления результатов."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr "proxy_max_children (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -5613,7 +5708,7 @@ msgstr ""
 "постановки запросов в очередь."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -5622,12 +5717,12 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr "Домены приложений"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -5656,7 +5751,7 @@ msgstr ""
 "традиционного домена SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -5667,17 +5762,17 @@ msgstr ""
 "порядок поиска для домена приложений и его родственного домена POSIX."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr "Параметры доменов приложений"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr "inherit_from (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -5690,7 +5785,7 @@ msgstr ""
 "<quote>родственного</quote> домена."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -5705,7 +5800,7 @@ msgstr ""
 "атрибут phone доступным через интерфейс D-Bus."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -5739,12 +5834,12 @@ msgstr ""
 "ldap_user_extra_attrs = phone:telephoneNumber\n"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr "РАЗДЕЛ ДОВЕРЕННЫХ ДОМЕНОВ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -5762,57 +5857,57 @@ msgstr ""
 "поддерживаются следующие параметры:"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr "ldap_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr "ldap_user_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr "ldap_group_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr "ldap_netgroup_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr "ldap_service_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr "ldap_sasl_mech,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr "ad_server,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr "ad_backup_server,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr "ad_site,"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr "use_fully_qualified_names"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
@@ -5821,12 +5916,12 @@ msgstr ""
 "справочной странице."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr "РАЗДЕЛ СОПОСТАВЛЕНИЯ СЕРТИФИКАТОВ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -5849,7 +5944,7 @@ msgstr ""
 "проверки подлинности."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -5860,7 +5955,7 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>)."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -5873,12 +5968,12 @@ msgstr ""
 "replaceable>]</quote>. В этом разделе допустимы следующие параметры:"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr "matchrule (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
@@ -5887,7 +5982,7 @@ msgstr ""
 "соответствуют этому правилу. Все остальные будут игнорироваться."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
@@ -5897,17 +5992,17 @@ msgstr ""
 "<quote>clientAuth</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr "maprule (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr "Определяет способ поиска пользователя для указанного сертификата."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
@@ -5917,7 +6012,7 @@ msgstr ""
 "quote>."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
@@ -5926,12 +6021,12 @@ msgstr ""
 "пользователя с таким же именем."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr "domains (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -5944,17 +6039,17 @@ msgstr ""
 "параметра можно добавить правило также и в поддомены."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr "По умолчанию: настроенный домен в sssd.conf"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr "priority (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -5965,12 +6060,12 @@ msgstr ""
 "приоритет, а <quote>4294967295</quote> — самый низкий."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr "По умолчанию: самый низкий приоритет"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
@@ -5980,7 +6075,7 @@ msgstr ""
 "свойства:"
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
@@ -5989,7 +6084,7 @@ msgstr ""
 "RULE_NAME"
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -6002,17 +6097,17 @@ msgstr ""
 "<quote>({subject_rfc822_name.short_name})</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr "параметр <quote>domains</quote> игнорируется"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr "РАЗДЕЛ НАСТРОЙКИ ЗАПРОСОВ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -6027,7 +6122,7 @@ msgstr ""
 "запросит у пользователя соответствующие учётные данные."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -6040,22 +6135,22 @@ msgstr ""
 "Следующие параметры обеспечивают более гибкую настройку."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr "[prompting/password]"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr "password_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr "изменить строку запроса пароля"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
@@ -6064,37 +6159,37 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr "[prompting/2fa]"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr "first_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr "изменить строку запроса первого фактора"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr "second_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr "изменить строку запроса второго фактора"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr "single_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -6107,7 +6202,7 @@ msgstr ""
 "фактора, даже если второй фактор является необязательным."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -6120,7 +6215,7 @@ msgstr ""
 "пароль, либо оба фактора, следует использовать двухэтапный запрос."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -6133,7 +6228,7 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"1\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -6144,12 +6239,12 @@ msgstr ""
 "конкретно для этой службы."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr "ПРИМЕРЫ"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -6203,7 +6298,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -6215,7 +6310,7 @@ msgstr ""
 "документации. <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -6225,7 +6320,7 @@ msgstr ""
 "use_fully_qualified_names = false\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -6242,7 +6337,7 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -6264,7 +6359,7 @@ msgstr ""
 "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$&lt;SUBJECT&gt;^CN=User.Name,DC=MY,DC=DOMAIN$\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -6350,7 +6445,7 @@ msgstr ""
 "конфигурации  <quote>ldap_access_filter</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -6473,7 +6568,7 @@ msgstr ""
 "http://www.ietf.org/rfc/rfc2254.txt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr "Примеры:"
@@ -6729,12 +6824,12 @@ msgstr ""
 "перечисленных записей."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -6745,7 +6840,7 @@ msgstr ""
 "выполняли вход) и удалять эти записи для экономии места."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -6759,12 +6854,12 @@ msgstr ""
 "включено."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -6776,7 +6871,7 @@ msgstr ""
 "SSSD. Если используется схема RFC2307, этот параметр ни на что не влияет."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -6793,7 +6888,7 @@ msgstr ""
 "исходного поиска, когда он будет выполнен повторно."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -6809,12 +6904,12 @@ msgstr ""
 "для ограничения вложенности групп."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr "По умолчанию: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
@@ -6824,24 +6919,24 @@ msgstr ""
 "выше."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr "По умолчанию: True для AD и IPA, в ином случае — False."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr "ldap_host_search_base (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 "Необязательный параметр. Использовать указанную строку как базу поиска "
 "объектов узлов."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -6851,32 +6946,32 @@ msgstr ""
 "<quote>ldap_search_base</quote>."
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "По умолчанию: значение <emphasis>ldap_search_base</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr "ldap_iphost_search_base (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr "ldap_ipnetwork_search_base (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -6887,7 +6982,7 @@ msgstr ""
 "результаты (и выполнен переход в автономный режим)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -6897,12 +6992,12 @@ msgstr ""
 "его заменит ряд тайм-аутов для отдельных типов поиска."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -6914,12 +7009,12 @@ msgstr ""
 "автономный режим)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -6936,12 +7031,12 @@ msgstr ""
 "<manvolnum>2</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -6955,12 +7050,12 @@ msgstr ""
 "расширенного действия по смене пароля и действия StartTLS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -6974,7 +7069,7 @@ msgstr ""
 "значений (значение этого параметра или значение времени жизни TGT)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -6992,7 +7087,7 @@ msgstr ""
 "<emphasis>ldap_connection_expire_timeout &lt;= ldap_opt_timout</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
@@ -7001,17 +7096,17 @@ msgstr ""
 "параметра <emphasis>ldap_connection_expire_offset</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr "По умолчанию: 900 (15 минут)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr "ldap_connection_expire_offset (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
@@ -7020,12 +7115,12 @@ msgstr ""
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr "ldap_connection_idle_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -7036,17 +7131,17 @@ msgstr ""
 "бездействует дольше этого времени, соединение будет закрыто."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr "Можно отключить этот тайм-аут, установив значение «0»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
@@ -7056,12 +7151,12 @@ msgstr ""
 "количества на один запрос."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -7073,7 +7168,7 @@ msgstr ""
 "работает надлежащим образом."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
@@ -7083,7 +7178,7 @@ msgstr ""
 "RootDSE, но не смогут использовать его."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -7095,17 +7190,17 @@ msgstr ""
 "привести к отказам в выполнении некоторых из них."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr "ldap_disable_range_retrieval (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr "Отключить получение диапазонов Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -7121,12 +7216,12 @@ msgstr ""
 "большие группы будут показаны как группы без участников."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -7137,19 +7232,19 @@ msgstr ""
 "Значение этого параметра определяется OpenLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 "По умолчанию: использовать стандартное системное значение (обычно "
 "указывается в ldap.conf)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr "ldap_sasl_maxssf (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -7160,12 +7255,12 @@ msgstr ""
 "Значение этого параметра определяется OpenLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -7177,7 +7272,7 @@ msgstr ""
 "для каждого из них по отдельности."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -7194,7 +7289,7 @@ msgstr ""
 "поддерживает его и объявляет управление разыменованием в объекте rootDSE."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -7207,7 +7302,7 @@ msgstr ""
 "OpenLDAP и Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -7218,12 +7313,12 @@ msgstr ""
 "независимо от значения этого параметра."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr "ldap_ignore_unreadable_references (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -7235,7 +7330,7 @@ msgstr ""
 "игнорирования нечитаемой записи."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -7247,12 +7342,12 @@ msgstr ""
 "безопасности."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -7261,7 +7356,7 @@ msgstr ""
 "в сеансе TLS, если это требуется. Можно указать одно из следующих значений:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -7270,7 +7365,7 @@ msgstr ""
 "сертификаты сервера."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -7282,7 +7377,7 @@ msgstr ""
 "продолжится в обычном режиме."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -7293,7 +7388,7 @@ msgstr ""
 "предоставлен ошибочный сертификат, сеанс немедленно будет завершён."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -7304,22 +7399,22 @@ msgstr ""
 "немедленно будет завершён."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> = аналогично <quote>demand</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr "По умолчанию: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -7328,7 +7423,7 @@ msgstr ""
 "сертификации, которые распознаются <command>sssd</command>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -7337,12 +7432,12 @@ msgstr ""
 "хранятся в <filename>/etc/openldap/ldap.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -7355,32 +7450,32 @@ msgstr ""
 "использовать команду <command>cacertdir_rehash</command>, если она доступна."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr "Позволяет указать файл, который содержит сертификат для ключа клиента."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr "Позволяет указать файл, который содержит ключ клиента."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -7392,12 +7487,12 @@ msgstr ""
 "<manvolnum>5</manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
@@ -7406,12 +7501,12 @@ msgstr ""
 "<systemitem class=\"protocol\">tls</systemitem> для защиты канала."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -7423,19 +7518,19 @@ msgstr ""
 "ldap_group_gid_number."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 "В настоящее время эта функциональная возможность поддерживает только "
 "сопоставление objectSID Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr "ldap_min_id, ldap_max_id (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -7455,17 +7550,17 @@ msgstr ""
 "другие диапазоны для сопоставления идентификаторов."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr "По умолчанию: не задано (оба параметра установлены в значение 0)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
@@ -7474,7 +7569,7 @@ msgstr ""
 "время протестированы и поддерживаются только GSSAPI и GSS-SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -7492,12 +7587,12 @@ msgstr ""
 "manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -7517,7 +7612,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -7537,17 +7632,17 @@ msgstr ""
 "найдены, возвращается первый участник из таблицы ключей."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr "По умолчанию: host/hostname@REALM"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -7558,17 +7653,17 @@ msgstr ""
 "ldap_sasl_authid также содержит область, этот параметр игнорируется."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr "По умолчанию: значение krb5_realm."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
@@ -7578,36 +7673,36 @@ msgstr ""
 "привязки SASL."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr "По умолчанию: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 "Позволяет указать таблицу ключей, которую следует использовать при "
 "использовании проверки подлинности с помощью SASL/GSSAPI/GSS-SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "По умолчанию: системная таблица ключей, обычно <filename>/etc/krb5.keytab</"
 "filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -7618,12 +7713,12 @@ msgstr ""
 "используется SASL и выбран механизм GSSAPI или GSS-SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
@@ -7631,17 +7726,17 @@ msgstr ""
 "GSS-SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr "По умолчанию: 86400 (24 часа)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -7660,7 +7755,7 @@ msgstr ""
 "сведения доступны в разделе <quote>ОБНАРУЖЕНИЕ СЛУЖБ</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -7672,7 +7767,7 @@ msgstr ""
 "в которых в качестве протокола указан _tcp."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -7683,31 +7778,31 @@ msgstr ""
 "перейти на использование <quote>krb5_server</quote> в файлах конфигурации."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 "Позволяет указать область Kerberos (для проверки подлинности с помощью SASL/"
 "GSSAPI/GSS-SPNEGO)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 "По умолчанию: стандартные параметры системы, см. <filename>/etc/krb5.conf</"
 "filename>"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
@@ -7717,12 +7812,12 @@ msgstr ""
 ">= 1.7"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr "krb5_use_kdcinfo (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -7737,7 +7832,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -7748,12 +7843,12 @@ msgstr ""
 "<manvolnum>8</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -7762,7 +7857,7 @@ msgstr ""
 "клиента. Допускаются следующие значения:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -7771,7 +7866,7 @@ msgstr ""
 "параметра нельзя отключить политики паролей на стороне сервера."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -7779,12 +7874,12 @@ msgid ""
 "\"ldap_chpass_update_last_change\" as well."
 msgstr ""
 "<emphasis>shadow</emphasis> — использовать атрибуты в стиле "
-"<citerefentry><refentrytitle>shadow</refentrytitle> "
-"<manvolnum>5</manvolnum></citerefentry> для проверки того, не истёк ли срок "
-"действия пароля. См. также опцию «ldap_chpass_update_last_change»."
+"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> для проверки того, не истёк ли срок действия "
+"пароля. См. также опцию «ldap_chpass_update_last_change»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -7796,7 +7891,7 @@ msgstr ""
 "chpass_provider=krb5."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
@@ -7806,18 +7901,18 @@ msgstr ""
 "этого параметра."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 "Позволяет указать, следует ли включить автоматическое прослеживание ссылок."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -7826,7 +7921,7 @@ msgstr ""
 "случае, если сервис собран с OpenLDAP версии 2.4.13 или выше."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -7848,29 +7943,29 @@ msgstr ""
 "домена AD, это не позволило бы получить дополнительные данные."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "Позволяет указать имя службы, которое будет использоваться, когда включено "
 "обнаружение служб."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr "По умолчанию: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -7879,17 +7974,17 @@ msgstr ""
 "менять пароль, когда включено обнаружение служб."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr "По умолчанию: не задано, то есть обнаружение служб отключено"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
@@ -7898,25 +7993,25 @@ msgstr ""
 "данными о количестве дней с момента выполнения действия по смены пароля."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
 "shadowLastChange LDAP attribute automatically after a password change or if "
 "SSSD has to update it."
 msgstr ""
-"Рекомендуется установить этот параметр явно, если используется «"
-"ldap_pwd_policy = shadow», чтобы сообщить SSSD, будет ли сервер LDAP "
+"Рекомендуется установить этот параметр явно, если используется "
+"«ldap_pwd_policy = shadow», чтобы сообщить SSSD, будет ли сервер LDAP "
 "автоматически обновлять атрибут shadowLastChange LDAP после смены пароля или "
 "SSSD должен обновить его."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -7945,12 +8040,12 @@ msgstr ""
 "refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr "Пример:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -7962,7 +8057,7 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
@@ -7971,7 +8066,7 @@ msgstr ""
 "атрибут employeeType которых установлен в значение «admin»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -7986,17 +8081,17 @@ msgstr ""
 "в автономном режиме."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr "По умолчанию: пусто"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -8005,7 +8100,7 @@ msgstr ""
 "доступом на стороне клиента."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -8016,12 +8111,12 @@ msgstr ""
 "соответствующим кодом ошибки, даже если пароль верен."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr "Допускаются следующие значения:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -8030,7 +8125,7 @@ msgstr ""
 "для определения того, не истёк ли срок действия учётной записи."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -8043,7 +8138,7 @@ msgstr ""
 "не истёк ли срок действия учётной записи."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -8054,7 +8149,7 @@ msgstr ""
 "разрешён ли доступ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -8067,7 +8162,7 @@ msgstr ""
 "Если все атрибуты отсутствуют, доступ предоставляется."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -8078,24 +8173,24 @@ msgstr ""
 "использовать параметр ldap_account_expire_policy."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "Разделённый запятыми список параметров управления доступом. Допустимые "
 "значения:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filter</emphasis>: использовать ldap_access_filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -8111,7 +8206,7 @@ msgstr ""
 "«access_provider = ldap»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
@@ -8121,7 +8216,7 @@ msgstr ""
 "следующей версии.  </emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -8144,12 +8239,12 @@ msgstr ""
 "возможности необходимо задать «access_provider = ldap»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr "<emphasis>expire</emphasis>: использовать ldap_account_expire_policy"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -8163,7 +8258,7 @@ msgstr ""
 "и для проверки подлинности используются не пароли, а, например, ключи SSH."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -8179,7 +8274,7 @@ msgstr ""
 "пароль."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
@@ -8187,7 +8282,7 @@ msgstr ""
 "поступит запрос с явным уведомлением."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
@@ -8197,7 +8292,7 @@ msgstr ""
 "паролей в качестве значения параметра «ldap_pwd_policy»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -8206,14 +8301,14 @@ msgstr ""
 "authorizedService для определения возможности доступа"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 "<emphasis>host</emphasis>: использовать атрибут host для определения "
 "возможности доступа"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
@@ -8222,7 +8317,7 @@ msgstr ""
 "возможности доступа удалённого узла"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
@@ -8232,12 +8327,12 @@ msgstr ""
 "прежде чем включать этот параметр управления доступом"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr "По умолчанию: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
@@ -8246,12 +8341,12 @@ msgstr ""
 "ошибкой конфигурации."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr "ldap_pwdlockout_dn (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -8264,22 +8359,22 @@ msgstr ""
 "невозможности надлежащим образом проверить атрибуты ppolicy на сервере LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr "Пример: cn=ppolicy,ou=policies,dc=example,dc=com"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr "По умолчанию: cn=ppolicy,ou=policies,$ldap_search_base"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -8288,12 +8383,12 @@ msgstr ""
 "выполнении поиска. Допустимые варианты:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr "<emphasis>never</emphasis>: разыменование псевдонимов не выполняется."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -8303,7 +8398,7 @@ msgstr ""
 "объекта поиска."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -8312,7 +8407,7 @@ msgstr ""
 "при определении расположения базового объекта поиска."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -8321,7 +8416,7 @@ msgstr ""
 "поиске, так и при определении расположения базового объекта поиска."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -8330,12 +8425,12 @@ msgstr ""
 "клиентскими библиотеками LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
@@ -8344,7 +8439,7 @@ msgstr ""
 "серверов, которые используют схему RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -8361,7 +8456,7 @@ msgstr ""
 "информацию о пользователе через вызовы getpw*() или initgroups()."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -8373,12 +8468,12 @@ msgstr ""
 "группами LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr "wildcard_limit (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
@@ -8387,24 +8482,24 @@ msgstr ""
 "поиска с использованием подстановочных знаков."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 "В настоящее время только ответчик InfoPipe поддерживает поиск с "
 "использованием подстановочных знаков."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr "По умолчанию: 1000 (часто размер одной страницы)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 msgid "ldap_library_debug_level (integer)"
 msgstr "ldap_library_debug_level (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
@@ -8413,7 +8508,7 @@ msgstr ""
 "записываются независимо от общего debug_level."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
@@ -8422,7 +8517,7 @@ msgstr ""
 "компонентов, -1 включает полный отладочный вывод."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr "По умолчанию: 0 (отладка libldap отключена)"
 
@@ -8447,12 +8542,12 @@ msgstr ""
 "</citerefentry>. <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr "ПАРАМЕТРЫ SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -8463,12 +8558,12 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
@@ -8477,7 +8572,7 @@ msgstr ""
 "загружаются все правила, которые хранятся на сервере)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
@@ -8486,7 +8581,7 @@ msgstr ""
 "<emphasis>ldap_sudo_smart_refresh_interval </emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
@@ -8495,17 +8590,17 @@ msgstr ""
 "Но должно быть включено либо интеллектуальное, либо полное обновление."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr "По умолчанию: 21600 (6 часов)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -8517,7 +8612,7 @@ msgstr ""
 "в настоящее время известно SSSD)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
@@ -8526,7 +8621,7 @@ msgstr ""
 "modifyTimestamp."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -8542,7 +8637,7 @@ msgstr ""
 "<emphasis>ldap_connection_expire_timeout</emphasis>)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
@@ -8552,12 +8647,12 @@ msgstr ""
 "обновление."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 msgid "ldap_sudo_random_offset (integer)"
 msgstr "ldap_sudo_random_offset (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -8568,7 +8663,7 @@ msgstr ""
 "периодического задания. Значение указывается в секундах."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -8579,17 +8674,17 @@ msgstr ""
 "время, в течение которого правила sudo недоступны для использования."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr "Можно отключить эту задержку, установив значение «0»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
@@ -8599,12 +8694,12 @@ msgstr ""
 "адресов узлов/сетей в формате IPv4 или IPv6)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
@@ -8613,7 +8708,7 @@ msgstr ""
 "следует использовать для фильтрации правил."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
@@ -8622,8 +8717,8 @@ msgstr ""
 "обнаружить имя узла и полное доменное имя."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
@@ -8632,17 +8727,17 @@ msgstr ""
 "<emphasis>false</emphasis>, этот параметр ни на что не влияет."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr "По умолчанию: не указано"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
@@ -8651,7 +8746,7 @@ msgstr ""
 "следует использовать для фильтрации правил."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
@@ -8660,12 +8755,12 @@ msgstr ""
 "обнаружить адреса."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "ldap_sudo_include_netgroups (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
@@ -8674,12 +8769,12 @@ msgstr ""
 "правила, которые содержат сетевую группу в атрибуте sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
@@ -8688,7 +8783,7 @@ msgstr ""
 "правила, которые содержат подстановочный знак в атрибуте sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
@@ -8697,7 +8792,7 @@ msgstr ""
 "операция на стороне сервера LDAP!"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -8710,12 +8805,12 @@ msgstr ""
 "refentrytitle><manvolnum>5</manvolnum> </citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr "ПАРАМЕТРЫ AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
@@ -8724,47 +8819,47 @@ msgstr ""
 "схемы LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr "ldap_autofs_map_master_name (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr "Имя основной карты автоматического монтирования в LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr "По умолчанию: auto.master"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr "ДОПОЛНИТЕЛЬНЫЕ ПАРАМЕТРЫ"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr "<note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -8777,22 +8872,22 @@ msgstr ""
 "эту возможность, если имена групп отображаются некорректно."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr "</note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -8805,14 +8900,14 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"1\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr "ПРИМЕР"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -8823,7 +8918,7 @@ msgstr ""
 "<replaceable>[domains]</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -8843,20 +8938,20 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr "ПРИМЕР ФИЛЬТРА ДОСТУПА LDAP"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
@@ -8865,7 +8960,7 @@ msgstr ""
 "используется ldap_access_order=lockout."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -8891,13 +8986,13 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "ПРИМЕЧАНИЯ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -10194,7 +10289,7 @@ msgstr ""
 "группы не обрабатываются."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -11456,7 +11551,7 @@ msgstr ""
 "домене IPA. Имя узла должно быть полным."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr "dyndns_update (логическое значение)"
 
@@ -11476,7 +11571,7 @@ msgstr ""
 "<quote>dyndns_iface</quote> не указано иное."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -11498,12 +11593,12 @@ msgstr ""
 "конфигурации."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr "dyndns_ttl (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -11532,12 +11627,12 @@ msgid "Default: 1200 (seconds)"
 msgstr "По умолчанию: 1200 (секунд)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr "dyndns_iface (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -11572,17 +11667,17 @@ msgstr ""
 "подключения LDAP IPA"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr "Пример: dyndns_iface = em1, vnet1, vnet2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr "dyndns_auth (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -11593,17 +11688,17 @@ msgstr ""
 "отправлять, установив этот параметр в значение «none»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr "По умолчанию: GSS-TSIG"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 msgid "dyndns_auth_ptr (string)"
 msgstr "dyndns_auth_ptr (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -11614,7 +11709,7 @@ msgstr ""
 "отправлять, установив этот параметр в значение «none»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr "По умолчанию: то же, что и dyndns_auth"
 
@@ -11624,7 +11719,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr "ipa_enable_dns_sites (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr "Включить сайты DNS — обнаружение служб по расположению."
 
@@ -11650,7 +11745,7 @@ msgstr ""
 "использоваться в качестве резервных"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr "dyndns_refresh_interval (целое число)"
 
@@ -11668,12 +11763,12 @@ msgstr ""
 "«true»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr "dyndns_update_ptr (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -11698,12 +11793,12 @@ msgid "Default: False (disabled)"
 msgstr "По умолчанию: false (отключено)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr "dyndns_force_tcp (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
@@ -11712,17 +11807,17 @@ msgstr ""
 "с сервером DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr "По умолчанию: false (разрешить nsupdate выбрать протокол)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr "dyndns_server (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
@@ -11732,7 +11827,7 @@ msgstr ""
 "параметра."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
@@ -11741,7 +11836,7 @@ msgstr ""
 "отличается от сервера данных идентификации."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
@@ -11751,17 +11846,17 @@ msgstr ""
 "использованием автоматически определённых параметров завершилась неудачей."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr "По умолчанию: none (разрешить nsupdate выбрать сервер)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr "dyndns_update_per_family (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -11914,12 +12009,12 @@ msgstr ""
 "DN, которое следует использовать для выполнения действий LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr "krb5_confd_path (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
@@ -11928,7 +12023,7 @@ msgstr ""
 "конфигурации Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
@@ -11937,7 +12032,7 @@ msgstr ""
 "значение «none»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -11960,7 +12055,7 @@ msgstr ""
 "короткое время поступает много запросов на профили рабочего стола."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr "По умолчанию: 5 (секунд)"
 
@@ -12650,13 +12745,48 @@ msgstr ""
 "никогда не учитывается поставщиком данных AD в целях обеспечения "
 "совместимости с реализацией LDAP Active Directory."
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+#, fuzzy
+#| msgid ""
+#| "If this option is set to <quote>true</quote> SSSD will not filter out "
+#| "Domain Local groups from remote domains in the AD forest. By default they "
+#| "are filtered out e.g. when following a nested group hierarchy in remote "
+#| "domains because they are not valid in the local domain. To be compatible "
+#| "with other solutions which make AD users and groups available on Linux "
+#| "client this option was added."
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+"Если этот параметр установлен в значение <quote>true</quote>, SSSD не будет "
+"отфильтровывать группы, локальные в домене, в удалённых доменах в лесу AD. "
+"По умолчанию они отфильтровываются (например, при следовании по иерархии "
+"вложенных групп в удалённых доменах), так не являются действительными в "
+"локальном домене. Этот параметр был добавлен для обеспечения совместимости с "
+"другими решениями, которые делают пользователей и группы AD доступными на "
+"клиенте Linux."
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr "ad_domain (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
@@ -12665,7 +12795,7 @@ msgstr ""
 "не указано, используется имя домена в конфигурации."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
@@ -12674,7 +12804,7 @@ msgstr ""
 "полной версии имени домена Active Directory в нижнем регистре."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
@@ -12683,12 +12813,12 @@ msgstr ""
 "автоматически определяется SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr "ad_enabled_domains (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -12699,7 +12829,7 @@ msgstr ""
 "списке. Если параметр не задан, будут доступны все домены из леса AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -12709,7 +12839,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -12720,7 +12850,7 @@ msgstr ""
 "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
@@ -12729,12 +12859,12 @@ msgstr ""
 "будет автоматически определено SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -12746,7 +12876,7 @@ msgstr ""
 "quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
@@ -12756,7 +12886,7 @@ msgstr ""
 "разделе <quote>ОБНАРУЖЕНИЕ СЛУЖБ</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
@@ -12765,12 +12895,12 @@ msgstr ""
 "даже если в параметре ad_server явно определён основной сервер."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -12783,7 +12913,7 @@ msgstr ""
 "параметр."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -12794,12 +12924,12 @@ msgstr ""
 "соответствовать имени узла, для которого была выпущена таблица ключей."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr "ad_enable_dns_sites (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -12817,12 +12947,12 @@ msgstr ""
 "и при обнаружении сайтов."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr "ad_access_filter (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -12836,7 +12966,7 @@ msgstr ""
 "<quote>ad</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -12849,7 +12979,7 @@ msgstr ""
 "quote> или <quote>FOREST</quote>, а также оно может отсутствовать."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -12863,7 +12993,7 @@ msgstr ""
 "указанного значением <quote>NAME</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
@@ -12872,7 +13002,7 @@ msgstr ""
 "аналогично работе баз поиска."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -12894,7 +13024,7 @@ msgstr ""
 "посвящённом расширениям LDAP</ulink>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -12908,7 +13038,7 @@ msgstr ""
 "будет использоваться первое из них."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -12938,12 +13068,12 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr "ad_site (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
@@ -12953,12 +13083,12 @@ msgstr ""
 "выполнено автоматически."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr "ad_enable_gc (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -12972,7 +13102,7 @@ msgstr ""
 "текущего сервера AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -12986,12 +13116,12 @@ msgstr ""
 "каталог."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr "ad_gpo_access_control (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -13006,7 +13136,7 @@ msgstr ""
 "<quote>ad</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -13019,7 +13149,7 @@ msgstr ""
 "параметрах политики доступны в описании параметров <quote>ad_gpo_map</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -13033,7 +13163,7 @@ msgstr ""
 "com/SSSD/sssd/issues/5063 ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -13048,7 +13178,7 @@ msgstr ""
 "должна обладать следующими правами GPO:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
@@ -13057,7 +13187,7 @@ msgstr ""
 "свойств GPO (RIGHT_DS_READ_PROPERTY)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
@@ -13066,7 +13196,7 @@ msgstr ""
 "разрешено применять GPO (RIGHT_DS_CONTROL_ACCESS)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -13082,7 +13212,7 @@ msgstr ""
 "Users GPO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -13110,12 +13240,12 @@ msgstr ""
 "citerefentry>)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr "Для этого параметра поддерживаются три значения:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
@@ -13123,14 +13253,14 @@ msgstr ""
 "доступом на основе GPO, ни их принудительное применение."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 "enforcing: осуществляется проверка соответствия правилам управления доступом "
 "на основе GPO и их принудительное применение."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -13143,22 +13273,22 @@ msgstr ""
 "принудительный режим."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr "По умолчанию: permissive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr "По умолчанию: enforcing"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr "ad_gpo_implicit_deny (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -13176,7 +13306,7 @@ msgstr ""
 "встроенной группе Administrators, если к ним не применяются правила GPO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -13188,77 +13318,77 @@ msgstr ""
 "ad_gpo_implicit_deny."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr "ad_gpo_implicit_deny = False (по умолчанию)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr "правила разрешения"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr "правила запрета"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr "результат"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr "отсутствуют"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 msgid "all users are allowed"
 msgstr "доступ разрешён всем пользователям"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr "присутствуют"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr "доступ разрешён только пользователям, отсутствующим в правилах запрета"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 msgid "only users in allow-rules are allowed"
 msgstr ""
 "доступ разрешён только пользователям, присутствующим в правилах разрешения"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 "доступ разрешён только пользователям, присутствующим в правилах разрешения и "
 "отсутствующим в правилах запрета"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr "ad_gpo_implicit_deny = True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 msgid "no users are allowed"
 msgstr "доступ запрещён всем пользователям"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr "ad_gpo_ignore_unreadable (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -13273,12 +13403,12 @@ msgstr ""
 "групповой политики недоступны для чтения SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr "ad_gpo_cache_timeout (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -13289,12 +13419,12 @@ msgstr ""
 "поступает много запросов на управление доступом."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr "ad_gpo_map_interactive (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -13323,7 +13453,7 @@ msgstr ""
 "являются частью параметров политики."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
@@ -13333,7 +13463,7 @@ msgstr ""
 "локальный вход» («Deny log on locally»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -13343,7 +13473,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13362,42 +13492,42 @@ msgstr ""
 "конфигурацию: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr "gdm-fingerprint"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr "lightdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr "lxdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr "sddm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr "unity"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr "xdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr "ad_gpo_map_remote_interactive (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -13426,7 +13556,7 @@ msgstr ""
 "если он или хотя бы одна из его групп являются частью параметров политики."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -13438,7 +13568,7 @@ msgstr ""
 "удалённых рабочих столов» («Deny log on through Remote Desktop Services»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -13448,7 +13578,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13467,22 +13597,22 @@ msgstr ""
 "конфигурацию: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr "sshd"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr "cockpit"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr "ad_gpo_map_network (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -13511,7 +13641,7 @@ msgstr ""
 "политики."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -13523,7 +13653,7 @@ msgstr ""
 "to this computer from the network»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -13533,7 +13663,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13552,22 +13682,22 @@ msgstr ""
 "конфигурацию: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr "ftp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr "samba"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr "ad_gpo_map_batch (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -13595,7 +13725,7 @@ msgstr ""
 "политики."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
@@ -13606,7 +13736,7 @@ msgstr ""
 "a batch job»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -13616,7 +13746,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13635,7 +13765,7 @@ msgstr ""
 "конфигурацию: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
@@ -13643,17 +13773,17 @@ msgstr ""
 "дистрибутива Linux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr "crond"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr "ad_gpo_map_service (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -13682,7 +13812,7 @@ msgstr ""
 "политики."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
@@ -13692,7 +13822,7 @@ msgstr ""
 "и «Запретить вход в качестве службы» («Deny log on as a service»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -13702,7 +13832,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -13719,12 +13849,12 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr "ad_gpo_map_permit (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
@@ -13733,7 +13863,7 @@ msgstr ""
 "доступ на основе GPO, независимо от прав входа GPO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -13743,7 +13873,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13762,22 +13892,22 @@ msgstr ""
 "конфигурацию: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr "polkit-1"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr "systemd-user"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr "ad_gpo_map_deny (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
@@ -13786,7 +13916,7 @@ msgstr ""
 "доступ на основе GPO, независимо от прав входа GPO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -13796,12 +13926,12 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr "ad_gpo_default_right (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -13823,57 +13953,57 @@ msgstr ""
 "доступ для несопоставленных имён служб PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr "Для этого параметра поддерживаются следующие значения:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr "interactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr "remote_interactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr "network"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr "batch"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr "service"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr "permit"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr "deny"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr "По умолчанию: deny"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr "ad_maximum_machine_account_password_age (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -13884,17 +14014,17 @@ msgstr ""
 "его. Значение «0» отключает попытку обновления."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr "По умолчанию: 30 дней"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr "ad_machine_account_password_renewal_opts (строка)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -13910,17 +14040,17 @@ msgstr ""
 "после перезапуска."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr "По умолчанию: 86400:750 (24 часа и 15 минут)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr "ad_update_samba_machine_account_password (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -13933,12 +14063,12 @@ msgstr ""
 "когда программа настроена на использование AD для проверки подлинности."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr "ad_use_ldaps (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -13956,12 +14086,12 @@ msgstr ""
 "подключений будет установлено в значение «0» (ноль)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr "ad_allow_remote_domain_local_groups (логическое значение)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -13979,7 +14109,7 @@ msgstr ""
 "клиенте Linux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -14004,7 +14134,7 @@ msgstr ""
 "отсутствуют удалённые группы, локальные в домене."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -14026,7 +14156,7 @@ msgstr ""
 "вложенности."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -14043,12 +14173,12 @@ msgstr ""
 "помощью параметра <quote>dyndns_iface</quote> не указано иное."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr "По умолчанию: 3600 (секунд)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
@@ -14057,7 +14187,7 @@ msgstr ""
 "подключения LDAP AD"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -14074,7 +14204,7 @@ msgstr ""
 "допустимое значение (60 секунд)."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -14085,7 +14215,7 @@ msgstr ""
 "примере показаны только параметры, относящиеся к поставщику данных AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -14109,7 +14239,7 @@ msgstr ""
 "ad_domain = example.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -14121,7 +14251,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -14132,7 +14262,7 @@ msgstr ""
 "данных LDAP: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -14147,7 +14277,7 @@ msgstr ""
 "параметры подключения, такие как URI LDAP и параметры шифрования."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -21191,16 +21321,30 @@ msgstr "Creator Authority"
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
+#, fuzzy
+#| msgid "Creator Authority"
+msgid "Mandatory Label Authority"
+msgstr "Creator Authority"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:295
+#, fuzzy
+#| msgid "Authentication failure."
+msgid "Authentication Authority"
+msgstr "Сбой при проверке подлинности."
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
 msgid "NT Authority"
 msgstr "NT Authority"
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
-#: include/ldap_id_mapping.xml:295
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr "Built-in"
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
@@ -21209,16 +21353,27 @@ msgstr ""
 "имён доменов при возврате полных имён известных SID."
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
+#, fuzzy
+#| msgid ""
+#| "Since some utilities allow to modify SID based access control information "
+#| "with the help of a name instead of using the SID directly SSSD supports "
+#| "to look up the SID by the name as well. To avoid collisions only the "
+#| "fully qualified names can be used to look up Well-Known SIDs. As a result "
+#| "the domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</"
+#| "quote>, <quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</"
+#| "quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not "
+#| "be used as domain names in <filename>sssd.conf</filename>."
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 "Так как некоторые утилиты позволяют изменять данные управления доступом на "
 "основе SID с помощью имени, а не непосредственного использования SID, SSSD "
@@ -22081,13 +22236,39 @@ msgstr ""
 "таблицы ключей в качестве последней или единственной записи в файле таблицы "
 "ключей."
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+#, fuzzy
+#| msgid "Default: false (AD provider: true)"
+msgid "Default: false (IPA and AD provider: true)"
+msgstr "По умолчанию: false (поставщик данных AD: true)"
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+"Дополнительные сведения доступны в описании параметра "
+"<quote>dns_discovery_domain</quote> на справочной странице <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr "krb5_renewable_lifetime (строка)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
@@ -22096,38 +22277,38 @@ msgstr ""
 "число, сразу после которого следует единица измерения времени:"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr "<emphasis>s</emphasis> для секунд"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr "<emphasis>m</emphasis> для минут"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr "<emphasis>h</emphasis> для часов"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr "<emphasis>d</emphasis> для дней"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 "Если единица измерения не указана, предполагается, что используется значение "
 "<emphasis>s</emphasis>."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
@@ -22136,17 +22317,17 @@ msgstr ""
 "время жизни равным полутора часам, укажите «90m», а не «1h30m»."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr "По умолчанию: не задано, то есть TGT не является обновляемым"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr "krb5_lifetime (строка)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
@@ -22155,14 +22336,14 @@ msgstr ""
 "которого следует единица измерения времени:"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 "Если единица измерения не указана, предполагается, что используется значение "
 "<emphasis>s</emphasis>."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
@@ -22171,7 +22352,7 @@ msgstr ""
 "равным полутора часам, укажите «90m», а не «1h30m»."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
@@ -22179,12 +22360,12 @@ msgstr ""
 "в параметрах KDC."
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr "krb5_renew_interval (строка)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -22196,14 +22377,14 @@ msgstr ""
 "следует единица измерения времени:"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 "Если этот параметр не указан или установлен в значение «0», автоматическое "
 "обновление отключено."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
@@ -22212,6 +22393,17 @@ msgstr ""
 "узла и участника-пользователя. Эта возможность доступна в MIT Kerberos 1.7 и "
 "выше."
 
+#~ msgid ""
+#~ "Apply additional checks on the PAC of the Kerberos ticket which is "
+#~ "available in Active Directory and FreeIPA domains, if configured. The "
+#~ "following options can be used alone or in a comma-separated list: "
+#~ "<placeholder type=\"variablelist\" id=\"0\"/>"
+#~ msgstr ""
+#~ "Применить дополнительные проверки PAC билета Kerberos, который, если "
+#~ "настроен, доступен в доменах Active Directory и FreeIPA. Указанные ниже "
+#~ "параметры можно использовать отдельно или в виде списка параметров, "
+#~ "разделенного запятыми: <placeholder type=\"variablelist\" id=\"0\"/>"
+
 #~ msgid ""
 #~ "NOTE: Some Active Directory groups, typically those used for MS Exchange "
 #~ "contain an <quote>@</quote> sign in the name, which clashes with the "
diff --git a/src/man/po/sssd-docs.pot b/src/man/po/sssd-docs.pot
index b168c368775..400eac75c4a 100644
--- a/src/man/po/sssd-docs.pot
+++ b/src/man/po/sssd-docs.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.8.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -203,10 +203,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr ""
 
@@ -224,12 +224,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr ""
 
@@ -261,8 +261,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -292,7 +292,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr ""
 
@@ -368,8 +368,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr ""
 
@@ -390,7 +390,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr ""
 
@@ -410,12 +410,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> "
 "<manvolnum>3</manvolnum> </citerefentry>-compatible format that describes "
@@ -424,39 +424,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -594,11 +594,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr ""
 
@@ -864,8 +864,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr ""
 
@@ -1010,7 +1010,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr ""
 
@@ -1112,7 +1112,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr ""
 
@@ -1481,7 +1481,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr ""
 
@@ -1507,8 +1507,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr ""
@@ -1817,7 +1817,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
@@ -1830,7 +1830,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be "
@@ -1845,7 +1845,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
@@ -1907,8 +1907,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr ""
 
@@ -1973,9 +1973,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr ""
 
@@ -1990,7 +1990,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2086,48 +2086,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2245,7 +2245,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr ""
 
@@ -2280,7 +2280,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -2290,7 +2290,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2310,7 +2310,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr ""
@@ -2673,25 +2673,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, "
+"i.e. the krb5_validate option must be set to 'True' which is the default for "
+"the IPA and AD provider. If krb5_validate is set to 'False' the PAC checks "
+"will be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2699,72 +2710,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> "
@@ -2775,66 +2784,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording "
 "enabled. Matches user names as returned by NSS. I.e. after the possible "
@@ -2842,17 +2851,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -2860,7 +2869,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -2869,56 +2878,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 msgid "exclude_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 msgid "Default: Empty. No users excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 msgid "exclude_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 msgid "Default: Empty. No groups excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -2928,12 +2937,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -2942,14 +2951,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -2958,38 +2967,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For "
@@ -2998,24 +3007,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3024,29 +3033,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3060,14 +3069,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3076,39 +3085,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3117,19 +3126,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3140,139 +3149,139 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3281,17 +3290,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3303,33 +3312,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3337,19 +3346,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3358,17 +3367,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3377,29 +3386,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> "
 "<refentrytitle>sssd-files</refentrytitle> <manvolnum>5</manvolnum> "
@@ -3408,7 +3417,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
@@ -3416,8 +3425,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3426,8 +3435,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> "
@@ -3435,19 +3444,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified "
 "names. For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3456,7 +3465,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3464,24 +3473,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3493,27 +3502,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
@@ -3521,7 +3541,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
@@ -3529,29 +3549,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3559,19 +3579,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> "
@@ -3580,7 +3600,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> "
@@ -3589,29 +3609,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
@@ -3620,7 +3640,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
@@ -3628,34 +3648,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
@@ -3663,32 +3683,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3699,7 +3719,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3708,12 +3728,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3721,7 +3741,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3730,31 +3750,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3763,7 +3783,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3772,17 +3792,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -3790,41 +3810,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
@@ -3832,7 +3852,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> "
@@ -3840,7 +3860,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> "
@@ -3848,24 +3868,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3874,31 +3894,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
@@ -3907,7 +3927,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3916,12 +3936,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3931,7 +3951,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: "
 "<quote>(((?P&lt;domain&gt;[^\\\\]+)\\\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?P&lt;name&gt;[^@\\\\]+)$))</quote> "
@@ -3939,29 +3959,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3969,103 +3989,101 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 msgid "dns_resolver_server_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 msgid "dns_resolver_op_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is "
@@ -4074,64 +4092,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4139,38 +4157,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4178,49 +4189,104 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
+#: sssd.conf.5.xml:3695
+msgid "ldap_search_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+msgid "ldap_network_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+msgid "ldap_opt_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+msgid "ldap_offline_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3707
+msgid "ldap_enumeration_refresh_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+msgid "ldap_enumeration_refresh_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+msgid "ldap_purge_cache_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+msgid "ldap_krb5_ticket_lifetime"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+msgid "ldap_enumeration_search_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+msgid "ldap_connection_expire_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+msgid "ldap_connection_expire_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 msgid "ldap_connection_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4228,27 +4294,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4258,32 +4324,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4292,19 +4358,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4312,24 +4378,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4338,24 +4404,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4365,14 +4431,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4380,21 +4446,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4402,7 +4468,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4411,7 +4477,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4420,7 +4486,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called "
@@ -4429,29 +4495,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4459,12 +4525,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4472,12 +4538,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4486,12 +4552,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4499,19 +4565,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> "
 "<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> "
@@ -4529,7 +4595,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -4537,17 +4603,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -4556,7 +4622,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -4566,7 +4632,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4586,12 +4652,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called "
@@ -4602,69 +4668,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -4678,7 +4744,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -4686,7 +4752,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like "
@@ -4695,55 +4761,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -4752,17 +4818,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -4770,26 +4836,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like "
@@ -4798,17 +4864,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file "
 "(<filename>/var/lib/sss/pubconf/pam_preauth_available</filename>)  exists "
@@ -4818,7 +4884,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -4827,59 +4893,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -4888,7 +4954,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -4897,7 +4963,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -4906,7 +4972,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, "
 "e.g. <quote>[prompting/password/sshd]</quote> to individual change the "
@@ -4914,12 +4980,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4949,7 +5015,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -4958,7 +5024,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -4966,7 +5032,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -4977,7 +5043,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -4992,7 +5058,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5056,7 +5122,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5157,7 +5223,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr ""
@@ -5373,12 +5439,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5386,7 +5452,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5395,12 +5461,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups "
 "(e.g. RFC2307bis), then this option controls how many levels of nesting SSSD "
@@ -5408,7 +5474,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5418,7 +5484,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5428,34 +5494,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -5463,32 +5529,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5496,7 +5562,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5504,12 +5570,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5517,12 +5583,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> "
@@ -5533,12 +5599,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5547,12 +5613,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5561,7 +5627,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -5572,36 +5638,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -5609,29 +5675,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single "
 "request. Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5639,7 +5705,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use "
@@ -5647,7 +5713,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5655,17 +5721,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5675,12 +5741,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5688,17 +5754,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -5706,12 +5772,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5719,7 +5785,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to "
 "0. Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -5730,7 +5796,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5739,7 +5805,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5747,12 +5813,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -5760,7 +5826,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -5768,26 +5834,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5795,7 +5861,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5803,7 +5869,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5811,41 +5877,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in "
 "<filename>/etc/openldap/ldap.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5854,32 +5920,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5887,24 +5953,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5912,17 +5978,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5933,24 +5999,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -5961,12 +6027,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -5979,7 +6045,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -5991,17 +6057,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -6009,49 +6075,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6059,29 +6125,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is "
 "used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of "
@@ -6093,7 +6159,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6101,7 +6167,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of "
 "SSSD. While the legacy name is recognized for the time being, users are "
@@ -6110,39 +6176,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6152,7 +6218,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> "
 "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
@@ -6161,26 +6227,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client "
 "side. The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use "
 "<citerefentry><refentrytitle>shadow</refentrytitle> "
@@ -6190,7 +6256,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6198,31 +6264,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6235,51 +6301,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -6288,12 +6354,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6310,12 +6376,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6324,14 +6390,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6340,24 +6406,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6365,19 +6431,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6386,7 +6452,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, "
 "<emphasis>389ds</emphasis>: use the value of ldap_ns_account_lock to check "
@@ -6394,7 +6460,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6403,7 +6469,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option "
 "<emphasis>must</emphasis> include <quote>expire</quote> in order for the "
@@ -6411,22 +6477,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6436,7 +6502,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the "
 "<quote>ppolicy</quote> option and might be removed in a future release.  "
@@ -6444,7 +6510,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6457,12 +6523,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6472,7 +6538,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6482,38 +6548,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control "
@@ -6521,24 +6587,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6547,74 +6613,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6625,7 +6691,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6633,48 +6699,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 msgid "ldap_library_debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr ""
 
@@ -6691,12 +6757,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6704,43 +6770,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval "
 "</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -6748,14 +6814,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -6765,19 +6831,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 msgid "ldap_sudo_random_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -6785,7 +6851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -6793,106 +6859,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is "
 "<emphasis>false</emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6901,59 +6967,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -6962,22 +7028,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -6986,14 +7052,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7001,7 +7067,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7014,27 +7080,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7050,13 +7116,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8067,7 +8133,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> "
@@ -9094,7 +9160,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr ""
 
@@ -9109,7 +9175,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -9124,12 +9190,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -9150,12 +9216,12 @@ msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -9179,17 +9245,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -9197,17 +9263,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 msgid "dyndns_auth_ptr (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -9215,7 +9281,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -9225,7 +9291,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
@@ -9243,7 +9309,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
@@ -9256,12 +9322,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -9280,60 +9346,60 @@ msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -9464,26 +9530,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
@@ -9501,7 +9567,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr ""
 
@@ -10053,39 +10119,59 @@ msgid ""
 "Directory's LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink "
+"url=\"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups\"> "
+"Active Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD "
+"forest. By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local "
+"domain. This is done to be in agreement with Active Directory's "
+"group-membership assignment which can be seen in the PAC of the Kerberos "
+"ticket of a user issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -10093,7 +10179,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -10101,7 +10187,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -10109,19 +10195,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -10129,26 +10215,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -10157,7 +10243,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -10165,12 +10251,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -10181,12 +10267,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the "
@@ -10195,7 +10281,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or "
 "forest. This extended filter would consist of: "
@@ -10204,7 +10290,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then "
 "<quote>NAME</quote> specifies the domain or subdomain the filter applies "
@@ -10213,14 +10299,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full "
@@ -10233,7 +10319,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the "
@@ -10242,7 +10328,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -10260,24 +10346,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -10286,7 +10372,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -10295,12 +10381,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -10310,7 +10396,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -10319,7 +10405,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -10328,7 +10414,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -10338,21 +10424,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -10362,7 +10448,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -10378,22 +10464,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -10401,22 +10487,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed "
 "access. When this option is set to True users will be allowed access only "
@@ -10427,7 +10513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -10435,74 +10521,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 msgid "all users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 msgid "only users in allow-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 msgid "no users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -10512,12 +10598,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -10525,12 +10611,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -10546,14 +10632,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -10561,7 +10647,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10573,42 +10659,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -10624,7 +10710,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -10632,7 +10718,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -10640,7 +10726,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10652,22 +10738,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -10683,7 +10769,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -10691,7 +10777,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -10699,7 +10785,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10711,22 +10797,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -10741,14 +10827,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -10756,7 +10842,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10768,22 +10854,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -10799,14 +10885,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -10814,7 +10900,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -10825,19 +10911,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -10845,7 +10931,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10857,29 +10943,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -10887,12 +10973,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -10905,57 +10991,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -10963,17 +11049,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal "
 "task. The option expects 2 integers separated by a colon (':'). The first "
@@ -10983,17 +11069,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -11002,12 +11088,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -11018,12 +11104,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -11034,7 +11120,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -11049,7 +11135,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting "
@@ -11062,7 +11148,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -11073,19 +11159,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -11095,7 +11181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and "
 "example.com is one of the domains in the <replaceable>[sssd]</replaceable> "
@@ -11103,7 +11189,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -11118,7 +11204,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -11127,7 +11213,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -11135,7 +11221,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -11145,7 +11231,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -16832,32 +16918,43 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+msgid "Authentication Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION "
+"AUTHORITY</quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> "
+"should not be used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -17538,95 +17635,110 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+msgid "Default: false (IPA and AD provider: true)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> "
+"</citerefentry> manual page for details). If ticket validation is disabled "
+"the PAC checks will be skipped as well."
+msgstr ""
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -17634,12 +17746,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/sv.po b/src/man/po/sv.po
index ca397516800..feda5aff532 100644
--- a/src/man/po/sv.po
+++ b/src/man/po/sv.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2022-07-31 21:19+0000\n"
 "Last-Translator: Göran Uddeborg <goeran@uddeborg.se>\n"
 "Language-Team: Swedish <https://translate.fedoraproject.org/projects/sssd/"
@@ -244,10 +244,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr "Standard: true"
 
@@ -267,12 +267,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr "Standard: false"
 
@@ -311,8 +311,8 @@ msgstr ""
 "ingen effekt för andra loggningstyper)."
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -345,7 +345,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr "Standard: 10"
 
@@ -437,8 +437,8 @@ msgstr ""
 "dataleverantörskrasch eller -omstart innan de ger upp"
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "Standard: 3"
 
@@ -465,7 +465,7 @@ msgstr ""
 "understrykningstecken. Tecknet ”/” är förbjudet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr "re_expression (sträng)"
 
@@ -490,12 +490,12 @@ msgstr ""
 "för mer information om dessa reguljära uttryck."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr "full_name_format (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -506,32 +506,32 @@ msgstr ""
 "samman ett fullständigt kvalificerat namn från namn- och domänkomponenter."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr "användarnamn"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr "domännamn som det anges i SSSD-konfigurationsfilen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
@@ -540,7 +540,7 @@ msgstr ""
 "direkt konfigurerade eller hittade via IPA-förtroenden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -721,11 +721,11 @@ msgstr ""
 "utdata inte kvalificerat ens när flaggan default_domain_suffix används."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr "Standard: inte satt"
 
@@ -1056,8 +1056,8 @@ msgstr ""
 "användarnamn kan överlappa mellan domäner."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr "Standard: inte satt"
 
@@ -1241,7 +1241,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr "Standard: 60"
 
@@ -1365,7 +1365,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr "Standard: 300"
 
@@ -1808,7 +1808,7 @@ msgstr ""
 "lösenords-cachen i minnet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr "Standard: 8"
 
@@ -1839,8 +1839,8 @@ msgstr ""
 "grupp-cachen i minnet."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr "Standard: 6"
@@ -2209,7 +2209,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr "Visa en varning N dagar före lösenordet går ut."
 
@@ -2224,7 +2224,7 @@ msgstr ""
 "lösenordet.  Om denna information saknas kan sssd inte visa någon varning."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -2242,7 +2242,7 @@ msgstr ""
 "<emphasis>pwd_expiration_warning</emphasis> för en viss domän."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Standard: 0"
 
@@ -2318,8 +2318,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr "Standard: none"
 
@@ -2398,9 +2398,9 @@ msgstr ""
 "autentiseringsprocessen är detta alternativ avaktiverat som standard."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr "Standard: False"
 
@@ -2415,7 +2415,7 @@ msgid "The path to the certificate database."
 msgstr "Sökvägen till certifikatdatabasen."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr "Standard:"
 
@@ -2536,48 +2536,48 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr "Standard: standarduppsättningen av PAM-tjänstenamn innefattar:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr "login"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr "su"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr "su-l"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr "gdm-smartcard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr "gdm-password"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr "kdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr "sudo"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr "sudo-i"
 
@@ -2721,7 +2721,7 @@ msgid "Default: no_session"
 msgstr "Standard: no_session"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr "pam_gssapi_services"
 
@@ -2764,7 +2764,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Exempel: <placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -2774,7 +2774,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr "Standard: - (GSSAPI-autentisering är avaktiverat)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr "pam_gssapi_check_upn"
 
@@ -2799,7 +2799,7 @@ msgstr ""
 "autentiseras."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr "Standard: True"
@@ -3257,13 +3257,24 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr "pac_check (sträng)"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr "no_check"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
@@ -3272,12 +3283,12 @@ msgstr ""
 "kontroller att göras."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr "pac_present"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -3288,12 +3299,12 @@ msgstr ""
 "misslyckas."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr "check_upn"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
@@ -3302,22 +3313,22 @@ msgstr ""
 "(UPN) är konsistent."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr "upn_dns_info_present"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr "PAC:en måste innehålla bufferten UPN-DNS-INFO, implicerar ”check_upn”."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr "check_upn_dns_info_ex"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
@@ -3326,12 +3337,12 @@ msgstr ""
 "kontrollera om informationen i utökningen är konsistent."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr "upn_dns_info_ex_present"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
@@ -3340,20 +3351,19 @@ msgstr ""
 "”check_upn_dns_info_ex”, ”upn_dns_info_present” och ”check_upn”."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder "
+#| "type=\"variablelist\" id=\"0\"/>"
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
-msgstr ""
-"Tillämpa ytterligare kontroller av PAC:en för Kerberos-biljetten vilka är "
-"tillgänglig i domänen Active Direcktory och FreeIPA, om konfigurerade. "
-"Följande alternativ kan användas ensamma eller i en kommaseparerad lista: "
+"The following options can be used alone or in a comma-separated list: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Följande utvidgningar stödjs: <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
@@ -3361,12 +3371,12 @@ msgstr ""
 "check_upn_dns_info_ex”)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr "Konfigurationsalternativ för inspelning av sessioner"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -3382,33 +3392,33 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 "Dessa alternativ kan användas för att konfigurera inspelning av sessioner."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr "scope (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr "”none”"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr "Inga användare spelas in."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr "”some”"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
@@ -3417,17 +3427,17 @@ msgstr ""
 "och <replaceable>groups</replaceable> spelas in."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr "”all”"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr "Alla användare spelas in."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
@@ -3436,17 +3446,17 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr "Standard: ”none”"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr "users (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -3457,17 +3467,17 @@ msgstr ""
 "efter eventuellt utbyte av mellanslag, ändring av skiftläge, etc."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr "Standard: Tomt. Matchar inte några användare."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr "groups (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -3478,7 +3488,7 @@ msgstr ""
 "efter eventuellt utbyte av mellanslag, ändring av skiftläge, etc."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -3490,17 +3500,17 @@ msgstr ""
 "användare måste hämtas och matchas mot grupperna användaren är en medlem i."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr "Standard: Tom. Matchar inga grupper."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 msgid "exclude_users (string)"
 msgstr "exclude_users (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
@@ -3509,17 +3519,17 @@ msgstr ""
 "tillämpligt med ”scope=all”."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 msgid "Default: Empty. No users excluded."
 msgstr "Standard: Tomt. Inga användare uteslutna."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 msgid "exclude_groups (string)"
 msgstr "exclude_groups (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
@@ -3528,22 +3538,22 @@ msgstr ""
 "inspelning. Endast tillämpligt med ”scope=all”."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 msgid "Default: Empty. No groups excluded."
 msgstr "Standard: Tom. Inga grupper uteslutna."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr "DOMÄNSEKTIONER"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr "aktiverat"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -3558,12 +3568,12 @@ msgstr ""
 "quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr "domain_type (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -3576,7 +3586,7 @@ msgstr ""
 "operativsystemets gränssnitt och verktyg."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
@@ -3585,7 +3595,7 @@ msgstr ""
 "<quote>application</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -3598,7 +3608,7 @@ msgstr ""
 "respondenten."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
@@ -3607,7 +3617,7 @@ msgstr ""
 "<quote>id_provider=ldap</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
@@ -3616,17 +3626,17 @@ msgstr ""
 "<quote>Programdomäner</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr "Standard: posix"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -3635,7 +3645,7 @@ msgstr ""
 "utanför dessa gränser ignoreras den."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3648,7 +3658,7 @@ msgstr ""
 "ligger i intervallet rapporteras som förväntat."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
@@ -3657,17 +3667,17 @@ msgstr ""
 "när de returneras via namn eller ID."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Standard: 1 för min_id, 0 (ingen gräns) för max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr "enumerate (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3680,22 +3690,22 @@ msgstr ""
 "Denna parameter kan ha ett av följande värden:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = Användare och grupper räknas upp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = Inga uppräkningar för denna domän"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr "Standard: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
@@ -3704,7 +3714,7 @@ msgstr ""
 "grupposter från fjärrservern."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3727,7 +3737,7 @@ msgstr ""
 "med startas om av den interna vakthunden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -3736,7 +3746,7 @@ msgstr ""
 "användar- eller grupplistan returnera utan resultat tills den är färdig."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3749,7 +3759,7 @@ msgstr ""
 "information, se manualsidorna för den specifika id-leverantören som används."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -3758,32 +3768,32 @@ msgstr ""
 "stora miljöer."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr "Alla upptäckta betrodda domäner kommer räknas upp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr "Inga upptäckta betrodda domäner kommer räknas upp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3796,12 +3806,12 @@ msgstr ""
 "bara för dessa betrodda domäner."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -3810,7 +3820,7 @@ msgstr ""
 "bakänden igen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3827,17 +3837,17 @@ msgstr ""
 "redan har cachats."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr "Standard: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -3846,19 +3856,19 @@ msgstr ""
 "bakänden igen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr "Standard: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -3867,12 +3877,12 @@ msgstr ""
 "bakänden igen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -3881,12 +3891,12 @@ msgstr ""
 "frågar bakänden igen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -3895,12 +3905,12 @@ msgstr ""
 "bakänden igen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr "entry_cache_resolver_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
@@ -3909,12 +3919,12 @@ msgstr ""
 "den frågar bakänden igen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -3923,12 +3933,12 @@ msgstr ""
 "igen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -3937,12 +3947,12 @@ msgstr ""
 "giltiga före den frågar bakänden igen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr "entry_cache_ssh_host_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
@@ -3951,12 +3961,12 @@ msgstr ""
 "hur länge värdnyckeln skall cachas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr "entry_cache_computer_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
@@ -3965,12 +3975,12 @@ msgstr ""
 "igen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
@@ -3980,7 +3990,7 @@ msgstr ""
 "utgångna poster."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3993,17 +4003,17 @@ msgstr ""
 "uppdateras både användarposten och gruppmedlemskapet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr "Denna flagga ärvs automatiskt för alla betrodda domäner."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr "Du kan överväga att sätta detta värde till ¾ · entry_cache_timeout."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -4023,33 +4033,33 @@ msgstr ""
 "vilja manuellt invalidera den befintliga cachen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr "Standard: 0 (avaktiverat)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr "Bestämmer om användarkreditiv också cachas i den lokala LDB-cachen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr "Användarkreditiv sparas i en SHA512-kontrollsumma, inte i klartext"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr "cache_credentials_minimal_first_factor_length (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -4060,7 +4070,7 @@ msgstr ""
 "lösenord) måste ha för att sparas som en SHA512-kontrollsumma i cachen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
@@ -4070,12 +4080,12 @@ msgstr ""
 "attacker."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -4088,17 +4098,17 @@ msgstr ""
 "offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr "Standard: 0 (obegränsat)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -4110,17 +4120,17 @@ msgstr ""
 "Dessutom måste en autentiseringsleverantör ha konfigurerats för bakänden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Standard: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr "id_provider (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -4128,12 +4138,12 @@ msgstr ""
 "stödjs är:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr "<quote>proxy</quote>: Stöd en tidigare NSS-leverantör."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -4144,7 +4154,7 @@ msgstr ""
 "information om hur lokala användare och grupper kan speglas in i SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -4155,8 +4165,8 @@ msgstr ""
 "information om att konfigurera LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -4169,8 +4179,8 @@ msgstr ""
 "konfigurera FreeIPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4181,12 +4191,12 @@ msgstr ""
 "citerefentry> för mer information om att konfigurera Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -4195,7 +4205,7 @@ msgstr ""
 "full_name_format) som användarens inloggningsnamn rapporterat till NSS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -4209,7 +4219,7 @@ msgstr ""
 "command> skulle det."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -4221,7 +4231,7 @@ msgstr ""
 "namn begärs."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
@@ -4230,17 +4240,17 @@ msgstr ""
 "default_domain_suffix används)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr "Returnera inte gruppmedlemmar för gruppuppslagningar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -4259,7 +4269,7 @@ msgstr ""
 "som om den vore tom."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -4269,13 +4279,26 @@ msgstr ""
 "hos åtkomstleverantören väsentligt snabbare, särskilt för grupper som "
 "innehåller många medlemmar."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+"Detta alternativ kan även sättas per underdomän eller ärvt via "
+"<emphasis>subdomain_inherit</emphasis>."
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr "auth_provider (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -4284,7 +4307,7 @@ msgstr ""
 "är:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4295,7 +4318,7 @@ msgstr ""
 "citerefentry> för mer information om att konfigurera LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4306,7 +4329,7 @@ msgstr ""
 "citerefentry> för mer information om att konfigurera Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
@@ -4314,12 +4337,12 @@ msgstr ""
 "PAM-mål."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> avaktiverar explicit autentisering."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -4328,12 +4351,12 @@ msgstr ""
 "autentiseringsbegäranden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr "access_provider (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -4344,7 +4367,7 @@ msgstr ""
 "Interna specialleverantörer är:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -4353,12 +4376,12 @@ msgstr ""
 "åtkomstleverantören för en lokal domän."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> neka alltid åtkomst."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -4371,7 +4394,7 @@ msgstr ""
 "konfigurera åtkomstmodulen simple."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -4382,24 +4405,24 @@ msgstr ""
 "citerefentry> för mer information om att konfigurera Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 "<quote>proxy</quote> för att skicka vidare åtkomstkontroll till någon annan "
 "PAM-modul."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr "Standard: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -4408,7 +4431,7 @@ msgstr ""
 "av lösenordsändring som stödjs är:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -4419,7 +4442,7 @@ msgstr ""
 "manvolnum> </citerefentry> för mer information om att konfigurera LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4430,7 +4453,7 @@ msgstr ""
 "citerefentry> för mer information om att konfigurera Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
@@ -4438,12 +4461,12 @@ msgstr ""
 "annat PAM-mål."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "<quote>none</quote> tillåter uttryckligen inte lösenordsändringar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -4452,18 +4475,18 @@ msgstr ""
 "hantera begäranden om ändring av lösenord."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "SUDO-leverantören som används för domänen.  SUDO-leverantörer som stödjs är:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4474,7 +4497,7 @@ msgstr ""
 "citerefentry> för mer information om att konfigurera LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
@@ -4483,7 +4506,7 @@ msgstr ""
 "standardsinställningar för IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
@@ -4492,18 +4515,18 @@ msgstr ""
 "standardsinställningar för AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote> avaktiverar explicit SUDO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr "Standard: värdet på <quote>id_provider</quote> används om det är satt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -4520,7 +4543,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -4533,12 +4556,12 @@ msgstr ""
 "relaterad aktivitet i SSSD om du inte vill använda sudo med SSSD alls."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -4549,7 +4572,7 @@ msgstr ""
 "åtkomstleverantören avslutar.  Selinux-leverantörer som stödjs är:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4560,14 +4583,14 @@ msgstr ""
 "manvolnum> </citerefentry> för mer information om att konfigurera IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 "<quote>none</quote> tillåter uttryckligen inte att hämta selinux-"
 "inställningar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -4576,12 +4599,12 @@ msgstr ""
 "begäranden om inläsning av selinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -4590,7 +4613,7 @@ msgstr ""
 "alltid vara samma som id_provider.  Underdomänsleverantörer som stödjs är:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4602,7 +4625,7 @@ msgstr ""
 "konfigurera IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -4615,17 +4638,17 @@ msgstr ""
 "konfigurera AD-leverantören."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr "<quote>none</quote> tillåter uttryckligen inte att hämta underdomäner."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr "session_provider (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -4637,14 +4660,14 @@ msgstr ""
 "med IPA.  Sessionsleverantörer som stödjs är:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 "<quote>ipa</quote> för att utföra uppgifter relaterade till "
 "användarsessioner."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
@@ -4652,7 +4675,7 @@ msgstr ""
 "användarsessioner."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
@@ -4661,7 +4684,7 @@ msgstr ""
 "sessionsrelaterade uppgifter."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
@@ -4671,12 +4694,12 @@ msgstr ""
 "användaren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -4684,7 +4707,7 @@ msgstr ""
 "är:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4695,7 +4718,7 @@ msgstr ""
 "citerefentry> för mer information om att konfigurera LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4706,7 +4729,7 @@ msgstr ""
 "manvolnum> </citerefentry> för mer information om att konfigurera IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4718,17 +4741,17 @@ msgstr ""
 "leverantören."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> avaktiverar explicit autofs."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -4737,7 +4760,7 @@ msgstr ""
 "leverantörer som stödjs är:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4748,17 +4771,17 @@ msgstr ""
 "manvolnum> </citerefentry> för mer information om att konfigurera IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> avaktiverar explicit värd-id:n."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr "resolver_provider (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
@@ -4767,7 +4790,7 @@ msgstr ""
 "Uppslagsleverantörer som stödjs är:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
@@ -4776,7 +4799,7 @@ msgstr ""
 "bibliotek. Se <quote>proxy_resolver_lib_name</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -4787,7 +4810,7 @@ msgstr ""
 "manvolnum> </citerefentry> för mer information om att konfigurera LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -4800,13 +4823,13 @@ msgstr ""
 "leverantören."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 "<quote>none</quote> tillåter uttryckligen inte att hämta värdar och nätverk."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -4821,7 +4844,7 @@ msgstr ""
 "(NetBIOS) namnet på domänen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -4834,22 +4857,22 @@ msgstr ""
 "användarnamn:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr "användarnamn"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr "användarnamn@domän.namn"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr "domän\\användarnamn"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -4858,7 +4881,7 @@ msgstr ""
 "tredje för att tillåta enkel integration av användare från Windows-domäner."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -4869,17 +4892,17 @@ msgstr ""
 "quote>, sedan är domänen allting efter det”"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Standard: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -4888,44 +4911,44 @@ msgstr ""
 "uppslagningar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr "Värden som stödjs:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first: Försök slå upp IPv4-adresser, om det misslyckas, prova IPv6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr "ipv4_only: Försök endast slå upp värdnamn som IPv4-adresser."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first: Försök slå upp IPv6-adresser, om det misslyckas, prova IPv4"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr "ipv6_only: Försök endast slå upp värdnamn som IPv6-adresser."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr "Standard: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 msgid "dns_resolver_server_timeout (integer)"
 msgstr "dns_resolver_server_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
@@ -4934,7 +4957,7 @@ msgstr ""
 "DNS-server före den provar nästa DNS-server."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
@@ -4942,8 +4965,7 @@ msgstr ""
 "pingtidsgränsen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
@@ -4951,34 +4973,38 @@ msgstr ""
 "Se avsnittet <quote>RESERVER</quote> för mer information om tjänstevalet."
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr "Standard: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 msgid "dns_resolver_op_timeout (integer)"
 msgstr "dns_resolver_op_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
+#, fuzzy
+#| msgid ""
+#| "Defines the amount of time (in seconds) to wait to resolve single DNS "
+#| "query (e.g. resolution of a hostname or an SRV record)  before try next "
+#| "hostname or DNS discovery."
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 "Definierar mängden tid (i sekunder) att vänta på att slå upp en viss DNS-"
 "fråga (t.ex. uppslagning av ett värdnamn eller en SRV-post) före den provar "
 "nästa värdnamn eller DNS-upptäckt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4990,12 +5016,12 @@ msgstr ""
 "nås kommer domänen fortsätta att fungera i frånkopplat läge."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -5004,52 +5030,52 @@ msgstr ""
 "fråga om tjänsteupptäckt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr "Standard: använd domändelen av maskinens värdnamn"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr "override_gid (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr "Ersätt det primära GID-värdet med det angivna."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr "case_sensitive (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr "True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr "Skiftlägeskänsligt. Detta värde är inte giltigt för AD-leverantörer."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr "False"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr "Skiftlägesokänsligt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr "Preserving"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -5060,7 +5086,7 @@ msgstr ""
 "tjänster även protokollnamn) fortfarande skiftas ner i utdata."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
@@ -5069,7 +5095,7 @@ msgstr ""
 "du sätta det på både klienten och SSSD på servern."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
@@ -5078,26 +5104,17 @@ msgstr ""
 "värdena på alternativen är: <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-"Detta alternativ kan även sättas per underdomän eller ärvt via "
-"<emphasis>subdomain_inherit</emphasis>."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr "Standard: True (False för AD-leverantören)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr "subdomain_inherit (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -5108,53 +5125,130 @@ msgstr ""
 "följande alternativ ärvas:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
-msgstr "ignore_group_members"
+#: sssd.conf.5.xml:3695
+#, fuzzy
+#| msgid "ldap_search_timeout (integer)"
+msgid "ldap_search_timeout"
+msgstr "ldap_search_timeout (heltal)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+#, fuzzy
+#| msgid "ldap_network_timeout (integer)"
+msgid "ldap_network_timeout"
+msgstr "ldap_network_timeout (heltal)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+#, fuzzy
+#| msgid "ldap_opt_timeout (integer)"
+msgid "ldap_opt_timeout"
+msgstr "ldap_opt_timeout (heltal)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_offline_timeout"
+msgstr "ldap_connection_expire_timeout (heltal)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3707
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_timeout"
+msgstr "ldap_enumeration_refresh_timeout (heltal)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_offset"
+msgstr "ldap_enumeration_refresh_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+#, fuzzy
+#| msgid "ldap_purge_cache_timeout"
+msgid "ldap_purge_cache_offset"
+msgstr "ldap_purge_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+"ldap_krb5_keytab (värdet på krb5_keytab kommer användas om inte "
+"ldap_krb5_keytab sätts särskilt)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+#, fuzzy
+#| msgid "ldap_krb5_ticket_lifetime (integer)"
+msgid "ldap_krb5_ticket_lifetime"
+msgstr "ldap_krb5_ticket_lifetime (heltal)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+#, fuzzy
+#| msgid "ldap_enumeration_search_timeout (integer)"
+msgid "ldap_enumeration_search_timeout"
+msgstr "ldap_enumeration_search_timeout (heltal)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+#, fuzzy
+#| msgid "ldap_connection_expire_timeout (integer)"
+msgid "ldap_connection_expire_timeout"
+msgstr "ldap_connection_expire_timeout (heltal)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+#, fuzzy
+#| msgid "ldap_connection_expire_offset (integer)"
+msgid "ldap_connection_expire_offset"
+msgstr "ldap_connection_expire_offset (heltal)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 #, fuzzy
 #| msgid "ldap_connection_expire_timeout (integer)"
 msgid "ldap_connection_idle_timeout"
 msgstr "ldap_connection_expire_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr "ldap_user_principal"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
-msgstr ""
-"ldap_krb5_keytab (värdet på krb5_keytab kommer användas om inte "
-"ldap_krb5_keytab sätts särskilt)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
+msgstr "ignore_group_members"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr "auto_private_groups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr "case_sensitive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -5164,28 +5258,28 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 "Observera: detta alternativ fungerar endast med leverantörerna IPA och AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "platt (NetBIOS) namn på en underdomän."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -5200,36 +5294,36 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 "Värdet kan åsidosättas av alternativet <emphasis>override_homedir</emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Standard: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 "Diverse taggar lagrade av realmd-konfigurationstjänsten för denna domän."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr "cached_auth_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -5242,7 +5336,7 @@ msgstr ""
 "uppkopplad autentisering."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
@@ -5251,12 +5345,12 @@ msgstr ""
 "inte möjligt att ange olika värden för varje betrodd domän."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr "Specialvärdet 0 betyder att denna funktion är avaktiverad."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -5267,17 +5361,17 @@ msgstr ""
 "<quote>initgroups.</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr "auto_private_groups (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr "true"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
@@ -5286,7 +5380,7 @@ msgstr ""
 "GID-numret ignoreras i detta läge."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -5299,12 +5393,12 @@ msgstr ""
 "framtvingar unika nummer över hela ID-rymden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr "false"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
@@ -5313,12 +5407,12 @@ msgstr ""
 "ett gruppobjekt i LDAP-databasen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr "hybrid"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -5333,7 +5427,7 @@ msgstr ""
 "upp till det gruppobjektet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
@@ -5342,7 +5436,7 @@ msgstr ""
 "kan GID:t helt enkelt inte slås upp."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -5353,7 +5447,7 @@ msgstr ""
 "befintliga användarnas privata grupper."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
@@ -5362,7 +5456,7 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
@@ -5372,7 +5466,7 @@ msgstr ""
 "översättning."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -5382,7 +5476,7 @@ msgstr ""
 "auto_private_groups = false\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -5394,7 +5488,7 @@ msgstr ""
 "auto_private_groups = false\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -5408,7 +5502,7 @@ msgstr ""
 "id=\"1\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -5419,17 +5513,17 @@ msgstr ""
 "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr "Proxymålet PAM är en proxy för."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -5438,12 +5532,12 @@ msgstr ""
 "eller skapa en ny och lägga till tjänstenamnet här."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -5454,12 +5548,12 @@ msgstr ""
 "exempel _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr "proxy_resolver_lib_name (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -5470,12 +5564,12 @@ msgstr ""
 "_nss_$(libName)_$(function), till exempel _nss_dns_gethostbyname2_r."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -5488,12 +5582,12 @@ msgstr ""
 "SSSD att utföra ID-uppslagningen från cachen av prestandaskäl."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr "proxy_max_children (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -5505,7 +5599,7 @@ msgstr ""
 "begäranden skulle köas upp."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -5514,12 +5608,12 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr "Programdomäner"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -5548,7 +5642,7 @@ msgstr ""
 "traditionell SSSD-domän."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -5559,17 +5653,17 @@ msgstr ""
 "programdomänen och dess POSIX-syskondomän sätts korrekt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr "Programdomänparametrar"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr "inherit_from (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -5582,7 +5676,7 @@ msgstr ""
 "quote>domänens inställningar."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -5597,7 +5691,7 @@ msgstr ""
 "attributet telefon nåbart via D-Bus-gränssnittet."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -5631,12 +5725,12 @@ msgstr ""
 "ldap_user_extra_attrs = telefon:telephoneNumber\n"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr "SEKTIONEN BETRODDA DOMÄNER"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -5653,57 +5747,57 @@ msgstr ""
 "alternativ i sektionen för betrodda domäner är:"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr "ldap_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr "ldap_user_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr "ldap_group_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr "ldap_netgroup_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr "ldap_service_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr "ldap_sasl_mech,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr "ad_server,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr "ad_backup_server,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr "ad_site,"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr "use_fully_qualified_names"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
@@ -5712,12 +5806,12 @@ msgstr ""
 "manualsidan."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr "CERTIFIKATSMAPPNINGSSEKTION"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -5739,7 +5833,7 @@ msgstr ""
 "fallet när lokala tjänster använder PAM för autentisering."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -5751,7 +5845,7 @@ msgstr ""
 "detaljer)."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -5764,12 +5858,12 @@ msgstr ""
 "replaceable>]</quote>.  I denna sektion är följande alternativ tillåtna:"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr "matchrule (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
@@ -5778,7 +5872,7 @@ msgstr ""
 "alla andra ignoreras."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
@@ -5787,17 +5881,17 @@ msgstr ""
 "Extended Key Usage <quote>clientAuth</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr "maprule (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr "Definierar hur användaren hittas för ett givet certifikat."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
@@ -5806,7 +5900,7 @@ msgstr ""
 "<quote>ldap</quote>, <quote>AD</quote> eller <quote>ipa</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
@@ -5815,12 +5909,12 @@ msgstr ""
 "användare med samma namn."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr "domains (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -5833,17 +5927,17 @@ msgstr ""
 "lägga till regeln till underdomäner också."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr "Standard: den konfigurerade domänen i sssd.conf"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr "priority (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -5854,12 +5948,12 @@ msgstr ""
 "prioriteten medan <quote>4294967295</quote> är den lägsta."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr "Standard: den lägsta prioriteten"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
@@ -5869,7 +5963,7 @@ msgstr ""
 "speciella egenskaper:"
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
@@ -5878,7 +5972,7 @@ msgstr ""
 "användaren"
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -5891,17 +5985,17 @@ msgstr ""
 "short_name})</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr "alternativet <quote>domains</quote> ignoreras"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr "SEKTIONEN FÖR FRÅGEKONFIGURATION"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -5916,7 +6010,7 @@ msgstr ""
 "tillämpliga kreditiv."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -5929,22 +6023,22 @@ msgstr ""
 "användarfall. Följande alternativ bör ge en bättre flexibilitet här."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr "[prompting/password]"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr "password_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr "för att ändra strängen i lösenordsfrågan"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
@@ -5953,37 +6047,37 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr "[prompting/2fa]"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr "first_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr "för att ändra strängen som frågar efter den första faktorn"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr "second_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr "för att ändra strängen som frågar efter den andra faktorn"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr "single_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -5996,7 +6090,7 @@ msgstr ""
 "faktorn är frivillig."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -6009,7 +6103,7 @@ msgstr ""
 "med lösenordet eller med båda faktorerna måste tvåstegsförfrågan användas."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -6022,7 +6116,7 @@ msgstr ""
 ">"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -6033,12 +6127,12 @@ msgstr ""
 "enskilt för denna tjänst."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr "EXEMPEL"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -6092,7 +6186,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -6104,7 +6198,7 @@ msgstr ""
 "domäner för fler detaljer. <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -6114,7 +6208,7 @@ msgstr ""
 "use_fully_qualified_names = false\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -6130,7 +6224,7 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -6152,7 +6246,7 @@ msgstr ""
 "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MIN,DC=DOMÄN$&lt;SUBJECT&gt;^CN=User.Name,DC=MIN,DC=DOMÄN$\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -6235,7 +6329,7 @@ msgstr ""
 "information om att använda LDAP som en åtkomstleverantör."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -6353,7 +6447,7 @@ msgstr ""
 "ietf.org/rfc/rfc2254.txt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr "Exempel:"
@@ -6603,12 +6697,12 @@ msgstr ""
 "uppräknade poster."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -6619,7 +6713,7 @@ msgstr ""
 "att spara utrymme."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -6632,12 +6726,12 @@ msgstr ""
 "Som standard kör rensningsjobbet var 3:e timma när uppräkning är aktiverat."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -6648,7 +6742,7 @@ msgstr ""
 "kommer följa. Detta alternativ har ingen effekt på schemat RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -6664,7 +6758,7 @@ msgstr ""
 "ursprungliga uppslagningen om den slås upp igen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -6679,12 +6773,12 @@ msgstr ""
 "false för att begränsa gruppnästning."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr "Standard: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
@@ -6694,22 +6788,22 @@ msgstr ""
 "2008 och senare."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr "Standard: true för AD och IPA annars false."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr "ldap_host_search_base (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr "Frivillig. Använd den givna strängen som en sökbas för värdobjekt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -6719,32 +6813,32 @@ msgstr ""
 "multipla sökbaser."
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "Standard: värdet på <emphasis>ldap_search_base</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr "ldap_iphost_search_base (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr "ldap_ipnetwork_search_base (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -6754,7 +6848,7 @@ msgstr ""
 "och cachade resultat returneras (och går in i frånkopplat läge)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -6765,12 +6859,12 @@ msgstr ""
 "specifika uppslagningstyper."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -6781,12 +6875,12 @@ msgstr ""
 "returneras (och går in i frånkopplat läge)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -6803,12 +6897,12 @@ msgstr ""
 "citerefentry> returnerar om inget händer."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -6822,12 +6916,12 @@ msgstr ""
 "operationen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -6840,7 +6934,7 @@ msgstr ""
 "(detta värde eller TGT-livslängden) användas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -6851,7 +6945,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
@@ -6860,17 +6954,17 @@ msgstr ""
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr "Standard: 900 (15 minuter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr "ldap_connection_expire_offset (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
@@ -6879,14 +6973,14 @@ msgstr ""
 "till<emphasis>ldap_connection_expire_timeout</emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 #, fuzzy
 #| msgid "ldap_connection_expire_timeout (integer)"
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 #, fuzzy
 #| msgid ""
 #| "Specifies a timeout (in seconds) that a connection to an LDAP server will "
@@ -6904,19 +6998,19 @@ msgstr ""
 "(detta värde eller TGT-livslängden) användas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 #, fuzzy
 #| msgid "You can disable this offset by setting the value to 0."
 msgid "You can disable this timeout by setting the value to 0."
 msgstr "Man kan avaktivera denna fördröjning genom att sätta värdet till 0."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
@@ -6925,12 +7019,12 @@ msgstr ""
 "LDAP-servrar framtvingar en maximal gräns per begäran."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -6941,7 +7035,7 @@ msgstr ""
 "RootDSE men det inte är aktiverat eller inte fungerar som det skall."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
@@ -6951,7 +7045,7 @@ msgstr ""
 "den."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -6962,17 +7056,17 @@ msgstr ""
 "att några begäranden nekas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr "ldap_disable_range_retrieval (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr "Avaktivera Active Directory intervallhämtning."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -6988,12 +7082,12 @@ msgstr ""
 "medlemmar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -7004,17 +7098,17 @@ msgstr ""
 "detta alternativ är definierat av OpenLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr "Standard: använd systemstandard (vanligen angivet i ldap.conf)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr "ldap_sasl_maxssf (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -7025,12 +7119,12 @@ msgstr ""
 "detta alternativ är definierat av OpenLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -7041,7 +7135,7 @@ msgstr ""
 "individuellt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -7058,7 +7152,7 @@ msgstr ""
 "rootDSE-objektet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -7071,7 +7165,7 @@ msgstr ""
 "OpenLDAP och Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -7082,12 +7176,12 @@ msgstr ""
 "oavsett denna inställning."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr "ldap_ignore_unreadable_references (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -7098,7 +7192,7 @@ msgstr ""
 "misslyckas istället för att den oläsbara posten bara ignoreras."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -7109,12 +7203,12 @@ msgstr ""
 "en viss post eller ett visst LDAP-underträd av säkerhetsskäl."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -7123,7 +7217,7 @@ msgstr ""
 "några. Det kan anges som ett av följande värden:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -7132,7 +7226,7 @@ msgstr ""
 "några servercertifikat."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -7143,7 +7237,7 @@ msgstr ""
 "tillhandahålls kommer det ignoreras och sessionen fortsätta normalt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -7154,7 +7248,7 @@ msgstr ""
 "tillhandahålls avslutas sessionen omedelbart."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -7165,22 +7259,22 @@ msgstr ""
 "sessionen omedelbart."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> = Samma som <quote>demand</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr "Standard: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -7189,7 +7283,7 @@ msgstr ""
 "<command>sssd</command> kommer godkänna."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -7198,12 +7292,12 @@ msgstr ""
 "openldap/ldap.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -7217,32 +7311,32 @@ msgstr ""
 "namnen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr "Anger filen som innehåller certifikatet för klientens nyckel."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr "Anger filen som innehåller klientens nyckel."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -7253,12 +7347,12 @@ msgstr ""
 "manvolnum></citerefentry> för formatet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
@@ -7267,12 +7361,12 @@ msgstr ""
 "class=\"protocol\">tls</systemitem> för att skydda kanalen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -7283,18 +7377,18 @@ msgstr ""
 "förlita sig på ldap_user_uid_number och ldap_group_gid_number."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 "För närvarande stödjer denna funktion endast ActiveDirectory objectSID."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr "ldap_min_id, ldap_max_id (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -7312,17 +7406,17 @@ msgstr ""
 "Underdomäner kan sedan välja andra intervall för att översätta ID:n."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr "Standard: inte satt (båda alternativen är satta till 0)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
@@ -7331,7 +7425,7 @@ msgstr ""
 "GSSAPI och GSS-SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -7347,12 +7441,12 @@ msgstr ""
 "conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry> för detaljer."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -7372,7 +7466,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -7392,17 +7486,17 @@ msgstr ""
 "keytab."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr "Standard: host/värdnamn@RIKE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -7413,17 +7507,17 @@ msgstr ""
 "ignoreras detta alternativ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr "Standard: värdet på krb5_realm."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
@@ -7432,34 +7526,34 @@ msgstr ""
 "att ta fram värdnamnets kanoniska form under en SASL-bindning."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr "Standard: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 "Ange den keytab som skall användas vid användning av SASL/GSSAPI/GSS-SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "Standard: Systemets keytab, normalt <filename>/etc/krb5.keytab</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -7470,29 +7564,29 @@ msgstr ""
 "eller GSS-SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 "Anger livslängden i sekunder på TGT:n om GSSAPI eller GSS-SPNEGO används."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr "Standard: 86400 (24 timmar)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -7510,7 +7604,7 @@ msgstr ""
 "mer information, se avsnittet <quote>TJÄNSTEUPPTÄCKT</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -7521,7 +7615,7 @@ msgstr ""
 "hittas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -7533,27 +7627,27 @@ msgstr ""
 "quote> istället."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr "Ange Kerberos-RIKE (för SASL/GSSAPI/GSS-SPNEGO aut)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr "Standard: Systemstandard, se <filename>/etc/krb5.conf</filename>"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
@@ -7562,12 +7656,12 @@ msgstr ""
 "servern. Denna funktion är tillgänglig med MIT Kerberos ≥ 1.7"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr "krb5_use_kdcinfo (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -7582,7 +7676,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -7593,12 +7687,12 @@ msgstr ""
 "om lokaliseringsinsticksmodulen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -7607,7 +7701,7 @@ msgstr ""
 "värden är tillåtna:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -7616,7 +7710,7 @@ msgstr ""
 "alternativ kan inte avaktivera lösenordspolicyer på serversidan."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 #, fuzzy
 #| msgid ""
 #| "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
@@ -7633,7 +7727,7 @@ msgstr ""
 "manvolnum></citerefentry> för att utvärdera om lösenordet har gått ut."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -7644,7 +7738,7 @@ msgstr ""
 "chpass_provider=krb5 för att uppdatera dessa attribut när lösenordet ändras."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
@@ -7653,17 +7747,17 @@ msgstr ""
 "kommer den alltid gå före framför policyn som sätts med detta alternativ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr "Anger huruvida automatisk uppföljning av referenser skall aktiveras."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -7672,7 +7766,7 @@ msgstr ""
 "kompilerad med OpenLDAP version 2.4.13 eller senare."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -7693,28 +7787,28 @@ msgstr ""
 "data vara tillgängliga."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "Anger tjänstenamnet som skall användas när tjänsteupptäckt är aktiverat."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr "Standard: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -7723,17 +7817,17 @@ msgstr ""
 "lösenordsändringar när tjänsteupptäckt är aktiverat."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr "Standard: inte satt, d.v.s. tjänsteupptäckt är avaktiverat"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
@@ -7742,7 +7836,7 @@ msgstr ""
 "dagar sedan epoken efter en ändring av lösenord."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -7751,12 +7845,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -7784,12 +7878,12 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr "Exempel:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -7801,7 +7895,7 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
@@ -7810,7 +7904,7 @@ msgstr ""
 "användare vars attribut employeeType är satt till ”admin”."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -7823,17 +7917,17 @@ msgstr ""
 "fortsätta ges åtkomst under frånkoppling, och vice versa."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr "Standard: Empty"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -7842,7 +7936,7 @@ msgstr ""
 "åtkomststyrningsattribut aktiveras."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -7853,12 +7947,12 @@ msgstr ""
 "felkod även om lösenordet är korrekt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr "Följande värden är tillåtna:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -7867,7 +7961,7 @@ msgstr ""
 "att avgöra om kontot har gått ut."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -7880,7 +7974,7 @@ msgstr ""
 "kontrolleras också."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -7891,7 +7985,7 @@ msgstr ""
 "tillåts eller inte."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -7903,7 +7997,7 @@ msgstr ""
 "för att avgöra om åtkomst tillåts. Om båda attributen saknas tillåts åtkomst."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -7914,23 +8008,23 @@ msgstr ""
 "ldap_account_expire_policy skall fungera."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "Kommaseparerad lista över åtkomststyrningsalternativ.  Tillåtna värden är:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filter</emphasis>: använd ldap_access_filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -7945,7 +8039,7 @@ msgstr ""
 "fungera."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
@@ -7955,7 +8049,7 @@ msgstr ""
 "emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -7976,12 +8070,12 @@ msgstr ""
 "måste vara satt för att denna funktion skall fungera."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr "<emphasis>expire</emphasis>: använd ldap_account_expire_policy"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -7996,7 +8090,7 @@ msgstr ""
 "exempel SSH-nycklar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -8010,7 +8104,7 @@ msgstr ""
 "pwd_expire_policy_renew – användaren ombeds ändra sitt lösenord omedelbart."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
@@ -8018,7 +8112,7 @@ msgstr ""
 "meddelande av SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
@@ -8028,7 +8122,7 @@ msgstr ""
 "lämplig lösenordspolicy."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -8037,13 +8131,13 @@ msgstr ""
 "för att avgöra åtkomst"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 "<emphasis>host</emphasis>: använd attributet host för att avgöra åtkomst"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
@@ -8052,7 +8146,7 @@ msgstr ""
 "fjärrvärdar kan få åtkomst"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
@@ -8062,12 +8156,12 @@ msgstr ""
 "åtkomstkontroll aktiveras"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr "Standard: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
@@ -8076,12 +8170,12 @@ msgstr ""
 "gång."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr "ldap_pwdlockout_dn (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -8094,22 +8188,22 @@ msgstr ""
 "LDAP-servern inte kan kontrolleras ordentligt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr "Exempel: cn=ppolicy,ou=policies,dc=example,dc=com"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr "Standard: cn=ppolicy,ou=policies,$ldap_search_base"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -8118,12 +8212,12 @@ msgstr ""
 "alternativ är tillåtna:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr "<emphasis>never</emphasis>: Alias är aldrig derefererade."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -8132,7 +8226,7 @@ msgstr ""
 "basobjektet, men inte vid lokalisering av basobjektet för sökningen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -8141,7 +8235,7 @@ msgstr ""
 "basobjektet för sökningen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -8150,7 +8244,7 @@ msgstr ""
 "lokalisering av basobjektet för sökningen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -8159,12 +8253,12 @@ msgstr ""
 "klientbiblioteken)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
@@ -8173,7 +8267,7 @@ msgstr ""
 "servrar som använder schemat RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -8190,7 +8284,7 @@ msgstr ""
 "via anrop av getpw*() eller initgroups()."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -8201,12 +8295,12 @@ msgstr ""
 "de lokala användarna med de extra LDAP-grupperna."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr "wildcard_limit (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
@@ -8215,23 +8309,23 @@ msgstr ""
 "jokertecken."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 "För närvarande stödjer endast respondenten InfoPipe jokeruppslagningar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr "Standard: 1000 (ofta storleken på en sida)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 msgid "ldap_library_debug_level (integer)"
 msgstr "ldap_library_debug_level (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
@@ -8240,7 +8334,7 @@ msgstr ""
 "kommer skrivas oberoende av den allmänna debug_level."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
@@ -8249,7 +8343,7 @@ msgstr ""
 "komponenter, -1 kommer aktivera fullständig felsökningsutmatning."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr "Standard: 0 (libldap-felsökning avaktiverat)"
 
@@ -8274,12 +8368,12 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr "SUDOALTERNATIV"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -8290,12 +8384,12 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
@@ -8305,7 +8399,7 @@ msgstr ""
 "servern)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
@@ -8314,7 +8408,7 @@ msgstr ""
 "emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
@@ -8323,17 +8417,17 @@ msgstr ""
 "0. Dock måste antingen smart eller fullständig uppdatering aktiveras."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr "Standard: 21600 (6 timmar)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -8344,7 +8438,7 @@ msgstr ""
 "USN-värde som för närvarande är känt av SSSD)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
@@ -8353,7 +8447,7 @@ msgstr ""
 "istället."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -8369,7 +8463,7 @@ msgstr ""
 "<emphasis>ldap_connection_expire_timeout</emphasis>)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
@@ -8378,12 +8472,12 @@ msgstr ""
 "Dock måste antingen smart eller fullständig uppdatering aktiveras."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 msgid "ldap_sudo_random_offset (integer)"
 msgstr "ldap_sudo_random_offset (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -8394,7 +8488,7 @@ msgstr ""
 "schemaläggs. Värdet är i sekunder."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -8405,17 +8499,17 @@ msgstr ""
 "tiden under vilken sudo-reglerna inte är tillgängliga för användning."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr "Man kan avaktivera denna fördröjning genom att sätta värdet till 0."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
@@ -8424,12 +8518,12 @@ msgstr ""
 "(genom användning av IPv4- och IPv6-värd-/-nätverksadresser och värdnamn)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
@@ -8438,7 +8532,7 @@ msgstr ""
 "domännamn som skall användas för att filtrera reglerna."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
@@ -8447,8 +8541,8 @@ msgstr ""
 "fullständigt kvalificerade domännamnet automatiskt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
@@ -8457,17 +8551,17 @@ msgstr ""
 "emphasis> har detta alternativ ingen effekt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr "Standard: inte angivet"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
@@ -8476,7 +8570,7 @@ msgstr ""
 "skall användas för att filtrera reglerna."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
@@ -8485,12 +8579,12 @@ msgstr ""
 "automatiskt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "ldap_sudo_include_netgroups (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
@@ -8499,12 +8593,12 @@ msgstr ""
 "attributet sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
@@ -8513,7 +8607,7 @@ msgstr ""
 "attributet sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
@@ -8522,7 +8616,7 @@ msgstr ""
 "LDAP-serversidan!"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -8535,12 +8629,12 @@ msgstr ""
 "manvolnum> </citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr "AUTOFSALTERNATIV"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
@@ -8548,47 +8642,47 @@ msgstr ""
 "Några av standardvärdena för parametrar nedan är beroende på LDAP-schemat."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr "ldap_autofs_map_master_name (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr "Namnet på automount master-kartan i LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr "Standard: auto.master"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr "AVANCERADE ALTERNATIV"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr "<note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -8601,22 +8695,22 @@ msgstr ""
 "avaktivera denna funktion om gruppnamn inte visas korrekt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr "</note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -8629,14 +8723,14 @@ msgstr ""
 "type=\"variablelist\" id=\"1\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr "EXEMPEL"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -8646,7 +8740,7 @@ msgstr ""
 "till en av domänerna i avsnittet <replaceable>[domains]</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -8666,20 +8760,20 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr "LDAP-ÅTKOMSTFILTEREXEMPEL"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
@@ -8688,7 +8782,7 @@ msgstr ""
 "ldap_access_order=lockout används."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -8714,13 +8808,13 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "NOTER"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -9992,7 +10086,7 @@ msgstr ""
 "tillämpligt på grupper i denna SSSD-domän. Lokala grupper utvärderas inte."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -11240,7 +11334,7 @@ msgstr ""
 "identifiera denna värd.  Värdnamnet måste vara fullständigt kvalificerat."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr "dyndns_update (boolean)"
 
@@ -11260,7 +11354,7 @@ msgstr ""
 "alternativet <quote>dyndns_iface</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -11280,12 +11374,12 @@ msgstr ""
 "använda <emphasis>dyndns_update</emphasis> i sin konfigurationsfil."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr "dyndns_ttl (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -11312,12 +11406,12 @@ msgid "Default: 1200 (seconds)"
 msgstr "Standard: 1200 (sekunder)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr "dyndns_iface (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -11350,17 +11444,17 @@ msgstr ""
 "förbindelsen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr "Exempel: dyndns_iface = em1, vnet1, vnet2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr "dyndns_auth (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -11371,17 +11465,17 @@ msgstr ""
 "sätta detta alternativ till ”none”."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr "Standard: GSS-TSIG"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 msgid "dyndns_auth_ptr (string)"
 msgstr "dyndns_auth_ptr (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -11392,7 +11486,7 @@ msgstr ""
 "sätta detta alternativ till ”none”."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr "Standard: samma som dyndns_auth"
 
@@ -11402,7 +11496,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr "ipa_enable_dns_sites (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr "Aktiverar DNS-sajter – platsbaserat tjänsteupptäckt."
 
@@ -11426,7 +11520,7 @@ msgstr ""
 "upptäckten används som backup-servrar"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr "dyndns_refresh_interval (heltal)"
 
@@ -11442,12 +11536,12 @@ msgstr ""
 "alternativ är valfritt och tillämpligt endast när dyndns_update är sann."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr "dyndns_update_ptr (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -11470,12 +11564,12 @@ msgid "Default: False (disabled)"
 msgstr "Standard: False (avaktiverat)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr "dyndns_force_tcp (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
@@ -11484,17 +11578,17 @@ msgstr ""
 "med DNS-servern."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr "Standard: False (låt nsupdate välja protokollet)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr "dyndns_server (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
@@ -11503,7 +11597,7 @@ msgstr ""
 "flesta uppsättningar rekommenderas det att låta detta alternativ vara osatt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
@@ -11512,7 +11606,7 @@ msgstr ""
 "skild från identitetsservern."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
@@ -11522,17 +11616,17 @@ msgstr ""
 "inställningar misslyckas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr "Standard: Ingen (låt nsupdate välja servern)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr "dyndns_update_per_family (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -11679,12 +11773,12 @@ msgstr ""
 "till bas-DN:en för att användas när LDAP-operationer utförs."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr "krb5_confd_path (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
@@ -11693,7 +11787,7 @@ msgstr ""
 "för Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
@@ -11702,7 +11796,7 @@ msgstr ""
 "”none”."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -11726,7 +11820,7 @@ msgstr ""
 "görs många begäranden om skrivbordsprofiler under en kort tid."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr "Standard: 5 (sekunder)"
 
@@ -12405,13 +12499,47 @@ msgstr ""
 "skiftlägesokänsliga i AD-leverantören för kompatibilitet med Active "
 "Directorys LDAP-implementation."
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+#, fuzzy
+#| msgid ""
+#| "If this option is set to <quote>true</quote> SSSD will not filter out "
+#| "Domain Local groups from remote domains in the AD forest. By default they "
+#| "are filtered out e.g. when following a nested group hierarchy in remote "
+#| "domains because they are not valid in the local domain. To be compatible "
+#| "with other solutions which make AD users and groups available on Linux "
+#| "client this option was added."
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+"Om detta alternativ är satt till <quote>sant</quote> kommer SSSD inte att "
+"filtrera ut domänlokala grupper från fjärrdomäner i AD-skogen. Som standard "
+"filtreras de ut t.ex. när man följer en nästad grupphierarki i fjärrdomäner "
+"för att de inte är giltiga i den lokala domänen. För att vara kompatibel med "
+"andra lösningar som gör AD-användare och -grupper tillgängliga i "
+"Linuxklienter lades detta alternativ till."
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr "ad_domain (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
@@ -12420,7 +12548,7 @@ msgstr ""
 "anges används namnet på den konfigurerade domänen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
@@ -12429,7 +12557,7 @@ msgstr ""
 "versionen av den långa versionen av Active Directorys domän."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
@@ -12438,12 +12566,12 @@ msgstr ""
 "detekteras automatiskt av SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr "ad_enabled_domains (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -12455,7 +12583,7 @@ msgstr ""
 "vara tillgängliga."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -12465,7 +12593,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -12476,7 +12604,7 @@ msgstr ""
 "exempel: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
@@ -12485,12 +12613,12 @@ msgstr ""
 "kommer detekteras automatiskt av SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -12501,7 +12629,7 @@ msgstr ""
 "serverredundans se avsnittet <quote>RESERVER</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
@@ -12510,7 +12638,7 @@ msgstr ""
 "tjänsteupptäckt se avsnittet <quote>TJÄNSTEUPPTÄCKT</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
@@ -12519,12 +12647,12 @@ msgstr ""
 "om den primära servern definieras uttryckligen i alternativet ad_server."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -12537,7 +12665,7 @@ msgstr ""
 "sätt då denna parameter uttryckligen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -12548,12 +12676,12 @@ msgstr ""
 "keytab:en gavs ut för."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr "ad_enable_dns_sites (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -12570,12 +12698,12 @@ msgstr ""
 "sajtupptäckten."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr "ad_access_filter (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -12588,7 +12716,7 @@ msgstr ""
 "quote> för att detta alternativ skall ha någon effekt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -12601,7 +12729,7 @@ msgstr ""
 "eller utelämnas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -12614,7 +12742,7 @@ msgstr ""
 "domäner från skogen som anges av <quote>NAMN</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
@@ -12623,7 +12751,7 @@ msgstr ""
 "sökbaser fungerar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -12644,7 +12772,7 @@ msgstr ""
 "utökningar</ulink>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -12657,7 +12785,7 @@ msgstr ""
 "fler matchningar med samma specifikation används den första."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -12687,12 +12815,12 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr "ad_site (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
@@ -12701,12 +12829,12 @@ msgstr ""
 "alternativ inte anges kommer AD-sajten att automatupptäckas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr "ad_enable_gc (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -12719,7 +12847,7 @@ msgstr ""
 "endast ansluter till LDAP-porten på den aktuella AD-servern."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -12732,12 +12860,12 @@ msgstr ""
 "användas för att slå upp gruppmedlemskap över domäner."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr "ad_gpo_access_control (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -12752,7 +12880,7 @@ msgstr ""
 "quote> för att detta alternativ skall ha någon effekt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -12765,7 +12893,7 @@ msgstr ""
 "policyinställningarna se flaggan  <quote>ad_gpo_map</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -12778,7 +12906,7 @@ msgstr ""
 "uppströms ärendehanterare https://github.com/SSSD/sssd/issues/5063 ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -12793,7 +12921,7 @@ msgstr ""
 "grupper den tillhör ha följande rättigheter på GPO:n:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
@@ -12802,7 +12930,7 @@ msgstr ""
 "egenskaperna hos GPO:n (RIGHT_DS_READ_PROPERTY)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
@@ -12811,7 +12939,7 @@ msgstr ""
 "ha tillåtelse att verkställa GPO:n (RIGHT_DS_CONTROL_ACCESS)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -12826,7 +12954,7 @@ msgstr ""
 "autentiserade användarens grupprättigheter på GPO:n för användaren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -12852,12 +12980,12 @@ msgstr ""
 "<manvolnum>8</manvolnum></citerefentry>)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr "Det finns tre stödda värden för detta alternativ:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
@@ -12865,12 +12993,12 @@ msgstr ""
 "påtvingas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr "enforcing: GPO-baserade åtkomstkontrollregler evalueras och påtvingas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -12882,22 +13010,22 @@ msgstr ""
 "till enforcing."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr "Standard: permissive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr "Standard: enforcing"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr "ad_gpo_implicit_deny (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -12915,7 +13043,7 @@ msgstr ""
 "tillämpliga på dem."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -12926,74 +13054,74 @@ msgstr ""
 "på serversidan och inställningen av ad_gpo_implicit_deny."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr "ad_gpo_implicit_deny = False (standard)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr "tillåtelseregler"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr "nekanderegler"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr "resultat"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr "saknas"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 msgid "all users are allowed"
 msgstr "alla användare tillåts"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr "finns"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr "endast användare som inte finns i nekanderegler tillåts"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 msgid "only users in allow-rules are allowed"
 msgstr "endast användare i tillåtelseregler tillåts"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr "endast användare i tillåtelse och inte i nekanderegler tillåts"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr "ad_gpo_implicit_deny = True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 msgid "no users are allowed"
 msgstr "inga användare tillåts"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr "ad_gpo_ignore_unreadable (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -13008,12 +13136,12 @@ msgstr ""
 "för SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr "ad_gpo_cache_timeout (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -13024,12 +13152,12 @@ msgstr ""
 "begäranden om åtkomstkontroll under en kort tid."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr "ad_gpo_map_interactive (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -13057,7 +13185,7 @@ msgstr ""
 "policyinställningen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
@@ -13066,7 +13194,7 @@ msgstr ""
 "”Tillåt inloggning lokalt” och ”Neka inloggning lokalt”."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -13076,7 +13204,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13096,42 +13224,42 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr "gdm-fingerprint"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr "lightdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr "lxdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr "sddm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr "unity"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr "xdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr "ad_gpo_map_remote_interactive (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -13159,7 +13287,7 @@ msgstr ""
 "den policyinställningen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -13170,7 +13298,7 @@ msgstr ""
 "fjärrinloggningstjänster”."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -13180,7 +13308,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13200,22 +13328,22 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr "sshd"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr "cockpit"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr "ad_gpo_map_network (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -13242,7 +13370,7 @@ msgstr ""
 "denne eller åtminstone en av dess grupper är del av den policyinställningen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -13253,7 +13381,7 @@ msgstr ""
 "nätverket”."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -13263,7 +13391,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13283,22 +13411,22 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr "ftp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr "samba"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr "ad_gpo_map_batch (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -13325,7 +13453,7 @@ msgstr ""
 "policyinställningen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
@@ -13335,7 +13463,7 @@ msgstr ""
 "jobb”."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -13345,7 +13473,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13365,7 +13493,7 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
@@ -13373,17 +13501,17 @@ msgstr ""
 "används."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr "crond"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr "ad_gpo_map_service (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -13410,7 +13538,7 @@ msgstr ""
 "denne eller åtminstone en av dess grupper är del av den policyinställningen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
@@ -13419,7 +13547,7 @@ msgstr ""
 "”Tillåt inloggning som en tjänst” och ”Neka inloggning som en tjänst”."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -13429,7 +13557,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -13447,12 +13575,12 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr "ad_gpo_map_permit (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
@@ -13461,7 +13589,7 @@ msgstr ""
 "alltid tillåts, oavsett några andra GPO-inloggningsrättigheter."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -13471,7 +13599,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13491,22 +13619,22 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr "polkit-1"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr "systemd-user"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr "ad_gpo_map_deny (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
@@ -13515,7 +13643,7 @@ msgstr ""
 "alltid nekas, oavsett några andra GPO-inloggningsrättigheter."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -13525,12 +13653,12 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr "ad_gpo_default_right (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -13552,57 +13680,57 @@ msgstr ""
 "för omappade PAM-tjänstenamn."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr "Värden som stödjs för detta alternativ inkluderar:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr "interactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr "remote_interactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr "network"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr "batch"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr "service"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr "permit"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr "deny"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr "Standard: deny"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr "ad_maximum_machine_account_password_age (heltal)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -13613,17 +13741,17 @@ msgstr ""
 "förhindra förnyelseförsöket."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr "Standard: 30 dagar"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr "ad_machine_account_password_renewal_opts (sträng)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -13638,17 +13766,17 @@ msgstr ""
 "i sekunder före funktionen körs för första gången efter uppstart."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr "Standard: 86400:750 (24h och 15m)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr "ad_update_samba_machine_account_password (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -13661,12 +13789,12 @@ msgstr ""
 "AD för autentisering."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr "ad_use_ldaps (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -13684,12 +13812,12 @@ msgstr ""
 "(noll) för dessa förbindelser."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr "ad_allow_remote_domain_local_groups (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -13706,7 +13834,7 @@ msgstr ""
 "Linuxklienter lades detta alternativ till."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -13731,7 +13859,7 @@ msgstr ""
 "också de domänlokala fjärrgrupperna saknas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -13751,7 +13879,7 @@ msgstr ""
 "endast finns med en djupare nästningsnivå."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -13768,12 +13896,12 @@ msgstr ""
 "på annat sätt med alternativet <quote>dyndns_iface</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr "Standard: 3600 (sekunder)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
@@ -13782,7 +13910,7 @@ msgstr ""
 "förbindelsen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -13797,7 +13925,7 @@ msgstr ""
 "mindre än 60 ges kommer parametern endast anta det lägsta värdet."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -13808,7 +13936,7 @@ msgstr ""
 "exempel visar endast alternativ som är specifika för leverantören AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -13832,7 +13960,7 @@ msgstr ""
 "ad_domain = example.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -13844,7 +13972,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -13855,7 +13983,7 @@ msgstr ""
 "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -13870,7 +13998,7 @@ msgstr ""
 "krypteringsdetaljer) manuellt."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -20813,16 +20941,30 @@ msgstr "Skaparauktoritet"
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
+#, fuzzy
+#| msgid "Creator Authority"
+msgid "Mandatory Label Authority"
+msgstr "Skaparauktoritet"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:295
+#, fuzzy
+#| msgid "Authentication failure."
+msgid "Authentication Authority"
+msgstr "Autentiseringsfel."
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
 msgid "NT Authority"
 msgstr "NT-auktoritet"
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
-#: include/ldap_id_mapping.xml:295
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr "Inbyggd"
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
@@ -20831,16 +20973,27 @@ msgstr ""
 "fullständigt kvalificerade namnet på en välkänd SID returneras."
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
+#, fuzzy
+#| msgid ""
+#| "Since some utilities allow to modify SID based access control information "
+#| "with the help of a name instead of using the SID directly SSSD supports "
+#| "to look up the SID by the name as well. To avoid collisions only the "
+#| "fully qualified names can be used to look up Well-Known SIDs. As a result "
+#| "the domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</"
+#| "quote>, <quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</"
+#| "quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not "
+#| "be used as domain names in <filename>sssd.conf</filename>."
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 "Eftersom några verktyg tillåter att man ändrar SID-baserad "
 "åtkomststyrningsinformation med hjälp av ett namn istället för att använda "
@@ -21688,13 +21841,38 @@ msgstr ""
 "placera den motsvarande keytab-posten som sista post eller den enda posten i "
 "keytab-filen."
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+#, fuzzy
+#| msgid "Default: false (AD provider: true)"
+msgid "Default: false (IPA and AD provider: true)"
+msgstr "Standard: false (AD-leverantör: true)"
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+"Se parametern <quote>dns_discovery_domain</quote> i manualsidan "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> för fler detaljer."
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr "krb5_renewable_lifetime (sträng)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
@@ -21703,36 +21881,36 @@ msgstr ""
 "omedelbart följd av en tidsenhet:"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr "<emphasis>s</emphasis> för sekunder"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr "<emphasis>m</emphasis> för minuter"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr "<emphasis>h</emphasis> för timmar"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr "<emphasis>d</emphasis> för dagar."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr "Om ingen enhet anges antas <emphasis>s</emphasis>."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
@@ -21742,17 +21920,17 @@ msgstr ""
 "”1h30m”."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr "Standard: inte satt, d.v.s. TGT:en är inte förnybar"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr "krb5_lifetime (sträng)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
@@ -21761,12 +21939,12 @@ msgstr ""
 "en tidsenhet:"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr "Om ingen enhet anges antas <emphasis>s</emphasis>."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
@@ -21775,7 +21953,7 @@ msgstr ""
 "livslängden till en och en halv timma, använd ”90m” istället för ”1h30m”."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
@@ -21783,12 +21961,12 @@ msgstr ""
 "n."
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr "krb5_renew_interval (sträng)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -21799,14 +21977,14 @@ msgstr ""
 "heltal omedelbart följt av en tidsenhet:"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 "Om detta alternativ inte är satt eller är 0 är den automatiska förnyelsen "
 "avaktiverad."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
@@ -21814,6 +21992,17 @@ msgstr ""
 "Anger om värdens och användarens huvudman skall göras kanonisk.  Denna "
 "funktion är tillgänglig med MIT Kerberos 1.7 och senare versioner."
 
+#~ msgid ""
+#~ "Apply additional checks on the PAC of the Kerberos ticket which is "
+#~ "available in Active Directory and FreeIPA domains, if configured. The "
+#~ "following options can be used alone or in a comma-separated list: "
+#~ "<placeholder type=\"variablelist\" id=\"0\"/>"
+#~ msgstr ""
+#~ "Tillämpa ytterligare kontroller av PAC:en för Kerberos-biljetten vilka är "
+#~ "tillgänglig i domänen Active Direcktory och FreeIPA, om konfigurerade. "
+#~ "Följande alternativ kan användas ensamma eller i en kommaseparerad lista: "
+#~ "<placeholder type=\"variablelist\" id=\"0\"/>"
+
 #~ msgid ""
 #~ "Both a user name and a uid can be used but the user should be a local "
 #~ "one, i.e. accessible via <quote>files</quote> service of "
diff --git a/src/man/po/tg.po b/src/man/po/tg.po
index cba35037a45..729ebd7a92c 100644
--- a/src/man/po/tg.po
+++ b/src/man/po/tg.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2014-12-15 12:10-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Tajik (http://www.transifex.com/projects/p/sssd/language/"
@@ -205,10 +205,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr "Пешфарз: true"
 
@@ -226,12 +226,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr "Пешфарз: false"
 
@@ -263,8 +263,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -294,7 +294,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr "Пешфарз: 10"
 
@@ -370,8 +370,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "Пешфарз: 3"
 
@@ -392,7 +392,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr ""
 
@@ -412,12 +412,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -425,39 +425,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -595,11 +595,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr ""
 
@@ -865,8 +865,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr ""
 
@@ -1013,7 +1013,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr ""
 
@@ -1119,7 +1119,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr ""
 
@@ -1488,7 +1488,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr ""
 
@@ -1514,8 +1514,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr "Пешфарз: 6"
@@ -1825,7 +1825,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
@@ -1838,7 +1838,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1852,7 +1852,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Пешфарз: 0"
 
@@ -1915,8 +1915,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr ""
 
@@ -1981,9 +1981,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr ""
 
@@ -1998,7 +1998,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2094,48 +2094,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2253,7 +2253,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr ""
 
@@ -2287,7 +2287,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -2297,7 +2297,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2317,7 +2317,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr ""
@@ -2677,25 +2677,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2703,73 +2714,71 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -2779,66 +2788,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -2846,17 +2855,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -2864,7 +2873,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -2873,56 +2882,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 msgid "exclude_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 msgid "Default: Empty. No users excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 msgid "exclude_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 msgid "Default: Empty. No groups excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -2932,12 +2941,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -2946,14 +2955,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -2962,38 +2971,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3002,24 +3011,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3028,29 +3037,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr "Пешфарз: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3064,14 +3073,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3080,39 +3089,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3121,19 +3130,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3144,139 +3153,139 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr "Пешфарз: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3285,17 +3294,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3307,33 +3316,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3341,19 +3350,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3362,17 +3371,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr "Пешфарз: 0 (номаҳдуд)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3381,28 +3390,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3410,7 +3419,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3418,8 +3427,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3428,8 +3437,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3437,19 +3446,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3458,7 +3467,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3466,24 +3475,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3495,27 +3504,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3523,7 +3543,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3531,30 +3551,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3562,19 +3582,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3583,7 +3603,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3591,29 +3611,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3621,7 +3641,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3629,35 +3649,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3665,32 +3685,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3701,7 +3721,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3710,12 +3730,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3723,7 +3743,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3731,31 +3751,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3763,7 +3783,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3772,17 +3792,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -3790,43 +3810,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3834,7 +3854,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3842,7 +3862,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3850,24 +3870,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3875,31 +3895,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3907,7 +3927,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -3916,12 +3936,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3931,7 +3951,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -3940,29 +3960,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3970,104 +3990,102 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 msgid "dns_resolver_server_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 msgid "dns_resolver_op_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4076,64 +4094,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4141,38 +4159,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4180,49 +4191,104 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
+#: sssd.conf.5.xml:3695
+msgid "ldap_search_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+msgid "ldap_network_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+msgid "ldap_opt_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+msgid "ldap_offline_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3707
+msgid "ldap_enumeration_refresh_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+msgid "ldap_enumeration_refresh_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+msgid "ldap_purge_cache_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+msgid "ldap_krb5_ticket_lifetime"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+msgid "ldap_enumeration_search_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+msgid "ldap_connection_expire_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+msgid "ldap_connection_expire_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 msgid "ldap_connection_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4230,27 +4296,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4260,34 +4326,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4296,19 +4362,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4316,24 +4382,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4342,24 +4408,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4369,14 +4435,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4384,21 +4450,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4406,7 +4472,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4415,7 +4481,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4424,7 +4490,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4432,29 +4498,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4462,12 +4528,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4475,12 +4541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4489,12 +4555,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4502,19 +4568,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -4531,7 +4597,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -4539,17 +4605,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -4558,7 +4624,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -4568,7 +4634,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4588,12 +4654,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -4604,69 +4670,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -4679,7 +4745,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -4687,7 +4753,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -4696,55 +4762,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -4753,17 +4819,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -4771,26 +4837,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -4799,17 +4865,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -4819,7 +4885,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -4828,59 +4894,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -4889,7 +4955,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -4898,7 +4964,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -4907,7 +4973,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -4915,12 +4981,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4950,7 +5016,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -4959,7 +5025,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -4967,7 +5033,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -4978,7 +5044,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -4992,7 +5058,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5055,7 +5121,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5156,7 +5222,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr "Намунаҳо:"
@@ -5372,12 +5438,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5385,7 +5451,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5394,12 +5460,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5407,7 +5473,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5417,7 +5483,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5427,34 +5493,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr "Пешфарз: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -5462,32 +5528,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5495,7 +5561,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5503,12 +5569,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5516,12 +5582,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5532,12 +5598,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5546,12 +5612,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5560,7 +5626,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -5571,36 +5637,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -5608,29 +5674,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5638,14 +5704,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5653,17 +5719,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5673,12 +5739,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5686,17 +5752,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -5704,12 +5770,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5717,7 +5783,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -5728,7 +5794,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5737,7 +5803,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5745,12 +5811,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -5758,7 +5824,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -5766,26 +5832,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5793,7 +5859,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5801,7 +5867,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5809,41 +5875,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5852,32 +5918,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5885,24 +5951,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5910,17 +5976,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5931,24 +5997,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -5959,12 +6025,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -5977,7 +6043,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -5989,17 +6055,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -6007,49 +6073,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr "Пешфарз: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6057,28 +6123,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6090,7 +6156,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6098,7 +6164,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6106,39 +6172,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6148,7 +6214,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6156,26 +6222,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6184,7 +6250,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6192,31 +6258,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6229,51 +6295,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -6282,12 +6348,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6303,12 +6369,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr "Намуна:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6317,14 +6383,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6333,24 +6399,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6358,19 +6424,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6379,7 +6445,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6387,7 +6453,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6396,7 +6462,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6404,22 +6470,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6429,14 +6495,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6449,12 +6515,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6464,7 +6530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6474,63 +6540,63 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6539,74 +6605,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6617,7 +6683,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6625,48 +6691,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 msgid "ldap_library_debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr ""
 
@@ -6683,12 +6749,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6696,43 +6762,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -6740,14 +6806,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -6757,19 +6823,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 msgid "ldap_sudo_random_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -6777,7 +6843,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -6785,106 +6851,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6893,59 +6959,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -6954,22 +7020,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -6978,14 +7044,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr "НАМУНА"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -6993,7 +7059,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7006,27 +7072,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7042,13 +7108,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "ЭЗОҲҲО"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8054,7 +8120,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -9081,7 +9147,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr ""
 
@@ -9096,7 +9162,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -9111,12 +9177,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -9137,12 +9203,12 @@ msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -9166,17 +9232,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -9184,17 +9250,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 msgid "dyndns_auth_ptr (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -9202,7 +9268,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -9212,7 +9278,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
@@ -9229,7 +9295,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
@@ -9242,12 +9308,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -9266,60 +9332,60 @@ msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -9450,26 +9516,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -9488,7 +9554,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr ""
 
@@ -10039,39 +10105,59 @@ msgid ""
 "LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -10079,7 +10165,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -10087,7 +10173,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -10095,19 +10181,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -10115,26 +10201,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -10143,7 +10229,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -10151,12 +10237,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -10167,12 +10253,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -10181,7 +10267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -10190,7 +10276,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -10199,14 +10285,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -10219,7 +10305,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -10228,7 +10314,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -10246,24 +10332,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -10272,7 +10358,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -10281,12 +10367,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -10296,7 +10382,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -10305,7 +10391,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -10314,7 +10400,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -10324,21 +10410,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -10348,7 +10434,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -10363,23 +10449,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -10387,22 +10473,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -10413,7 +10499,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -10421,74 +10507,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 msgid "all users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 msgid "only users in allow-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 msgid "no users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -10498,12 +10584,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -10511,12 +10597,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -10532,14 +10618,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -10547,7 +10633,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10559,42 +10645,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -10610,7 +10696,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -10618,7 +10704,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -10626,7 +10712,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10638,22 +10724,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -10669,7 +10755,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -10677,7 +10763,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -10685,7 +10771,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10697,22 +10783,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -10727,14 +10813,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -10742,7 +10828,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10754,23 +10840,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -10786,14 +10872,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -10801,7 +10887,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -10812,19 +10898,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -10832,7 +10918,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10844,29 +10930,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -10874,12 +10960,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -10892,57 +10978,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -10950,17 +11036,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -10970,17 +11056,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -10989,12 +11075,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -11005,12 +11091,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -11021,7 +11107,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -11036,7 +11122,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -11048,7 +11134,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -11059,19 +11145,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -11081,7 +11167,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -11089,7 +11175,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -11104,7 +11190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -11113,7 +11199,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -11121,7 +11207,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -11131,7 +11217,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -16793,32 +16879,43 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+msgid "Authentication Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -17489,96 +17586,111 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+msgid "Default: false (IPA and AD provider: true)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -17586,12 +17698,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
diff --git a/src/man/po/uk.po b/src/man/po/uk.po
index 71219b33a64..8c15b578738 100644
--- a/src/man/po/uk.po
+++ b/src/man/po/uk.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2022-09-04 11:19+0000\n"
 "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
 "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/sssd/"
@@ -24,8 +24,8 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
-"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
+"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
+"n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
 "X-Generator: Weblate 4.14\n"
 
 #. type: Content of: <reference><title>
@@ -260,10 +260,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr "Типове значення: true"
 
@@ -284,12 +284,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr "Типове значення: false"
 
@@ -329,8 +329,8 @@ msgstr ""
 "встановлення цього значення не впливає на інші типи журналювання)."
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -364,7 +364,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr "Типове значення: 10"
 
@@ -457,8 +457,8 @@ msgstr ""
 "визнання подальших спроб безнадійними."
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "Типове значення: 3"
 
@@ -486,7 +486,7 @@ msgstr ""
 "використовувати символ «/»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr "re_expression (рядок)"
 
@@ -512,12 +512,12 @@ msgstr ""
 "ДОМЕНІВ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr "full_name_format (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -529,32 +529,32 @@ msgstr ""
 "домену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr "ім’я користувача"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr "назва домену у форматі, вказаному у файлі налаштувань SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
@@ -563,7 +563,7 @@ msgstr ""
 "Directory, налаштованих та автоматично виявлених за зв’язками довіри IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -749,11 +749,11 @@ msgstr ""
 "default_domain_suffix."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr "Типове значення: not set"
 
@@ -1091,8 +1091,8 @@ msgstr ""
 "різних доменах можуть бути однаковими."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr "Типове значення: не встановлено"
 
@@ -1280,7 +1280,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr "Типове значення: 60"
 
@@ -1405,7 +1405,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr "Типове значення: 300"
 
@@ -1865,7 +1865,7 @@ msgstr ""
 "для запитів passwd. Встановлення розміру 0 вимкне кеш у пам'яті для passwd."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr "Типове значення: 8"
 
@@ -1895,8 +1895,8 @@ msgstr ""
 "для запитів group. Встановлення розміру 0 вимкне кеш у пам'яті для group."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr "Типове значення: 6"
@@ -2271,7 +2271,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr ""
 "Показати попередження за вказану кількість днів перед завершенням дії пароля."
@@ -2288,7 +2288,7 @@ msgstr ""
 "попередження."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -2307,7 +2307,7 @@ msgstr ""
 "<emphasis>pwd_expiration_warning</emphasis> для окремого домену."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Типове значення: 0"
 
@@ -2385,8 +2385,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr "Типове значення: none"
 
@@ -2465,9 +2465,9 @@ msgstr ""
 "розпізнавання, типово таку сертифікацію вимкнено."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr "Типове значення: False"
 
@@ -2482,7 +2482,7 @@ msgid "The path to the certificate database."
 msgstr "Шлях до бази даних сертифікатів."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr "Типове значення:"
 
@@ -2605,49 +2605,49 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 "Типове значення: типовий набір назв служб PAM складається з таких значень:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr "login"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr "su"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr "su-l"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr "gdm-smartcard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr "gdm-password"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr "kdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr "sudo"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr "sudo-i"
 
@@ -2795,7 +2795,7 @@ msgid "Default: no_session"
 msgstr "Типове значення: no_session"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr "pam_gssapi_services"
 
@@ -2839,7 +2839,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Приклад: <placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -2849,7 +2849,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr "Типове значення: - (розпізнавання за GSSAPI вимкнено)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr "pam_gssapi_check_upn"
 
@@ -2875,7 +2875,7 @@ msgstr ""
 "зможуть отримати бажаний квиток служби."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr "Типове значення: True"
@@ -3345,13 +3345,24 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr "pac_check (рядок)"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr "no_check"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
@@ -3360,12 +3371,12 @@ msgstr ""
 "виконано не буде."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr "pac_present"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -3376,12 +3387,12 @@ msgstr ""
 "зазнає невдачі."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr "check_upn"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
@@ -3390,23 +3401,23 @@ msgstr ""
 "користувача (UPN)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr "upn_dns_info_present"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 "PAC має містити буфер UPN-DNS-INFO; неявним чином встановлює «check_upn»."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr "check_upn_dns_info_ex"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
@@ -3415,12 +3426,12 @@ msgstr ""
 "узгодженими дані у розширенні."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr "upn_dns_info_ex_present"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
@@ -3429,20 +3440,20 @@ msgstr ""
 "«check_upn_dns_info_ex», «upn_dns_info_present» і «check_upn»."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder "
+#| "type=\"variablelist\" id=\"0\"/>"
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
-"Застосувати додаткові перевірки щодо PAC квитка Kerberos, який доступний у "
-"доменах Active Directory і FreeIPA, якщо налаштовано. Вказані нижче "
-"параметри може бути застосовано окремо або у форматі списку відокремлених "
-"комами значень: <placeholder type=\"variablelist\" id=\"0\"/>"
+"Передбачено використання таких замінників: <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
@@ -3450,12 +3461,12 @@ msgstr ""
 "check_upn_dns_info_ex»)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr "Параметри налаштовування запису сеансів"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -3470,32 +3481,32 @@ msgstr ""
 "session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr "Цими параметрами можна скористатися для налаштовування запису сеансів."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr "scope (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr "\"none\""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr "Користувачі не записуються."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr "\"some\""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
@@ -3504,17 +3515,17 @@ msgstr ""
 "<replaceable>користувачі</replaceable> і <replaceable>групи</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr "\"all\""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr "Усі користувачі записуються."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
@@ -3523,17 +3534,17 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr "Типове значення: none"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr "users (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -3545,17 +3556,17 @@ msgstr ""
 "тощо."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr "Типове значення: порожнє. Не відповідає жодному користувачу."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr "groups (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -3567,7 +3578,7 @@ msgstr ""
 "символів тощо."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -3580,17 +3591,17 @@ msgstr ""
 "належить користувач."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr "Типове значення: порожнє. Не відповідає жодній групі."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 msgid "exclude_users (string)"
 msgstr "exclude_users (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
@@ -3599,17 +3610,17 @@ msgstr ""
 "записування. Може бути застосовано лише разом із «scope=all»."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 msgid "Default: Empty. No users excluded."
 msgstr "Типове значення: порожнє. Не виключати жодного користувача."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 msgid "exclude_groups (string)"
 msgstr "exclude_groups (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
@@ -3618,22 +3629,22 @@ msgstr ""
 "із записування. Може бути застосовано лише разом із «scope=all»."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 msgid "Default: Empty. No groups excluded."
 msgstr "Типове значення: порожнє. Не виключати жодної групи."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr "РОЗДІЛИ ДОМЕНІВ"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr "enabled"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -3648,12 +3659,12 @@ msgstr ""
 "параметрі доменів у розділі <quote>[sssd]</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr "domain_type (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -3666,7 +3677,7 @@ msgstr ""
 "з доменів POSIX."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
@@ -3675,7 +3686,7 @@ msgstr ""
 "<quote>application</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -3687,7 +3698,7 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) і відповідача PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
@@ -3696,7 +3707,7 @@ msgstr ""
 "application з <quote>id_provider=ldap</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
@@ -3705,17 +3716,17 @@ msgstr ""
 "ласка, ознайомтеся із розділом <quote>Домени програм</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr "Типове значення: posix"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (ціле значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -3724,7 +3735,7 @@ msgstr ""
 "відповідає цим обмеженням, його буде проігноровано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3737,7 +3748,7 @@ msgstr ""
 "основної групи і належать діапазону, буде виведено у звичайному режимі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
@@ -3746,17 +3757,17 @@ msgstr ""
 "лише повернення записів за назвою або ідентифікатором."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Типові значення: 1 для min_id, 0 (без обмежень) для max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr "enumerate (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3769,22 +3780,22 @@ msgstr ""
 "мати такі значення:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = користувачі і групи нумеруються"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = не використовувати нумерацію для цього домену"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr "Типове значення: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
@@ -3793,7 +3804,7 @@ msgstr ""
 "користувачів і груп із віддаленого сервера."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3816,7 +3827,7 @@ msgstr ""
 "<quote>sssd_be</quote> або навіть перезапуску усього засобу стеження."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -3826,7 +3837,7 @@ msgstr ""
 "завершено."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3840,7 +3851,7 @@ msgstr ""
 "відповідного використаного засобу обробки ідентифікаторів (id_provider)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -3849,32 +3860,32 @@ msgstr ""
 "об’ємних середовищах."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr "Усі виявлені надійні домени буде пронумеровано"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr "Нумерація виявлених надійних доменів не виконуватиметься"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3887,12 +3898,12 @@ msgstr ""
 "доменів, для яких буде увімкнено нумерацію."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -3901,7 +3912,7 @@ msgstr ""
 "надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3918,17 +3929,17 @@ msgstr ""
 "<manvolnum>8</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr "Типове значення: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -3937,19 +3948,19 @@ msgstr ""
 "чинними, перш ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr "Типове значення: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -3958,12 +3969,12 @@ msgstr ""
 "ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -3972,12 +3983,12 @@ msgstr ""
 "чинними, перш ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -3986,12 +3997,12 @@ msgstr ""
 "ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr "entry_cache_resolver_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
@@ -4000,12 +4011,12 @@ msgstr ""
 "чинними, перш ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -4014,12 +4025,12 @@ msgstr ""
 "надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -4028,12 +4039,12 @@ msgstr ""
 "чинними, перш ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr "entry_cache_ssh_host_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
@@ -4043,12 +4054,12 @@ msgstr ""
 "вузла у кеші."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr "entry_cache_computer_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
@@ -4057,12 +4068,12 @@ msgstr ""
 "перш ніж надсилати запит до модуля обробки даних знову"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
@@ -4072,7 +4083,7 @@ msgstr ""
 "вичерпано або майже вичерпано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -4086,18 +4097,18 @@ msgstr ""
 "запис користувача, і дані щодо участі у групах."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr "Цей параметр автоматично успадковується для усіх довірених доменів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 "Варто визначити для цього параметра значення 3/4 * entry_cache_timeout."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -4118,37 +4129,37 @@ msgstr ""
 "чинність наявного кешу."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr "Типове значення: 0 (вимкнено)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "Визначає, чи слід також кешувати реєстраційні дані користувача у локальному "
 "кеші LDB"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "Реєстраційні дані користувача зберігаються у форматі хешу SHA512, а не у "
 "форматі звичайного тексту"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr "cache_credentials_minimal_first_factor_length (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -4160,7 +4171,7 @@ msgstr ""
 "контрольної суми SHA512 у кеші."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
@@ -4170,12 +4181,12 @@ msgstr ""
 "мішенню атак із перебиранням паролів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -4188,17 +4199,17 @@ msgstr ""
 "offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr "Типове значення: 0 (без обмежень)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -4211,17 +4222,17 @@ msgstr ""
 "даних розпізнавання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Типове значення: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr "id_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -4229,12 +4240,12 @@ msgstr ""
 "Серед підтримуваних засобів такі:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr "«proxy»: підтримка застарілого модуля надання даних NSS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -4246,7 +4257,7 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -4257,8 +4268,8 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -4271,8 +4282,8 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4284,12 +4295,12 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -4299,7 +4310,7 @@ msgstr ""
 "NSS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -4312,7 +4323,7 @@ msgstr ""
 "не покаже користувача, а <command>getent passwd test@LOCAL</command> покаже."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -4323,7 +4334,7 @@ msgstr ""
 "груп, якщо задано неповну назву, буде виконано пошук у всіх доменах."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
@@ -4332,17 +4343,17 @@ msgstr ""
 "використано default_domain_suffix)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr "Не повертати записи учасників груп для пошуків груп."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -4361,7 +4372,7 @@ msgstr ""
 "$groupname</quote> поверне запитану групу так, наче вона була порожня."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -4371,13 +4382,26 @@ msgstr ""
 "надання доступу для участі у групі, особливо для груп, у яких багато "
 "учасників."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+"Цей параметр також може бути встановлено для окремого піддомену або "
+"успадковано за допомогою <emphasis>subdomain_inherit</emphasis>."
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr "auth_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -4386,7 +4410,7 @@ msgstr ""
 "служб розпізнавання:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4398,7 +4422,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4410,18 +4434,18 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr "<quote>proxy</quote> — трансльоване розпізнавання у іншій системі PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> — вимкнути розпізнавання повністю."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -4430,12 +4454,12 @@ msgstr ""
 "спосіб встановлено і можлива обробка запитів щодо розпізнавання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr "access_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -4446,7 +4470,7 @@ msgstr ""
 "Вбудованими програмами є:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -4455,12 +4479,12 @@ msgstr ""
 "доступу для локального домену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> — завжди забороняти доступ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -4473,7 +4497,7 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -4485,24 +4509,24 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 "<quote>proxy</quote> — для трансляції керування доступом до іншого модуля "
 "PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr "Типове значення: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -4511,7 +4535,7 @@ msgstr ""
 "підтримку таких систем зміни паролів:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -4523,7 +4547,7 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4535,18 +4559,18 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr "<quote>proxy</quote> — трансльована зміна пароля у іншій системі PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "<quote>none</quote> — явно вимкнути можливість зміни пароля."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -4555,19 +4579,19 @@ msgstr ""
 "цього параметра і якщо система здатна обробляти запити щодо паролів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "Служба SUDO, яку використано для цього домену. Серед підтримуваних служб "
 "SUDO:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4579,7 +4603,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
@@ -4588,7 +4612,7 @@ msgstr ""
 "параметрами IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
@@ -4597,20 +4621,20 @@ msgstr ""
 "параметрами AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote> явним чином вимикає SUDO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "Типове значення: використовується значення <quote>id_provider</quote>, якщо "
 "його встановлено."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -4629,7 +4653,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -4643,12 +4667,12 @@ msgstr ""
 "sudo у SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -4659,7 +4683,7 @@ msgstr ""
 "доступу. Передбачено підтримку таких засобів надання даних SELinux:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4671,14 +4695,14 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 "<quote>none</quote> явним чином забороняє отримання даних щодо параметрів "
 "SELinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -4687,12 +4711,12 @@ msgstr ""
 "спосіб встановлено і можлива обробка запитів щодо завантаження SELinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -4702,7 +4726,7 @@ msgstr ""
 "підтримку таких засобів надання даних піддоменів:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4714,7 +4738,7 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -4727,17 +4751,17 @@ msgstr ""
 "налаштовування засобу надання даних AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr "<quote>none</quote> забороняє ячним чином отримання даних піддоменів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr "session_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -4749,14 +4773,14 @@ msgstr ""
 "постачальники даних сеансів:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 "<quote>ipa</quote>, щоб дозволити пов'язані із сеансами користувачів "
 "завдання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
@@ -4764,7 +4788,7 @@ msgstr ""
 "користувачів завдань."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
@@ -4773,7 +4797,7 @@ msgstr ""
 "його встановлено і дозволено виконувати пов'язані із сеансами завдання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
@@ -4783,12 +4807,12 @@ msgstr ""
 "непривілейованого користувача."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -4796,7 +4820,7 @@ msgstr ""
 "autofs:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4808,7 +4832,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4820,7 +4844,7 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -4832,17 +4856,17 @@ msgstr ""
 "надання даних AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> вимикає autofs повністю."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -4851,7 +4875,7 @@ msgstr ""
 "вузла. Серед підтримуваних засобів надання hostid:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -4863,17 +4887,17 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> вимикає hostid повністю."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr "resolver_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
@@ -4882,7 +4906,7 @@ msgstr ""
 "підтримку таких надавачів даних для визначення:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
@@ -4891,7 +4915,7 @@ msgstr ""
 "Див. <quote>proxy_resolver_lib_name</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -4903,7 +4927,7 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -4916,13 +4940,13 @@ msgstr ""
 "налаштовування засобу надання даних AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 "<quote>none</quote> забороняє ячним чином отримання даних вузлів і мереж."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -4936,7 +4960,7 @@ msgstr ""
 "IPA та доменів Active Directory, простій назві (NetBIOS) домену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -4949,22 +4973,22 @@ msgstr ""
 "різні стилі запису імен користувачів:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr "користувач"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr "користувач@назва.домену"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr "домен\\користувач"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -4973,7 +4997,7 @@ msgstr ""
 "того, щоб полегшити інтеграцію користувачів з доменів Windows."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -4984,17 +5008,17 @@ msgstr ""
 "домену — все після цього символу."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Типове значення: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -5003,48 +5027,48 @@ msgstr ""
 "під час виконання пошуків у DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr "Передбачено підтримку таких значень:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first: спробувати визначити адресу у форматі IPv4, у разі невдачі "
 "спробувати формат IPv6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 "ipv4_only: намагатися визначити назви вузлів лише у форматі адрес IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first: спробувати визначити адресу у форматі IPv6, у разі невдачі "
 "спробувати формат IPv4"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 "ipv6_only: намагатися визначити назви вузлів лише у форматі адрес IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr "Типове значення: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 msgid "dns_resolver_server_timeout (integer)"
 msgstr "dns_resolver_server_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
@@ -5053,7 +5077,7 @@ msgstr ""
 "обмінятися даними із сервером DNS, перш ніж пробувати наступний сервер DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
@@ -5061,8 +5085,7 @@ msgstr ""
 "очікування на відгук на луна-імпульс CLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
@@ -5071,22 +5094,26 @@ msgstr ""
 "більше про розв'язування питань, пов'язаних із службами."
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr "Типове значення: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 msgid "dns_resolver_op_timeout (integer)"
 msgstr "dns_resolver_op_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
+#, fuzzy
+#| msgid ""
+#| "Defines the amount of time (in seconds) to wait to resolve single DNS "
+#| "query (e.g. resolution of a hostname or an SRV record)  before try next "
+#| "hostname or DNS discovery."
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 "Визначає тривалість (у секундах) періоду, протягом якого програма чекатиме "
 "на завершення виконання окремого запиту DNS (наприклад встановлення назви "
@@ -5094,12 +5121,12 @@ msgstr ""
 "наступного DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -5112,12 +5139,12 @@ msgstr ""
 "роботу у автономному режимі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -5126,54 +5153,54 @@ msgstr ""
 "частину запиту визначення служб DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 "Типова поведінка: використовувати назву домену з назви вузла комп’ютера."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr "override_gid (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr "Замірити значення основного GID на вказане."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr "case_sensitive (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr "True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 "Враховується регістр. Це значення є некоректним для засобу надання даних AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr "False"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr "Без врахування регістру."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr "Preserving"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -5185,7 +5212,7 @@ msgstr ""
 "буде переведено у нижній регістр."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
@@ -5194,7 +5221,7 @@ msgstr ""
 "даних IPA, вам доведеться встановити його на боці клієнта і SSSD на сервері."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
@@ -5203,26 +5230,17 @@ msgstr ""
 "значення: <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-"Цей параметр також може бути встановлено для окремого піддомену або "
-"успадковано за допомогою <emphasis>subdomain_inherit</emphasis>."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr "Типове значення: True (False для засобу надання даних AD)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr "subdomain_inherit (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -5234,51 +5252,128 @@ msgstr ""
 "параметрів:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
-msgstr "ignore_group_members"
+#: sssd.conf.5.xml:3695
+#, fuzzy
+#| msgid "ldap_search_timeout (integer)"
+msgid "ldap_search_timeout"
+msgstr "ldap_search_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+#, fuzzy
+#| msgid "ldap_network_timeout (integer)"
+msgid "ldap_network_timeout"
+msgstr "ldap_network_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+#, fuzzy
+#| msgid "ldap_opt_timeout (integer)"
+msgid "ldap_opt_timeout"
+msgstr "ldap_opt_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+#, fuzzy
+#| msgid "ldap_connection_idle_timeout"
+msgid "ldap_offline_timeout"
+msgstr "ldap_connection_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3707
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_timeout"
+msgstr "ldap_enumeration_refresh_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3710
+#, fuzzy
+#| msgid "ldap_enumeration_refresh_timeout (integer)"
+msgid "ldap_enumeration_refresh_offset"
+msgstr "ldap_enumeration_refresh_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+#, fuzzy
+#| msgid "ldap_purge_cache_timeout"
+msgid "ldap_purge_cache_offset"
+msgstr "ldap_purge_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+"ldap_krb5_keytab (значення krb5_keytab буде використано, якщо "
+"ldap_krb5_keytab не встановлено явним чином)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+#, fuzzy
+#| msgid "ldap_krb5_ticket_lifetime (integer)"
+msgid "ldap_krb5_ticket_lifetime"
+msgstr "ldap_krb5_ticket_lifetime (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+#, fuzzy
+#| msgid "ldap_enumeration_search_timeout (integer)"
+msgid "ldap_enumeration_search_timeout"
+msgstr "ldap_enumeration_search_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+#, fuzzy
+#| msgid "ldap_connection_idle_timeout"
+msgid "ldap_connection_expire_timeout"
+msgstr "ldap_connection_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+#, fuzzy
+#| msgid "ldap_connection_expire_offset (integer)"
+msgid "ldap_connection_expire_offset"
+msgstr "ldap_connection_expire_offset (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 msgid "ldap_connection_idle_timeout"
 msgstr "ldap_connection_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr "ldap_user_principal"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
-msgstr ""
-"ldap_krb5_keytab (значення krb5_keytab буде використано, якщо "
-"ldap_krb5_keytab не встановлено явним чином)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
+msgstr "ignore_group_members"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr "auto_private_groups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr "case_sensitive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -5288,28 +5383,28 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 "Зауваження: цей параметр працює лише для засобів надання даних IPA і AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "спрощена (NetBIOS) назва піддомену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -5324,7 +5419,7 @@ msgstr ""
 "emphasis>.  <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
@@ -5332,17 +5427,17 @@ msgstr ""
 "emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Типове значення: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
@@ -5350,12 +5445,12 @@ msgstr ""
 "домену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr "cached_auth_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -5369,7 +5464,7 @@ msgstr ""
 "розпізнавання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
@@ -5379,12 +5474,12 @@ msgstr ""
 "значення для різних довірених доменів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr "Спеціальне значення 0 означає, що цю можливість вимкнено."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -5395,17 +5490,17 @@ msgstr ""
 "обробки <quote>initgroups</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr "auto_private_groups (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr "true"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
@@ -5414,7 +5509,7 @@ msgstr ""
 "користувача. У цьому випадку номер GID буде проігноровано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -5427,12 +5522,12 @@ msgstr ""
 "примусово встановлює унікальність записів у просторі ідентифікаторів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr "false"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
@@ -5441,12 +5536,12 @@ msgstr ""
 "вказувати на об'єкт групи у базі даних LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr "hybrid"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -5461,7 +5556,7 @@ msgstr ""
 "цього користувача визначатиме цей об'єкт групи."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
@@ -5470,7 +5565,7 @@ msgstr ""
 "групи, інакше надійне визначення GID буде просто неможливим."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -5481,7 +5576,7 @@ msgstr ""
 "збереженням наявних приватних груп для користувачів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
@@ -5490,7 +5585,7 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
@@ -5500,7 +5595,7 @@ msgstr ""
 "використовується автоматична прив'язка до ідентифікаторів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -5510,7 +5605,7 @@ msgstr ""
 "auto_private_groups = false\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -5522,7 +5617,7 @@ msgstr ""
 "auto_private_groups = false\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -5536,7 +5631,7 @@ msgstr ""
 "subdomain_inherit: <placeholder type=\"programlisting\" id=\"1\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -5547,17 +5642,17 @@ msgstr ""
 "quote> <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr "Комп’ютер, для якого виконує проксі-сервер PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -5566,12 +5661,12 @@ msgstr ""
 "налаштуваннями pam або створити нові і тут додати назву служби."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -5582,12 +5677,12 @@ msgstr ""
 "наприклад _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr "proxy_resolver_lib_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -5598,12 +5693,12 @@ msgstr ""
 "_nss_$(назва_бібліотеки)_$(функція), наприклад _nss_dns_gethostbyname2_r."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -5618,12 +5713,12 @@ msgstr ""
 "у кеші, щоб пришвидшити надання результатів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr "proxy_max_children (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -5635,7 +5730,7 @@ msgstr ""
 "використання черги запитів."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -5644,12 +5739,12 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr "Домени програм (application)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -5677,7 +5772,7 @@ msgstr ""
 "який може успадковувати параметр з традиційного домену SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -5688,17 +5783,17 @@ msgstr ""
 "його доменом-близнюком у POSIX має бути встановлено належним чином."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr "Параметри доменів програм"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr "inherit_from (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -5710,7 +5805,7 @@ msgstr ""
 "розширюють або перевизначають параметри домену-<quote>близнюка</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -5725,7 +5820,7 @@ msgstr ""
 "у кеші і робить атрибут phone доступним через інтерфейс D-Bus."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -5759,12 +5854,12 @@ msgstr ""
 "ldap_user_extra_attrs = phone:telephoneNumber\n"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr "РОЗДІЛ ДОВІРЕНИХ ДОМЕНІВ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -5782,57 +5877,57 @@ msgstr ""
 "такі параметри:"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr "ldap_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr "ldap_user_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr "ldap_group_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr "ldap_netgroup_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr "ldap_service_search_base,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr "ldap_sasl_mech,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr "ad_server,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr "ad_backup_server,"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr "ad_site,"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr "use_fully_qualified_names"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
@@ -5841,12 +5936,12 @@ msgstr ""
 "підручника."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr "РОЗДІЛ ПРИВ'ЯЗКИ СЕРТИФІКАТІВ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -5869,7 +5964,7 @@ msgstr ""
 "використовують для розпізнавання PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -5881,7 +5976,7 @@ msgstr ""
 "citerefentry>)."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -5894,12 +5989,12 @@ msgstr ""
 "replaceable>]</quote>. У цьому розділі можна використовувати такі параметри:"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr "matchrule (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
@@ -5908,7 +6003,7 @@ msgstr ""
 "цьому правилу. Усі інші сертифікати буде проігноровано."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
@@ -5918,17 +6013,17 @@ msgstr ""
 "<quote>clientAuth</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr "maprule (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr "Визначає спосіб пошуку користувача для вказаного сертифіката."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
@@ -5937,7 +6032,7 @@ msgstr ""
 "даних, зокрема <quote>ldap</quote>, <quote>AD</quote> та <quote>ipa</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
@@ -5946,12 +6041,12 @@ msgstr ""
 "запис користувача і такою самою назвою."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr "domains (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -5964,17 +6059,17 @@ msgstr ""
 "параметр можна використати і для додавання правила до піддоменів."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr "Типове значення: домен, який налаштовано у sssd.conf"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr "priority (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -5985,12 +6080,12 @@ msgstr ""
 "пріоритетність, а <quote>4294967295</quote> — найнижча."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr "Типове значення: найнижча пріоритетність"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
@@ -6000,7 +6095,7 @@ msgstr ""
 "спеціальних властивостей:"
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
@@ -6009,7 +6104,7 @@ msgstr ""
 "відповідного облікового запису користувача"
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -6022,17 +6117,17 @@ msgstr ""
 "quote> або <quote>({назва_об'єкта_rfc822.коротка_назва})</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr "параметр <quote>domains</quote> буде проігноровано"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr "РОЗДІЛ НАЛАШТОВУВАННЯ ЗАПИТІВ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -6048,7 +6143,7 @@ msgstr ""
 "реєстраційних даних."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -6062,22 +6157,22 @@ msgstr ""
 "випадках мають забезпечити описані нижче параметри."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr "[prompting/password]"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr "password_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr "для зміни рядка запиту пароля"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
@@ -6086,37 +6181,37 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr "[prompting/2fa]"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr "first_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr "для зміни рядка запиту для першого фактора"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr "second_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr "для зміни рядка запиту для другого фактора"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr "single_prompt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -6129,7 +6224,7 @@ msgstr ""
 "якщо другий фактор не є обов'язковим."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -6142,7 +6237,7 @@ msgstr ""
 "паролем, або за двома факторами, має бути використано двокроковий запит."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -6155,7 +6250,7 @@ msgstr ""
 "type=\"variablelist\" id=\"1\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -6166,12 +6261,12 @@ msgstr ""
 "для цієї служби."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr "ПРИКЛАДИ"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -6225,7 +6320,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -6238,7 +6333,7 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -6248,7 +6343,7 @@ msgstr ""
 "use_fully_qualified_names = false\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -6265,7 +6360,7 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -6287,7 +6382,7 @@ msgstr ""
 "matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$&lt;SUBJECT&gt;^CN=User.Name,DC=MY,DC=DOMAIN$\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -6373,7 +6468,7 @@ msgstr ""
 "більше про використання LDAP, як засобу керування доступом."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -6494,7 +6589,7 @@ msgstr ""
 "специфікації http://www.ietf.org/rfc/rfc2254.txt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr "Приклади:"
@@ -6752,12 +6847,12 @@ msgstr ""
 "свого кешу нумерованих записів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -6768,7 +6863,7 @@ msgstr ""
 "цих записів з метою економії місця."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -6782,12 +6877,12 @@ msgstr ""
 "кожні 3 години."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -6799,7 +6894,7 @@ msgstr ""
 "параметра буде проігноровано, якщо використано схему RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -6815,7 +6910,7 @@ msgstr ""
 "початкового пошуку, якщо запити щодо пошуку надходять повторно."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -6831,12 +6926,12 @@ msgstr ""
 "обмеження вкладеності у групах."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr "Типове значення: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
@@ -6846,23 +6941,23 @@ msgstr ""
 "Directory Server 2008 та новіших версій."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr "Типове значення: True для AD і IPA, інакше False."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr "ldap_host_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 "Необов’язковий. Використати вказаний рядок як основу пошуку об’єктів вузлів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -6872,32 +6967,32 @@ msgstr ""
 "налаштування декількох основ пошуку."
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "Типове значення: значення <emphasis>ldap_search_base</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr "ldap_iphost_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr "ldap_ipnetwork_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -6908,7 +7003,7 @@ msgstr ""
 "автономного режиму роботи)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -6919,12 +7014,12 @@ msgstr ""
 "окремих типів пошуків."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -6935,12 +7030,12 @@ msgstr ""
 "кешованих даних (і переходом до автономного режиму роботи)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -6957,12 +7052,12 @@ msgstr ""
 "citerefentry> повертається до стану бездіяльності."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -6976,12 +7071,12 @@ msgstr ""
 "розширеної операції зі зміни пароля та дії StartTLS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (ціле значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -6995,7 +7090,7 @@ msgstr ""
 "дії TGT)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -7013,7 +7108,7 @@ msgstr ""
 "<emphasis>ldap_connection_expire_timeout &lt;= ldap_opt_timout</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
@@ -7022,17 +7117,17 @@ msgstr ""
 "параметром <emphasis>ldap_connection_expire_offset</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr "Типове значення: 900 (15 хвилин)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr "ldap_connection_expire_offset (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
@@ -7041,12 +7136,12 @@ msgstr ""
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr "ldap_connection_idle_timeout (ціле значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -7057,17 +7152,17 @@ msgstr ""
 "бездіяльним понад цей час, з'єднання буде розірвано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr "Ви можете вимкнути цей час очікування, встановивши значення 0."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
@@ -7077,12 +7172,12 @@ msgstr ""
 "один запит."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -7093,7 +7188,7 @@ msgstr ""
 "RootDSE, але цю підтримку не увімкнено або вона не працює належним чином."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
@@ -7103,7 +7198,7 @@ msgstr ""
 "підтримкою не можна скористатися."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -7114,17 +7209,17 @@ msgstr ""
 "це може призвести до відмови у виконанні запитів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr "ldap_disable_range_retrieval (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr "Вимкнути отримання діапазону Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -7140,12 +7235,12 @@ msgstr ""
 "буде представлено як такі, у яких немає учасників."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (ціле значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -7156,19 +7251,19 @@ msgstr ""
 "параметра визначається OpenLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 "Типове значення: типове для системи значення (зазвичай, визначається у ldap."
 "conf)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr "ldap_sasl_maxssf (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -7179,12 +7274,12 @@ msgstr ""
 "цього параметра визначається OpenLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -7196,7 +7291,7 @@ msgstr ""
 "виконуватиметься окремо."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -7214,7 +7309,7 @@ msgstr ""
 "rootDSE."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -7227,7 +7322,7 @@ msgstr ""
 "OpenLDAP та Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -7238,12 +7333,12 @@ msgstr ""
 "незалежно від використання цього параметра."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr "ldap_ignore_unreadable_references (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -7255,7 +7350,7 @@ msgstr ""
 "простого ігнорування непридатного до читання запису."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -7267,12 +7362,12 @@ msgstr ""
 "міркувань безпеки."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -7282,7 +7377,7 @@ msgstr ""
 "таких значень:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -7291,7 +7386,7 @@ msgstr ""
 "жодних сертифікатів сервера."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -7303,7 +7398,7 @@ msgstr ""
 "режимі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -7314,7 +7409,7 @@ msgstr ""
 "надано помилковий сертифікат, негайно перервати сеанс."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -7325,22 +7420,22 @@ msgstr ""
 "перервати сеанс."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> = те саме, що і <quote>demand</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr "Типове значення: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -7349,7 +7444,7 @@ msgstr ""
 "розпізнаються <command>sssd</command>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -7358,12 +7453,12 @@ msgstr ""
 "у <filename>/etc/openldap/ldap.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -7376,32 +7471,32 @@ msgstr ""
 "<command>cacertdir_rehash</command>, якщо ця програма є доступною."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr "Визначає файл, який містить сертифікат для ключа клієнта."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr "Визначає файл, у якому міститься ключ клієнта."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -7413,12 +7508,12 @@ msgstr ""
 "<manvolnum>5</manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
@@ -7427,12 +7522,12 @@ msgstr ""
 "class=\"protocol\">tls</systemitem> для захисту каналу."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -7444,19 +7539,19 @@ msgstr ""
 "ldap_group_gid_number."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 "У поточній версії у цій можливості передбачено підтримку лише встановлення "
 "відповідності objectSID у ActiveDirectory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr "ldap_min_id, ldap_max_id (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -7476,18 +7571,18 @@ msgstr ""
 "ідентифікаторів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 "Типове значення: не встановлено (обидва параметри встановлено у значення 0)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
@@ -7496,7 +7591,7 @@ msgstr ""
 "перевірено і передбачено підтримку лише механізмів GSSAPI та GSS-SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -7514,12 +7609,12 @@ msgstr ""
 "manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -7539,7 +7634,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -7560,17 +7655,17 @@ msgstr ""
 "таблиці ключів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr "Типове значення: вузол/назва_вузла@ОБЛАСТЬ"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -7582,17 +7677,17 @@ msgstr ""
 "проігноровано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr "Типове значення: значення krb5_realm."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
@@ -7602,36 +7697,36 @@ msgstr ""
 "SASL."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr "Типове значення: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 "Визначає таблицю ключів, яку слід використовувати разом з SASL/GSSAPI/GSS-"
 "SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "Типове значення: системна таблиця ключів, зазвичай <filename>/etc/krb5."
 "keytab</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -7642,12 +7737,12 @@ msgstr ""
 "механізм GSSAPI або GSS-SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
@@ -7655,17 +7750,17 @@ msgstr ""
 "SPNEGO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr "Типове значення: 86400 (24 години)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -7684,7 +7779,7 @@ msgstr ""
 "про виявлення служб можна дізнатися з розділу «ПОШУК СЛУЖБ»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -7696,7 +7791,7 @@ msgstr ""
 "вдасться знайти."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -7707,30 +7802,30 @@ msgstr ""
 "варто перейти на використання «krb5_server» у файлах налаштувань."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 "Вказати область Kerberos (для розпізнавання за SASL/GSSAPI/GSS-SPNEGO)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 "Типове значення: типове значення системи, див. <filename>/etc/krb5.conf</"
 "filename>"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
@@ -7740,12 +7835,12 @@ msgstr ""
 "версії MIT Kerberos >= 1.7"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr "krb5_use_kdcinfo (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -7760,7 +7855,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -7771,12 +7866,12 @@ msgstr ""
 "manvolnum> </citerefentry>, щоб дізнатися більше про додаток пошуку."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -7785,7 +7880,7 @@ msgstr ""
 "використовувати такі значення:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -7794,7 +7889,7 @@ msgstr ""
 "разі використання цього варіанта перевірку на боці сервера вимкнено не буде."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -7802,12 +7897,11 @@ msgid ""
 "\"ldap_chpass_update_last_change\" as well."
 msgstr ""
 "<emphasis>shadow</emphasis> — використовувати атрибути у стилі "
-"<citerefentry><refentrytitle>shadow</refentrytitle> "
-"<manvolnum>5</manvolnum></citerefentry> для визначення того, чи чинним є "
-"пароль."
+"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> для визначення того, чи чинним є пароль."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -7818,7 +7912,7 @@ msgstr ""
 "скористайтеся chpass_provider=krb5 для оновлення цих атрибутів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
@@ -7828,18 +7922,18 @@ msgstr ""
 "встановленими за допомогою цього параметра."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 "Визначає, чи має бути увімкнено автоматичне визначення напрямків пошуку."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -7848,7 +7942,7 @@ msgstr ""
 "з версією OpenLDAP 2.4.13 або новішою версією."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -7870,28 +7964,28 @@ msgstr ""
 "дані виявляться недоступними."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "Визначає назву служби, яку буде використано у разі вмикання визначення служб."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr "Типове значення: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -7900,17 +7994,17 @@ msgstr ""
 "уможливлює зміну паролів, у разі вмикання визначення служб."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr "Типове значення: не встановлено, тобто пошук служб вимкнено"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
@@ -7919,7 +8013,7 @@ msgstr ""
 "щодо кількості днів з часу виконання дії зі зміни пароля."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -7932,12 +8026,12 @@ msgstr ""
 "окремо."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -7966,12 +8060,12 @@ msgstr ""
 "refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr "Приклад:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -7983,7 +8077,7 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
@@ -7992,7 +8086,7 @@ msgstr ""
 "employeeType встановлено у значення «admin»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -8006,17 +8100,17 @@ msgstr ""
 "таких прав не було надано, у автономному режимі їх також не буде надано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr "Типове значення: порожній рядок"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -8025,7 +8119,7 @@ msgstr ""
 "керування доступом на боці клієнта."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -8036,12 +8130,12 @@ msgstr ""
 "з відповідним кодом помилки, навіть якщо вказано правильний пароль."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr "Можна використовувати такі значення:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -8050,7 +8144,7 @@ msgstr ""
 "визначити, чи завершено строк дії облікового запису."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -8063,7 +8157,7 @@ msgstr ""
 "Також буде перевірено, чи не вичерпано строк дії облікового запису."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -8074,7 +8168,7 @@ msgstr ""
 "ldap_ns_account_lock."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -8087,7 +8181,7 @@ msgstr ""
 "атрибутів, надати доступ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -8098,24 +8192,24 @@ msgstr ""
 "користуватися параметром ldap_account_expire_policy."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "Список відокремлених комами параметрів керування доступом. Можливі значення "
 "списку:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filter</emphasis>: використовувати ldap_access_filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -8130,7 +8224,7 @@ msgstr ""
 "для працездатності цієї можливості слід встановити «access_provider = ldap»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
@@ -8140,7 +8234,7 @@ msgstr ""
 "emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -8163,13 +8257,13 @@ msgstr ""
 "параметра слід встановити значення «access_provider = ldap»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 "<emphasis>expire</emphasis>: використовувати ldap_account_expire_policy"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -8184,7 +8278,7 @@ msgstr ""
 "наприклад на ключах SSH."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -8199,7 +8293,7 @@ msgstr ""
 "негайно змінити пароль."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
@@ -8207,7 +8301,7 @@ msgstr ""
 "від SSSD не надходитиме."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
@@ -8217,7 +8311,7 @@ msgstr ""
 "параметра «ldap_pwd_policy» відповідні правила поводження із паролями."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -8226,14 +8320,14 @@ msgstr ""
 "можливості доступу атрибут authorizedService"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 "<emphasis>host</emphasis>: за допомогою цього атрибута вузла можна визначити "
 "права доступу"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
@@ -8242,7 +8336,7 @@ msgstr ""
 "того, чи матиме віддалений вузол доступ"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
@@ -8252,12 +8346,12 @@ msgstr ""
 "керування доступом."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr "Типове значення: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
@@ -8266,12 +8360,12 @@ msgstr ""
 "використано декілька разів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr "ldap_pwdlockout_dn (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -8285,22 +8379,22 @@ msgstr ""
 "можна буде перевірити належним чином."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr "Приклад: cn=ppolicy,ou=policies,dc=example,dc=com"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr "Типове значення: cn=ppolicy,ou=policies,$ldap_search_base"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -8309,13 +8403,13 @@ msgstr ""
 "пошуку. Можливі такі варіанти:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 "<emphasis>never</emphasis>: ніколи не виконувати розіменування псевдонімів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -8325,7 +8419,7 @@ msgstr ""
 "пошуку."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -8334,7 +8428,7 @@ msgstr ""
 "під час визначення місця основного об’єкта пошуку."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -8343,7 +8437,7 @@ msgstr ""
 "час пошуку, так і під час визначення місця основного об’єкта пошуку."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -8352,12 +8446,12 @@ msgstr ""
 "сценарієм <emphasis>never</emphasis>)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
@@ -8366,7 +8460,7 @@ msgstr ""
 "серверів, у яких використовується схема RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -8384,7 +8478,7 @@ msgstr ""
 "користувачів за допомогою виклику getpw*() або initgroups()."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -8396,12 +8490,12 @@ msgstr ""
 "групами LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr "wildcard_limit (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
@@ -8410,24 +8504,24 @@ msgstr ""
 "пошуку з використанням символів-замінників."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 "У поточній версії пошук із використанням символів-замінників передбачено "
 "лише для відповідача InfoPipe."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr "Типове значення: 1000 (часто розмір однієї сторінки)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 msgid "ldap_library_debug_level (integer)"
 msgstr "ldap_library_debug_level (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
@@ -8436,7 +8530,7 @@ msgstr ""
 "libldap буде записано незалежно від загального debug_level."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
@@ -8445,7 +8539,7 @@ msgstr ""
 "компонентів, -1 увімкне повне виведення діагностичних даних."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr "Типове значення: 0 (діагностику libldap вимкнено)"
 
@@ -8470,12 +8564,12 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr "ПАРАМЕТРИ SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -8486,12 +8580,12 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
@@ -8501,7 +8595,7 @@ msgstr ""
 "набір правил, що зберігаються на сервері."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
@@ -8510,7 +8604,7 @@ msgstr ""
 "<emphasis>ldap_sudo_smart_refresh_interval </emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
@@ -8520,17 +8614,17 @@ msgstr ""
 "оновлення."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr "Типове значення: 21600 (6 годин)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -8541,7 +8635,7 @@ msgstr ""
 "правил, USN яких перевищує найбільше значення сервера USN, яке відоме SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
@@ -8550,7 +8644,7 @@ msgstr ""
 "дані атрибута modifyTimestamp."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -8566,7 +8660,7 @@ msgstr ""
 "emphasis>)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
@@ -8576,12 +8670,12 @@ msgstr ""
 "оновлення."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 msgid "ldap_sudo_random_offset (integer)"
 msgstr "ldap_sudo_random_offset (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -8592,7 +8686,7 @@ msgstr ""
 "регулярного завдання. Значення у секундах."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -8603,17 +8697,17 @@ msgstr ""
 "час, протягом якого правила sudo є недоступними для використання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr "Ви можете вимкнути цей зсув, встановивши значення 0."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
@@ -8623,12 +8717,12 @@ msgstr ""
 "назв вузлів)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
@@ -8637,7 +8731,7 @@ msgstr ""
 "фільтрування списку правил."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
@@ -8646,8 +8740,8 @@ msgstr ""
 "назву вузла та повну назву комп’ютера у домені у автоматичному режимі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
@@ -8656,17 +8750,17 @@ msgstr ""
 "<emphasis>false</emphasis>, цей параметр ні на що не впливатиме."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr "Типове значення: не вказано"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
@@ -8675,7 +8769,7 @@ msgstr ""
 "правил."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
@@ -8684,12 +8778,12 @@ msgstr ""
 "адресу у автоматичному режимі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "ldap_sudo_include_netgroups (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
@@ -8698,12 +8792,12 @@ msgstr ""
 "мережеву групу (netgroup) у атрибуті sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
@@ -8712,7 +8806,7 @@ msgstr ""
 "заміни у атрибуті sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
@@ -8721,7 +8815,7 @@ msgstr ""
 "для сервера LDAP!"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -8734,12 +8828,12 @@ msgstr ""
 "refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr "ПАРАМЕТРИ AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
@@ -8748,47 +8842,47 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr "ldap_autofs_map_master_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr "Назва основної карти автоматичного монтування у LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr "Типове значення: auto.master"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr "ДОДАТКОВІ ПАРАМЕТРИ"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr "<note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -8801,22 +8895,22 @@ msgstr ""
 "груп показуються неправильно."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr "</note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -8829,14 +8923,14 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"1\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr "ПРИКЛАД"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -8847,7 +8941,7 @@ msgstr ""
 "<replaceable>[domains]</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -8867,20 +8961,20 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr "ПРИКЛАД ФІЛЬТРА ДОСТУПУ LDAP"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
@@ -8889,7 +8983,7 @@ msgstr ""
 "чином і використано ldap_access_order=lockout."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -8915,13 +9009,13 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "ЗАУВАЖЕННЯ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -10215,7 +10309,7 @@ msgstr ""
 "обробляються."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -11478,7 +11572,7 @@ msgstr ""
 "цього вузла. Назву вузла слід вказувати повністю."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr "dyndns_update (булеве значення)"
 
@@ -11498,7 +11592,7 @@ msgstr ""
 "допомогою параметра «dyndns_iface»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -11519,12 +11613,12 @@ msgstr ""
 "назву, <emphasis>dyndns_update</emphasis>, у файлі налаштувань."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr "dyndns_ttl (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -11551,12 +11645,12 @@ msgid "Default: 1200 (seconds)"
 msgstr "Типове значення: 1200 (секунд)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr "dyndns_iface (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -11589,17 +11683,17 @@ msgstr ""
 "для з’єднання LDAP IPA"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr "Приклад: dyndns_iface = em1, vnet1, vnet2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr "dyndns_auth (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -11610,17 +11704,17 @@ msgstr ""
 "можна надсилати встановленням для цього параметра значення «none»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr "Типове значення: GSS-TSIG"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 msgid "dyndns_auth_ptr (string)"
 msgstr "dyndns_auth_ptr (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -11631,7 +11725,7 @@ msgstr ""
 "оновлення можна надсилати встановленням для цього параметра значення «none»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr "Типове значення: те саме, що і dyndns_auth"
 
@@ -11641,7 +11735,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr "ipa_enable_dns_sites (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr "Вмикає сайти DNS — визначення служб на основі адрес."
 
@@ -11666,7 +11760,7 @@ msgstr ""
 "вважатимуться резервними серверами."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr "dyndns_refresh_interval (ціле число)"
 
@@ -11683,12 +11777,12 @@ msgstr ""
 "є обов’язкоми, його застосовують, лише якщо dyndns_update має значення true."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr "dyndns_update_ptr (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -11712,12 +11806,12 @@ msgid "Default: False (disabled)"
 msgstr "Типове значення: False (вимкнено)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr "dyndns_force_tcp (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
@@ -11726,17 +11820,17 @@ msgstr ""
 "даними з сервером DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr "Типове значення: False (надати змогу nsupdate вибирати протокол)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr "dyndns_server (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
@@ -11746,7 +11840,7 @@ msgstr ""
 "параметра."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
@@ -11755,7 +11849,7 @@ msgstr ""
 "DNS відрізняється від сервера профілів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
@@ -11765,17 +11859,17 @@ msgstr ""
 "невдало."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr "Типове значення: немає (надати nsupdate змогу вибирати сервер)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr "dyndns_update_per_family (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -11927,12 +12021,12 @@ msgstr ""
 "перетворено у основний DN для виконання дій LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr "krb5_confd_path (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
@@ -11941,7 +12035,7 @@ msgstr ""
 "налаштувань Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
@@ -11950,7 +12044,7 @@ msgstr ""
 "значення «none»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -11975,7 +12069,7 @@ msgstr ""
 "щодо профілів станції."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr "Типове значення: 5 (секунд)"
 
@@ -12665,13 +12759,47 @@ msgstr ""
 "модулі надання даних AD завжди обробляються із врахуванням регістру символів "
 "для забезпечення сумісності з реалізацією Active Directory у LDAP."
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+#, fuzzy
+#| msgid ""
+#| "If this option is set to <quote>true</quote> SSSD will not filter out "
+#| "Domain Local groups from remote domains in the AD forest. By default they "
+#| "are filtered out e.g. when following a nested group hierarchy in remote "
+#| "domains because they are not valid in the local domain. To be compatible "
+#| "with other solutions which make AD users and groups available on Linux "
+#| "client this option was added."
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+"Якщо для цього параметра встановлено значення <quote>true</quote>, SSSD не "
+"відфільтровуватиме локальні для домену групи від віддалених доменів у лісі "
+"AD. Типово, групи буде відфільтровано, наприклад при слідуванні за вкладеною "
+"ієрархією груп у віддалених доменах, оскільки вони не є чинними у локальних "
+"доменах. Цей параметр було додано для сумісності із іншими рішеннями, які "
+"роблять користувачів і групи AD доступними у клієнті Linux."
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr "ad_domain (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
@@ -12680,7 +12808,7 @@ msgstr ""
 "буде використано назву домену з налаштувань."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
@@ -12689,7 +12817,7 @@ msgstr ""
 "малими літерами повної версії назви домену Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
@@ -12698,12 +12826,12 @@ msgstr ""
 "автоматично визначається засобами SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr "ad_enabled_domains (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -12715,7 +12843,7 @@ msgstr ""
 "домени з лісу AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -12725,7 +12853,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -12736,7 +12864,7 @@ msgstr ""
 "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
@@ -12745,12 +12873,12 @@ msgstr ""
 "автоматично визначається засобами SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -12762,7 +12890,7 @@ msgstr ""
 "quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
@@ -12772,7 +12900,7 @@ msgstr ""
 "«ПОШУК СЛУЖБ»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
@@ -12781,12 +12909,12 @@ msgstr ""
 "якщо основний сервер явним чином визначено у параметрі ad_server."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -12799,7 +12927,7 @@ msgstr ""
 "параметра явним чином."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -12810,12 +12938,12 @@ msgstr ""
 "збігатися із назвою вузла, для якого випущено таблицю ключів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr "ad_enable_dns_sites (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -12833,12 +12961,12 @@ msgstr ""
 "сайтів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr "ad_access_filter (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -12851,7 +12979,7 @@ msgstr ""
 "значення «ad», щоб цей параметр почав діяти."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -12864,7 +12992,7 @@ msgstr ""
 "«FOREST» або ключове слово слід пропустити."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -12877,7 +13005,7 @@ msgstr ""
 "вказаного значенням «НАЗВА»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
@@ -12886,7 +13014,7 @@ msgstr ""
 "визначення фільтрів у базах для пошуку."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -12908,7 +13036,7 @@ msgstr ""
 "відповідності у LDAP</ulink>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -12922,7 +13050,7 @@ msgstr ""
 "специфікацією, використовуватиметься лише перший з них."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -12952,12 +13080,12 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr "ad_site (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
@@ -12966,12 +13094,12 @@ msgstr ""
 "вказано, виконуватиметься спроба автоматичного визначення сайта AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr "ad_enable_gc (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -12985,7 +13113,7 @@ msgstr ""
 "SSSD встановлюватиме зв’язок лише з портом LDAP поточного сервера AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -13000,12 +13128,12 @@ msgstr ""
 "групах для різних доменів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr "ad_gpo_access_control (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -13020,7 +13148,7 @@ msgstr ""
 "«access_provider» значення «ad»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -13034,7 +13162,7 @@ msgstr ""
 "<quote>ad_gpo_map</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -13048,7 +13176,7 @@ msgstr ""
 "вадами https://pagure.io/SSSD/sssd/issue/5063 ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -13063,7 +13191,7 @@ msgstr ""
 "з груп, до яких він належить, повинен мати такі права доступу до GPO:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
@@ -13072,7 +13200,7 @@ msgstr ""
 "властивостей GPO (RIGHT_DS_READ_PROPERTY)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
@@ -13081,7 +13209,7 @@ msgstr ""
 "доступ до застосування GPO (RIGHT_DS_CONTROL_ACCESS)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -13096,7 +13224,7 @@ msgstr ""
 "доступу групи Authenticated Users щодо GPO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -13124,12 +13252,12 @@ msgstr ""
 "manvolnum> </citerefentry>)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr "У цього параметра є три підтримуваних значення:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
@@ -13137,14 +13265,14 @@ msgstr ""
 "використовуються примусово."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 "enforcing: правила керування доступом, засновані на GPO, обробляються і "
 "використовуються примусово."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -13157,22 +13285,22 @@ msgstr ""
 "enforcing."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr "Типове значення: permissive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr "Типове значення: enforcing"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr "ad_gpo_implicit_deny (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -13191,7 +13319,7 @@ msgstr ""
 "Administrators, якщо немає правил GPO, якими надається такий доступ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -13203,75 +13331,75 @@ msgstr ""
 "ad_gpo_implicit_deny."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr "ad_gpo_implicit_deny = False (типове значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr "allow-rules"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr "deny-rules"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr "результати"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr "missing"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 msgid "all users are allowed"
 msgstr "дозволені усі користувачі"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr "present"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr "дозволені лише користувачі, яких немає у deny-rules"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 msgid "only users in allow-rules are allowed"
 msgstr "дозволені лише користувачі, які є у allow-rules"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 "дозволені лише користувачі, які є в allow-rules і яких немає у deny-rules"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr "ad_gpo_implicit_deny = True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 msgid "no users are allowed"
 msgstr "заборонено усіх користувачів"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr "ad_gpo_ignore_unreadable (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -13286,12 +13414,12 @@ msgstr ""
 "правил груп є непридатним до читання з SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr "ad_gpo_cache_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -13302,12 +13430,12 @@ msgstr ""
 "короткого періоду часу надходить багато запитів щодо керування доступом."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr "ad_gpo_map_interactive (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -13336,7 +13464,7 @@ msgstr ""
 "правила."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
@@ -13346,7 +13474,7 @@ msgstr ""
 "вхід» («Deny log on locally»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -13356,7 +13484,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13375,42 +13503,42 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr "gdm-fingerprint"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr "lightdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr "lxdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr "sddm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr "unity"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr "xdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr "ad_gpo_map_remote_interactive (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -13439,7 +13567,7 @@ msgstr ""
 "одна з його груп є частиною параметрів правила."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -13451,7 +13579,7 @@ msgstr ""
 "служб віддаленої стільниці» («Deny log on through Remote Desktop Services»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -13461,7 +13589,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13480,22 +13608,22 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr "sshd"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr "cockpit"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr "ad_gpo_map_network (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -13524,7 +13652,7 @@ msgstr ""
 "правила."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -13536,7 +13664,7 @@ msgstr ""
 "мережі» (Deny access to this computer from the network»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -13546,7 +13674,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13565,22 +13693,22 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr "ftp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr "samba"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr "ad_gpo_map_batch (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -13608,7 +13736,7 @@ msgstr ""
 "правила."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
@@ -13618,7 +13746,7 @@ msgstr ""
 "job») і «Заборонити вхід як пакетне завдання» («Deny log on as a batch job»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -13628,7 +13756,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13647,24 +13775,24 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 "Зауваження: назва служби cron у різних дистрибутивах Linux може бути різною."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr "crond"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr "ad_gpo_map_service (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -13693,7 +13821,7 @@ msgstr ""
 "принаймні одна з його груп є частиною параметрів правила."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
@@ -13703,7 +13831,7 @@ msgstr ""
 "«Заборонити вхід як службу» («Deny log on as a service»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -13713,7 +13841,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -13730,12 +13858,12 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr "ad_gpo_map_permit (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
@@ -13744,7 +13872,7 @@ msgstr ""
 "основі GPO, незалежно від будь-яких прав входу GPO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -13754,7 +13882,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -13773,22 +13901,22 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr "polkit-1"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr "systemd-user"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr "ad_gpo_map_deny (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
@@ -13797,7 +13925,7 @@ msgstr ""
 "на основі GPO, незалежно від будь-яких прав входу GPO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -13807,12 +13935,12 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr "ad_gpo_default_right (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -13834,57 +13962,57 @@ msgstr ""
 "забороняла доступ для непов’язаних назв служб PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr "Передбачені значення для цього параметра:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr "interactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr "remote_interactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr "network"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr "batch"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr "service"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr "permit"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr "deny"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr "Типове значення: deny"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr "ad_maximum_machine_account_password_age (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -13895,17 +14023,17 @@ msgstr ""
 "Значення 0 вимкне спроби оновлення."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr "Типове значення: 30 днів"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr "ad_machine_account_password_renewal_opts (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -13920,17 +14048,17 @@ msgstr ""
 "— визначає початковий час очікування на перший запуск завдання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr "Типове значення: 86400:750 (24 годин і 15 хвилин)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr "ad_update_samba_machine_account_password (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -13943,12 +14071,12 @@ msgstr ""
 "налаштовано на використання AD для розпізнавання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr "ad_use_ldaps (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -13966,12 +14094,12 @@ msgstr ""
 "з'єднань буде встановлено у значення 0 (нуль)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr "ad_allow_remote_domain_local_groups (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -13988,7 +14116,7 @@ msgstr ""
 "роблять користувачів і групи AD доступними у клієнті Linux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -14012,7 +14140,7 @@ msgstr ""
 "запитах tokenGroups, де також немає віддалених груп локальних доменів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -14032,7 +14160,7 @@ msgstr ""
 "локальні групи домену може бути знайдено лише на глибшому рівні вкладеності."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -14049,12 +14177,12 @@ msgstr ""
 "якщо цю адресу не було змінено за допомогою параметра «dyndns_iface»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr "Типове значення: 3600 (секунд)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
@@ -14063,7 +14191,7 @@ msgstr ""
 "для з’єднання LDAP AD"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -14080,7 +14208,7 @@ msgstr ""
 "значення."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -14091,7 +14219,7 @@ msgstr ""
 "У прикладі продемонстровано лише параметри доступу, специфічні для засобу AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -14115,7 +14243,7 @@ msgstr ""
 "ad_domain = example.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -14127,7 +14255,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -14139,7 +14267,7 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -14154,7 +14282,7 @@ msgstr ""
 "шифрування) вручну."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -21228,16 +21356,30 @@ msgstr "Авторська служба сертифікації (Creator Author
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
+#, fuzzy
+#| msgid "Creator Authority"
+msgid "Mandatory Label Authority"
+msgstr "Авторська служба сертифікації (Creator Authority)"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:295
+#, fuzzy
+#| msgid "Authentication failure."
+msgid "Authentication Authority"
+msgstr "Помилка під час спроби розпізнавання."
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
 msgid "NT Authority"
 msgstr "Служба сертифікації NT (NT Authority)"
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
-#: include/ldap_id_mapping.xml:295
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr "Вбудована (Built-in)"
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
@@ -21246,16 +21388,27 @@ msgstr ""
 "доменів для повернення повних назв добре відомих (Well-Known) SID."
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
+#, fuzzy
+#| msgid ""
+#| "Since some utilities allow to modify SID based access control information "
+#| "with the help of a name instead of using the SID directly SSSD supports "
+#| "to look up the SID by the name as well. To avoid collisions only the "
+#| "fully qualified names can be used to look up Well-Known SIDs. As a result "
+#| "the domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</"
+#| "quote>, <quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</"
+#| "quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not "
+#| "be used as domain names in <filename>sssd.conf</filename>."
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 "Оскільки деякі з програм надають змогу змінювати дані щодо керування "
 "доступом на основі SID за допомогою назви, а не безпосереднього "
@@ -22117,13 +22270,38 @@ msgstr ""
 "розташувати відповідний запис таблиці ключів на останньому місці або зробити "
 "його єдиним записом у файлі таблиці ключів."
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+#, fuzzy
+#| msgid "Default: false (AD provider: true)"
+msgid "Default: false (IPA and AD provider: true)"
+msgstr "Типове значення: false (надається AD: true)"
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+"З докладнішими відомостями щодо параметра «dns_discovery_domain» можна "
+"ознайомитися на сторінці підручника (man) <citerefentry> <refentrytitle>sssd."
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr "krb5_renewable_lifetime (рядок)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
@@ -22132,38 +22310,38 @@ msgstr ""
 "за допомогою цілого числа, за яким одразу вказано одиницю часу:"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr "<emphasis>s</emphasis> — секунди"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr "<emphasis>m</emphasis> — хвилини"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr "<emphasis>h</emphasis> — години"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr "<emphasis>d</emphasis> — дні."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 "Якщо одиниці часу не буде вказано, вважатиметься, що використано одиницю "
 "<emphasis>s</emphasis>."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
@@ -22173,17 +22351,17 @@ msgstr ""
 "«1h30m»."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr "Типове значення: не встановлено, тобто TGT не є оновлюваним"
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr "krb5_lifetime (рядок)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
@@ -22192,14 +22370,14 @@ msgstr ""
 "цілого числа, за яким одразу вказано одиницю часу:"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 "Якщо одиниці часу не буде вказано, вважатиметься, що використано одиницю "
 "<emphasis>s</emphasis>."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
@@ -22209,7 +22387,7 @@ msgstr ""
 "«1h30m»."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
@@ -22217,12 +22395,12 @@ msgstr ""
 "визначатиметься у налаштуваннях KDC."
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr "krb5_renew_interval (рядок)"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -22234,14 +22412,14 @@ msgstr ""
 "одиниці часу:"
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 "Якщо значення для цього параметра встановлено не буде або буде встановлено "
 "значення 0, автоматичного оновлення не відбуватиметься."
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."
@@ -22249,6 +22427,17 @@ msgstr ""
 "Визначає, чи слід перетворювати реєстраційний запис вузла і користувача у "
 "канонічну форму. Цю можливість передбачено з версії MIT Kerberos 1.7."
 
+#~ msgid ""
+#~ "Apply additional checks on the PAC of the Kerberos ticket which is "
+#~ "available in Active Directory and FreeIPA domains, if configured. The "
+#~ "following options can be used alone or in a comma-separated list: "
+#~ "<placeholder type=\"variablelist\" id=\"0\"/>"
+#~ msgstr ""
+#~ "Застосувати додаткові перевірки щодо PAC квитка Kerberos, який доступний "
+#~ "у доменах Active Directory і FreeIPA, якщо налаштовано. Вказані нижче "
+#~ "параметри може бути застосовано окремо або у форматі списку відокремлених "
+#~ "комами значень: <placeholder type=\"variablelist\" id=\"0\"/>"
+
 #~ msgid ""
 #~ "Both a user name and a uid can be used but the user should be a local "
 #~ "one, i.e. accessible via <quote>files</quote> service of "
diff --git a/src/man/po/zh_CN.po b/src/man/po/zh_CN.po
index 85399591bbe..6cd4e4cb2c8 100644
--- a/src/man/po/zh_CN.po
+++ b/src/man/po/zh_CN.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 2.3.0\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2022-08-26 21:52+0200\n"
+"POT-Creation-Date: 2022-10-07 12:48+0200\n"
 "PO-Revision-Date: 2020-07-22 07:51-0400\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Chinese (China) (http://www.transifex.com/projects/p/sssd/"
@@ -207,10 +207,10 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:133 sssd.conf.5.xml:170 sssd.conf.5.xml:355
 #: sssd.conf.5.xml:647 sssd.conf.5.xml:706 sssd.conf.5.xml:721
-#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1021
-#: sssd-ldap.5.xml:1119 sssd-ldap.5.xml:1188 sssd-ldap.5.xml:1683
-#: sssd-ldap.5.xml:1748 sssd-ipa.5.xml:341 sssd-ad.5.xml:229 sssd-ad.5.xml:343
-#: sssd-ad.5.xml:1177 sssd-ad.5.xml:1325 sssd-krb5.5.xml:358
+#: sssd.conf.5.xml:1030 sssd.conf.5.xml:2122 sssd-ldap.5.xml:1071
+#: sssd-ldap.5.xml:1174 sssd-ldap.5.xml:1243 sssd-ldap.5.xml:1738
+#: sssd-ldap.5.xml:1803 sssd-ipa.5.xml:341 sssd-ad.5.xml:244 sssd-ad.5.xml:358
+#: sssd-ad.5.xml:1192 sssd-ad.5.xml:1340 sssd-krb5.5.xml:358
 msgid "Default: true"
 msgstr ""
 
@@ -228,12 +228,12 @@ msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:146 sssd.conf.5.xml:644 sssd.conf.5.xml:912
-#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3976
-#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:872 sssd-ldap.5.xml:891
-#: sssd-ldap.5.xml:1091 sssd-ldap.5.xml:1532 sssd-ldap.5.xml:1772
-#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1083
+#: sssd.conf.5.xml:2025 sssd.conf.5.xml:2092 sssd.conf.5.xml:3982
+#: sssd-ldap.5.xml:312 sssd-ldap.5.xml:917 sssd-ldap.5.xml:936
+#: sssd-ldap.5.xml:1146 sssd-ldap.5.xml:1587 sssd-ldap.5.xml:1827
+#: sssd-ipa.5.xml:151 sssd-ipa.5.xml:253 sssd-ipa.5.xml:603 sssd-ad.5.xml:1098
 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432
-#: include/krb5_options.xml:29 include/krb5_options.xml:154
+#: include/krb5_options.xml:163
 msgid "Default: false"
 msgstr ""
 
@@ -265,8 +265,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: outside any tag (error?)
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1589
-#: sssd-ldap.5.xml:1795 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:181 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:1850 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143
 #: sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 sssd-systemtap.5.xml:330
 #: sssd-ldap-attributes.5.xml:40 sssd-ldap-attributes.5.xml:646
 #: sssd-ldap-attributes.5.xml:784 sssd-ldap-attributes.5.xml:873
@@ -296,7 +296,7 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:193 sssd.conf.5.xml:1250 sssd.conf.5.xml:1703
-#: sssd.conf.5.xml:3992 sssd-ldap.5.xml:720 include/ldap_id_mapping.xml:270
+#: sssd.conf.5.xml:3998 sssd-ldap.5.xml:765 include/ldap_id_mapping.xml:270
 msgid "Default: 10"
 msgstr ""
 
@@ -372,8 +372,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3571
-#: sssd.conf.5.xml:3610 include/failover.xml:100
+#: sssd.conf.5.xml:263 sssd.conf.5.xml:755 sssd.conf.5.xml:3583
+#: include/failover.xml:100
 msgid "Default: 3"
 msgstr "默认： 3"
 
@@ -394,7 +394,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:284 sssd.conf.5.xml:3421
+#: sssd.conf.5.xml:284 sssd.conf.5.xml:3433
 msgid "re_expression (string)"
 msgstr ""
 
@@ -414,12 +414,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:301 sssd.conf.5.xml:3460
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:3472
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:304 sssd.conf.5.xml:3463
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:3475
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -427,39 +427,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:315 sssd.conf.5.xml:3474
+#: sssd.conf.5.xml:315 sssd.conf.5.xml:3486
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:316 sssd.conf.5.xml:3475
+#: sssd.conf.5.xml:316 sssd.conf.5.xml:3487
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:319 sssd.conf.5.xml:3478
+#: sssd.conf.5.xml:319 sssd.conf.5.xml:3490
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:322 sssd.conf.5.xml:3481
+#: sssd.conf.5.xml:322 sssd.conf.5.xml:3493
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:328 sssd.conf.5.xml:3487
+#: sssd.conf.5.xml:328 sssd.conf.5.xml:3499
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:331 sssd.conf.5.xml:3490
+#: sssd.conf.5.xml:331 sssd.conf.5.xml:3502
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:312 sssd.conf.5.xml:3471
+#: sssd.conf.5.xml:312 sssd.conf.5.xml:3483
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -597,11 +597,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:460 sssd-ldap.5.xml:831 sssd-ldap.5.xml:843
-#: sssd-ldap.5.xml:935 sssd-ad.5.xml:897 sssd-ad.5.xml:972 sssd-krb5.5.xml:468
+#: sssd.conf.5.xml:460 sssd-ldap.5.xml:876 sssd-ldap.5.xml:888
+#: sssd-ldap.5.xml:980 sssd-ad.5.xml:912 sssd-ad.5.xml:987 sssd-krb5.5.xml:468
 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:959
 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222
-#: include/krb5_options.xml:139
+#: include/krb5_options.xml:148
 msgid "Default: not set"
 msgstr ""
 
@@ -867,8 +867,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4042
-#: sssd-ad.5.xml:164 sssd-ad.5.xml:304 sssd-ad.5.xml:318
+#: sssd.conf.5.xml:692 sssd.conf.5.xml:1715 sssd.conf.5.xml:4048
+#: sssd-ad.5.xml:179 sssd-ad.5.xml:319 sssd-ad.5.xml:333
 msgid "Default: Not set"
 msgstr ""
 
@@ -1015,7 +1015,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:821 sssd.conf.5.xml:1161 sssd.conf.5.xml:1542
-#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:469
+#: sssd.conf.5.xml:1804 sssd-ldap.5.xml:494
 msgid "Default: 60"
 msgstr ""
 
@@ -1121,7 +1121,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:900 sssd.conf.5.xml:1174 sssd.conf.5.xml:2246
-#: sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:331
 msgid "Default: 300"
 msgstr ""
 
@@ -1490,7 +1490,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2849 sssd-ldap.5.xml:513
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2856 sssd-ldap.5.xml:548
 msgid "Default: 8"
 msgstr ""
 
@@ -1516,8 +1516,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3631
-#: sssd-ldap.5.xml:453 sssd-ldap.5.xml:495 include/failover.xml:116
+#: sssd.conf.5.xml:1225 sssd.conf.5.xml:1277 sssd.conf.5.xml:3604
+#: sssd-ldap.5.xml:473 sssd-ldap.5.xml:525 include/failover.xml:116
 #: include/krb5_options.xml:11
 msgid "Default: 6"
 msgstr ""
@@ -1825,7 +1825,7 @@ msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2873
+#: sssd.conf.5.xml:1511 sssd.conf.5.xml:2880
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
@@ -1838,7 +1838,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2876
+#: sssd.conf.5.xml:1520 sssd.conf.5.xml:2883
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1852,7 +1852,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3824 sssd-ldap.5.xml:561 sssd.8.xml:79
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:3830 sssd-ldap.5.xml:606 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
@@ -1915,8 +1915,8 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590 sssd.conf.5.xml:1615 sssd.conf.5.xml:1634
-#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2622 sssd.conf.5.xml:3753
-#: sssd-ldap.5.xml:1152
+#: sssd.conf.5.xml:1837 sssd.conf.5.xml:2629 sssd.conf.5.xml:3759
+#: sssd-ldap.5.xml:1207
 msgid "Default: none"
 msgstr ""
 
@@ -1981,9 +1981,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:626 sssd-ldap.5.xml:647
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:1238 sssd-ad.5.xml:482 sssd-ad.5.xml:558
-#: sssd-ad.5.xml:1103 sssd-ad.5.xml:1152 include/ldap_id_mapping.xml:250
+#: sssd.conf.5.xml:1648 sssd-ldap.5.xml:671 sssd-ldap.5.xml:692
+#: sssd-ldap.5.xml:788 sssd-ldap.5.xml:1293 sssd-ad.5.xml:497 sssd-ad.5.xml:573
+#: sssd-ad.5.xml:1118 sssd-ad.5.xml:1167 include/ldap_id_mapping.xml:250
 msgid "Default: False"
 msgstr ""
 
@@ -1998,7 +1998,7 @@ msgid "The path to the certificate database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4156
+#: sssd.conf.5.xml:1659 sssd.conf.5.xml:2172 sssd.conf.5.xml:4162
 msgid "Default:"
 msgstr ""
 
@@ -2094,48 +2094,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1742 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788
-#: sssd-ad.5.xml:846 sssd-ad.5.xml:924
+#: sssd.conf.5.xml:1742 sssd-ad.5.xml:636 sssd-ad.5.xml:745 sssd-ad.5.xml:803
+#: sssd-ad.5.xml:861 sssd-ad.5.xml:939
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1747 sssd-ad.5.xml:625
+#: sssd.conf.5.xml:1747 sssd-ad.5.xml:640
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1752 sssd-ad.5.xml:630
+#: sssd.conf.5.xml:1752 sssd-ad.5.xml:645
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1757 sssd-ad.5.xml:635
+#: sssd.conf.5.xml:1757 sssd-ad.5.xml:650
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1762 sssd-ad.5.xml:650
+#: sssd.conf.5.xml:1762 sssd-ad.5.xml:665
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1767 sssd-ad.5.xml:645
+#: sssd.conf.5.xml:1767 sssd-ad.5.xml:660
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1772 sssd-ad.5.xml:655
+#: sssd.conf.5.xml:1772 sssd-ad.5.xml:670
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1777 sssd-ad.5.xml:933
+#: sssd.conf.5.xml:1777 sssd-ad.5.xml:948
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1782 sssd-ad.5.xml:938
+#: sssd.conf.5.xml:1782 sssd-ad.5.xml:953
 msgid "sudo-i"
 msgstr ""
 
@@ -2253,7 +2253,7 @@ msgid "Default: no_session"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4095
+#: sssd.conf.5.xml:1874 sssd.conf.5.xml:4101
 msgid "pam_gssapi_services"
 msgstr ""
 
@@ -2287,7 +2287,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3747
+#: sssd.conf.5.xml:1892 sssd.conf.5.xml:3753
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -2297,7 +2297,7 @@ msgid "Default: - (GSSAPI authentication is disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4096
+#: sssd.conf.5.xml:1903 sssd.conf.5.xml:4102
 msgid "pam_gssapi_check_upn"
 msgstr ""
 
@@ -2317,7 +2317,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1243 sss_rpcidmapd.5.xml:76
+#: sssd.conf.5.xml:1923 sssd-ad.5.xml:1258 sss_rpcidmapd.5.xml:76
 #: sssd-files.5.xml:146
 msgid "Default: True"
 msgstr ""
@@ -2677,25 +2677,36 @@ msgstr ""
 msgid "pac_check (string)"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid ""
+"Apply additional checks on the PAC of the Kerberos ticket which is available "
+"in Active Directory and FreeIPA domains, if configured. Please note that "
+"Kerberos ticket validation must be enabled to be able to check the PAC, i.e. "
+"the krb5_validate option must be set to 'True' which is the default for the "
+"IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
+"be skipped."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2261
+#: sssd.conf.5.xml:2268
 msgid "no_check"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2270
 msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2276
 msgid "pac_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2271
+#: sssd.conf.5.xml:2278
 msgid ""
 "The PAC must be present in the service ticket which SSSD will request with "
 "the help of the user's TGT. If the PAC is not available the authentication "
@@ -2703,73 +2714,71 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2279
+#: sssd.conf.5.xml:2286
 msgid "check_upn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2281
+#: sssd.conf.5.xml:2288
 msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2294
 msgid "upn_dns_info_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2296
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2301
 msgid "check_upn_dns_info_ex"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2296
+#: sssd.conf.5.xml:2303
 msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2303
+#: sssd.conf.5.xml:2310
 msgid "upn_dns_info_ex_present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2305
+#: sssd.conf.5.xml:2312
 msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2264
 msgid ""
-"Apply additional checks on the PAC of the Kerberos ticket which is available "
-"in Active Directory and FreeIPA domains, if configured. The following "
-"options can be used alone or in a comma-separated list: <placeholder "
-"type=\"variablelist\" id=\"0\"/>"
+"The following options can be used alone or in a comma-separated list: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2315
+#: sssd.conf.5.xml:2322
 msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_dns_info_ex')"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2324
+#: sssd.conf.5.xml:2331
 msgid "Session recording configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2326
+#: sssd.conf.5.xml:2333
 msgid ""
 "Session recording works in conjunction with <citerefentry> "
 "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
@@ -2779,66 +2788,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2339
+#: sssd.conf.5.xml:2346
 msgid "These options can be used to configure session recording."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2343 sssd-session-recording.5.xml:64
+#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:64
 msgid "scope (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-session-recording.5.xml:71
+#: sssd.conf.5.xml:2357 sssd-session-recording.5.xml:71
 msgid "\"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:74
+#: sssd.conf.5.xml:2360 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2358 sssd-session-recording.5.xml:79
+#: sssd.conf.5.xml:2365 sssd-session-recording.5.xml:79
 msgid "\"some\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2361 sssd-session-recording.5.xml:82
+#: sssd.conf.5.xml:2368 sssd-session-recording.5.xml:82
 msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2370 sssd-session-recording.5.xml:91
+#: sssd.conf.5.xml:2377 sssd-session-recording.5.xml:91
 msgid "\"all\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2373 sssd-session-recording.5.xml:94
+#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2346 sssd-session-recording.5.xml:67
+#: sssd.conf.5.xml:2353 sssd-session-recording.5.xml:67
 msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2380 sssd-session-recording.5.xml:101
+#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2385 sssd-session-recording.5.xml:106
+#: sssd.conf.5.xml:2392 sssd-session-recording.5.xml:106
 msgid "users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388 sssd-session-recording.5.xml:109
+#: sssd.conf.5.xml:2395 sssd-session-recording.5.xml:109
 msgid ""
 "A comma-separated list of users which should have session recording enabled. "
 "Matches user names as returned by NSS. I.e. after the possible space "
@@ -2846,17 +2855,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:115
+#: sssd.conf.5.xml:2401 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2399 sssd-session-recording.5.xml:120
+#: sssd.conf.5.xml:2406 sssd-session-recording.5.xml:120
 msgid "groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:123
+#: sssd.conf.5.xml:2409 sssd-session-recording.5.xml:123
 msgid ""
 "A comma-separated list of groups, members of which should have session "
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
@@ -2864,7 +2873,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408 sssd.conf.5.xml:2440 sssd-session-recording.5.xml:129
+#: sssd.conf.5.xml:2415 sssd.conf.5.xml:2447 sssd-session-recording.5.xml:129
 #: sssd-session-recording.5.xml:161
 msgid ""
 "NOTE: using this option (having it set to anything) has a considerable "
@@ -2873,56 +2882,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2415 sssd-session-recording.5.xml:136
+#: sssd.conf.5.xml:2422 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2420 sssd-session-recording.5.xml:141
+#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:141
 msgid "exclude_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2423 sssd-session-recording.5.xml:144
+#: sssd.conf.5.xml:2430 sssd-session-recording.5.xml:144
 msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2427 sssd-session-recording.5.xml:148
+#: sssd.conf.5.xml:2434 sssd-session-recording.5.xml:148
 msgid "Default: Empty. No users excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:153
+#: sssd.conf.5.xml:2439 sssd-session-recording.5.xml:153
 msgid "exclude_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435 sssd-session-recording.5.xml:156
+#: sssd.conf.5.xml:2442 sssd-session-recording.5.xml:156
 msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2447 sssd-session-recording.5.xml:168
+#: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:168
 msgid "Default: Empty. No groups excluded."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2464
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2464
+#: sssd.conf.5.xml:2471
 msgid "enabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2467
+#: sssd.conf.5.xml:2474
 msgid ""
 "Explicitly enable or disable the domain. If <quote>true</quote>, the domain "
 "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is "
@@ -2932,12 +2941,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2479
+#: sssd.conf.5.xml:2486
 msgid "domain_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2482
+#: sssd.conf.5.xml:2489
 msgid ""
 "Specifies whether the domain is meant to be used by POSIX-aware clients such "
 "as the Name Service Switch or by applications that do not need POSIX data to "
@@ -2946,14 +2955,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2490
+#: sssd.conf.5.xml:2497
 msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2494
+#: sssd.conf.5.xml:2501
 msgid ""
 "POSIX domains are reachable by all services. Application domains are only "
 "reachable from the InfoPipe responder (see <citerefentry> "
@@ -2962,38 +2971,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2502
+#: sssd.conf.5.xml:2509
 msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2513
 msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2510
+#: sssd.conf.5.xml:2517
 msgid "Default: posix"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2523
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2519
+#: sssd.conf.5.xml:2526
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2524
+#: sssd.conf.5.xml:2531
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -3002,24 +3011,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2531
+#: sssd.conf.5.xml:2538
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2535
+#: sssd.conf.5.xml:2542
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2548
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2544
+#: sssd.conf.5.xml:2551
 msgid ""
 "Determines if a domain can be enumerated, that is, whether the domain can "
 "list all the users and group it contains. Note that it is not required to "
@@ -3028,29 +3037,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2552
+#: sssd.conf.5.xml:2559
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2555
+#: sssd.conf.5.xml:2562
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2558 sssd.conf.5.xml:2828 sssd.conf.5.xml:3000
+#: sssd.conf.5.xml:2565 sssd.conf.5.xml:2835 sssd.conf.5.xml:3012
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2561
+#: sssd.conf.5.xml:2568
 msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2573
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -3064,14 +3073,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2588
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2586
+#: sssd.conf.5.xml:2593
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -3080,39 +3089,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2594
+#: sssd.conf.5.xml:2601
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2602
+#: sssd.conf.5.xml:2609
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2609
+#: sssd.conf.5.xml:2616
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2610
+#: sssd.conf.5.xml:2617
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2613
+#: sssd.conf.5.xml:2620
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2621
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2605
+#: sssd.conf.5.xml:2612
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -3121,19 +3130,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2628
+#: sssd.conf.5.xml:2635
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2631
+#: sssd.conf.5.xml:2638
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2635
+#: sssd.conf.5.xml:2642
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -3144,139 +3153,139 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2648
+#: sssd.conf.5.xml:2655
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2654
+#: sssd.conf.5.xml:2661
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2657
+#: sssd.conf.5.xml:2664
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2661 sssd.conf.5.xml:2674 sssd.conf.5.xml:2687
-#: sssd.conf.5.xml:2700 sssd.conf.5.xml:2714 sssd.conf.5.xml:2727
-#: sssd.conf.5.xml:2741 sssd.conf.5.xml:2755 sssd.conf.5.xml:2768
+#: sssd.conf.5.xml:2668 sssd.conf.5.xml:2681 sssd.conf.5.xml:2694
+#: sssd.conf.5.xml:2707 sssd.conf.5.xml:2721 sssd.conf.5.xml:2734
+#: sssd.conf.5.xml:2748 sssd.conf.5.xml:2762 sssd.conf.5.xml:2775
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2667
+#: sssd.conf.5.xml:2674
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2670
+#: sssd.conf.5.xml:2677
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2680
+#: sssd.conf.5.xml:2687
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2683
+#: sssd.conf.5.xml:2690
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2693
+#: sssd.conf.5.xml:2700
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2696
+#: sssd.conf.5.xml:2703
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2706
+#: sssd.conf.5.xml:2713
 msgid "entry_cache_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2709
+#: sssd.conf.5.xml:2716
 msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2720
+#: sssd.conf.5.xml:2727
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2723
+#: sssd.conf.5.xml:2730
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2733
+#: sssd.conf.5.xml:2740
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2736
+#: sssd.conf.5.xml:2743
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2747
+#: sssd.conf.5.xml:2754
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2750
+#: sssd.conf.5.xml:2757
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2761
+#: sssd.conf.5.xml:2768
 msgid "entry_cache_computer_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2764
+#: sssd.conf.5.xml:2771
 msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2774
+#: sssd.conf.5.xml:2781
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2777
+#: sssd.conf.5.xml:2784
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2782
+#: sssd.conf.5.xml:2789
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache. For users who have performed the initgroups (get group membership for "
@@ -3285,17 +3294,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2790
+#: sssd.conf.5.xml:2797
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2794
+#: sssd.conf.5.xml:2801
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2798
+#: sssd.conf.5.xml:2805
 msgid ""
 "Cache entry will be refreshed by background task when 2/3 of cache timeout "
 "has already passed.  If there are existing cached entries, the background "
@@ -3307,33 +3316,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2811 sssd-ldap.5.xml:350 sssd-ldap.5.xml:1669
+#: sssd.conf.5.xml:2818 sssd-ldap.5.xml:360 sssd-ldap.5.xml:1724
 #: sssd-ipa.5.xml:269
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2817
+#: sssd.conf.5.xml:2824
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2820
+#: sssd.conf.5.xml:2827
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2824
+#: sssd.conf.5.xml:2831
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2834
+#: sssd.conf.5.xml:2841
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2837
+#: sssd.conf.5.xml:2844
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -3341,19 +3350,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2844
+#: sssd.conf.5.xml:2851
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2855
+#: sssd.conf.5.xml:2862
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2858
+#: sssd.conf.5.xml:2865
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -3362,17 +3371,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2865
+#: sssd.conf.5.xml:2872
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2870
+#: sssd.conf.5.xml:2877
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2881
+#: sssd.conf.5.xml:2888
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -3381,28 +3390,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2888
+#: sssd.conf.5.xml:2895
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2894
+#: sssd.conf.5.xml:2901
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2897
+#: sssd.conf.5.xml:2904
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2901
+#: sssd.conf.5.xml:2908
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2904
+#: sssd.conf.5.xml:2911
 msgid ""
 "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
 "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3410,7 +3419,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2912
+#: sssd.conf.5.xml:2919
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -3418,8 +3427,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2920 sssd.conf.5.xml:3026 sssd.conf.5.xml:3077
-#: sssd.conf.5.xml:3140
+#: sssd.conf.5.xml:2927 sssd.conf.5.xml:3038 sssd.conf.5.xml:3089
+#: sssd.conf.5.xml:3152
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -3428,8 +3437,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2929 sssd.conf.5.xml:3035 sssd.conf.5.xml:3086
-#: sssd.conf.5.xml:3149
+#: sssd.conf.5.xml:2936 sssd.conf.5.xml:3047 sssd.conf.5.xml:3098
+#: sssd.conf.5.xml:3161
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3437,19 +3446,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2940
+#: sssd.conf.5.xml:2947
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2943
+#: sssd.conf.5.xml:2950
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2948
+#: sssd.conf.5.xml:2955
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -3458,7 +3467,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2956
+#: sssd.conf.5.xml:2963
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -3466,24 +3475,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2963
+#: sssd.conf.5.xml:2970
 msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2970
+#: sssd.conf.5.xml:2977
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2973
+#: sssd.conf.5.xml:2980
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2976
+#: sssd.conf.5.xml:2983
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -3495,27 +3504,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2994
+#: sssd.conf.5.xml:3001
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3007 sssd.conf.5.xml:3675 sssd-ldap.5.xml:326
+#: sssd-ldap.5.xml:355 sssd-ldap.5.xml:408 sssd-ldap.5.xml:468
+#: sssd-ldap.5.xml:489 sssd-ldap.5.xml:520 sssd-ldap.5.xml:543
+#: sssd-ldap.5.xml:582 sssd-ldap.5.xml:601 sssd-ldap.5.xml:625
+#: sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1084
+msgid ""
+"This option can be also set per subdomain or inherited via "
+"<emphasis>subdomain_inherit</emphasis>."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3005
+#: sssd.conf.5.xml:3017
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3008
+#: sssd.conf.5.xml:3020
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3012 sssd.conf.5.xml:3070
+#: sssd.conf.5.xml:3024 sssd.conf.5.xml:3082
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3523,7 +3543,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3019
+#: sssd.conf.5.xml:3031
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3531,30 +3551,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3043
+#: sssd.conf.5.xml:3055
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3046
+#: sssd.conf.5.xml:3058
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3049
+#: sssd.conf.5.xml:3061
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3055
+#: sssd.conf.5.xml:3067
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3058
+#: sssd.conf.5.xml:3070
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -3562,19 +3582,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3064
+#: sssd.conf.5.xml:3076
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3067
+#: sssd.conf.5.xml:3079
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3094
+#: sssd.conf.5.xml:3106
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -3583,7 +3603,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3101
+#: sssd.conf.5.xml:3113
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -3591,29 +3611,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3108
+#: sssd.conf.5.xml:3120
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3111
+#: sssd.conf.5.xml:3123
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3116
+#: sssd.conf.5.xml:3128
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3119
+#: sssd.conf.5.xml:3131
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3124
+#: sssd.conf.5.xml:3136
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3621,7 +3641,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3132
+#: sssd.conf.5.xml:3144
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3629,35 +3649,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3157
+#: sssd.conf.5.xml:3169
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3161
+#: sssd.conf.5.xml:3173
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3164
+#: sssd.conf.5.xml:3176
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3171
+#: sssd.conf.5.xml:3183
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3174
+#: sssd.conf.5.xml:3186
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3178
+#: sssd.conf.5.xml:3190
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3665,32 +3685,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3186
+#: sssd.conf.5.xml:3198
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3190
+#: sssd.conf.5.xml:3202
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3194
+#: sssd.conf.5.xml:3206
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3197 sssd.conf.5.xml:3283 sssd.conf.5.xml:3353
-#: sssd.conf.5.xml:3378 sssd.conf.5.xml:3414
+#: sssd.conf.5.xml:3209 sssd.conf.5.xml:3295 sssd.conf.5.xml:3365
+#: sssd.conf.5.xml:3390 sssd.conf.5.xml:3426
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3201
+#: sssd.conf.5.xml:3213
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -3701,7 +3721,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3216
+#: sssd.conf.5.xml:3228
 msgid ""
 "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
 "background unless the sudo provider is explicitly disabled. Set "
@@ -3710,12 +3730,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3226
+#: sssd.conf.5.xml:3238
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3229
+#: sssd.conf.5.xml:3241
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3723,7 +3743,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3235
+#: sssd.conf.5.xml:3247
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3731,31 +3751,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3243
+#: sssd.conf.5.xml:3255
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3246
+#: sssd.conf.5.xml:3258
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3252
+#: sssd.conf.5.xml:3264
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3255
+#: sssd.conf.5.xml:3267
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3261
+#: sssd.conf.5.xml:3273
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3763,7 +3783,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3270
+#: sssd.conf.5.xml:3282
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3772,17 +3792,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3279
+#: sssd.conf.5.xml:3291
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3289
+#: sssd.conf.5.xml:3301
 msgid "session_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3292
+#: sssd.conf.5.xml:3304
 msgid ""
 "The provider which configures and manages user session related tasks. The "
 "only user session task currently provided is the integration with Fleet "
@@ -3790,43 +3810,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3299
+#: sssd.conf.5.xml:3311
 msgid "<quote>ipa</quote> to allow performing user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3303
+#: sssd.conf.5.xml:3315
 msgid ""
 "<quote>none</quote> does not perform any kind of user session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3307
+#: sssd.conf.5.xml:3319
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can perform "
 "session related tasks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3311
+#: sssd.conf.5.xml:3323
 msgid ""
 "<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
 "SSSD must be running as \"root\" and not as the unprivileged user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3319
+#: sssd.conf.5.xml:3331
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3322
+#: sssd.conf.5.xml:3334
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3326
+#: sssd.conf.5.xml:3338
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3834,7 +3854,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3333
+#: sssd.conf.5.xml:3345
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3842,7 +3862,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3341
+#: sssd.conf.5.xml:3353
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3850,24 +3870,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3350
+#: sssd.conf.5.xml:3362
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3360
+#: sssd.conf.5.xml:3372
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3363
+#: sssd.conf.5.xml:3375
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3367
+#: sssd.conf.5.xml:3379
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3875,31 +3895,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3375
+#: sssd.conf.5.xml:3387
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3385
+#: sssd.conf.5.xml:3397
 msgid "resolver_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3388
+#: sssd.conf.5.xml:3400
 msgid ""
 "The provider which should handle hosts and networks lookups. Supported "
 "resolver providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3392
+#: sssd.conf.5.xml:3404
 msgid ""
 "<quote>proxy</quote> to forward lookups to another NSS library. See "
 "<quote>proxy_resolver_lib_name</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3396
+#: sssd.conf.5.xml:3408
 msgid ""
 "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -3907,7 +3927,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3403
+#: sssd.conf.5.xml:3415
 msgid ""
 "<quote>ad</quote> to fetch hosts and networks stored in AD. See "
 "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
@@ -3916,12 +3936,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3411
+#: sssd.conf.5.xml:3423
 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3424
+#: sssd.conf.5.xml:3436
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3931,7 +3951,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3433
+#: sssd.conf.5.xml:3445
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))|(^(?"
@@ -3940,29 +3960,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3438
+#: sssd.conf.5.xml:3450
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3441
+#: sssd.conf.5.xml:3453
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:3444
+#: sssd.conf.5.xml:3456
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3447
+#: sssd.conf.5.xml:3459
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3452
+#: sssd.conf.5.xml:3464
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3970,104 +3990,102 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3500
+#: sssd.conf.5.xml:3512
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3506
+#: sssd.conf.5.xml:3518
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3509
+#: sssd.conf.5.xml:3521
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3513
+#: sssd.conf.5.xml:3525
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3516
+#: sssd.conf.5.xml:3528
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3519
+#: sssd.conf.5.xml:3531
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3522
+#: sssd.conf.5.xml:3534
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3525
+#: sssd.conf.5.xml:3537
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3528
+#: sssd.conf.5.xml:3540
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3534 sssd.conf.5.xml:3577
+#: sssd.conf.5.xml:3546
 msgid "dns_resolver_server_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3537 sssd.conf.5.xml:3580
+#: sssd.conf.5.xml:3549
 msgid ""
 "Defines the amount of time (in milliseconds)  SSSD would try to talk to DNS "
 "server before trying next DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3542
+#: sssd.conf.5.xml:3554
 msgid ""
 "The AD provider will use this option for the CLDAP ping timeouts as well."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3546 sssd.conf.5.xml:3566 sssd.conf.5.xml:3585
-#: sssd.conf.5.xml:3605 sssd.conf.5.xml:3626
+#: sssd.conf.5.xml:3558 sssd.conf.5.xml:3578 sssd.conf.5.xml:3599
 msgid ""
 "Please see the section <quote>FAILOVER</quote> for more information about "
 "the service resolution."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3551 sssd.conf.5.xml:3590 sssd-ldap.5.xml:599
-#: include/failover.xml:84
+#: sssd.conf.5.xml:3563 sssd-ldap.5.xml:644 include/failover.xml:84
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3557 sssd.conf.5.xml:3596
+#: sssd.conf.5.xml:3569
 msgid "dns_resolver_op_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3560 sssd.conf.5.xml:3599
+#: sssd.conf.5.xml:3572
 msgid ""
 "Defines the amount of time (in seconds) to wait to resolve single DNS query "
-"(e.g. resolution of a hostname or an SRV record)  before try next hostname "
-"or DNS discovery."
+"(e.g. resolution of a hostname or an SRV record)  before trying the next "
+"hostname or DNS discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3616
+#: sssd.conf.5.xml:3589
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3619
+#: sssd.conf.5.xml:3592
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the "
 "internal fail over service before assuming that the service is unreachable. "
@@ -4076,64 +4094,64 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3637
+#: sssd.conf.5.xml:3610
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3640
+#: sssd.conf.5.xml:3613
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3644
+#: sssd.conf.5.xml:3617
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3650
+#: sssd.conf.5.xml:3623
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3653
+#: sssd.conf.5.xml:3626
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3659
+#: sssd.conf.5.xml:3632
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3666
+#: sssd.conf.5.xml:3639
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3669
+#: sssd.conf.5.xml:3642
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3675
+#: sssd.conf.5.xml:3648
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3677
+#: sssd.conf.5.xml:3650
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3681
+#: sssd.conf.5.xml:3654
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3684
+#: sssd.conf.5.xml:3657
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -4141,38 +4159,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3692
+#: sssd.conf.5.xml:3665
 msgid ""
 "If you want to set this value for trusted domain with IPA provider, you need "
 "to set it on both the client and SSSD on the server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3662
+#: sssd.conf.5.xml:3635
 msgid ""
 "Treat user and group names as case sensitive.  Possible option values are: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3702 sssd-ldap.5.xml:580
-msgid ""
-"This option can be also set per subdomain or inherited via "
-"<emphasis>subdomain_inherit</emphasis>."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3707
+#: sssd.conf.5.xml:3680
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3713
+#: sssd.conf.5.xml:3686
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3716
+#: sssd.conf.5.xml:3689
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -4180,49 +4191,104 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3722
-msgid "ignore_group_members"
+#: sssd.conf.5.xml:3695
+msgid "ldap_search_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3698
+msgid "ldap_network_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3701
+msgid "ldap_opt_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3704
+msgid "ldap_offline_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3725
+#: sssd.conf.5.xml:3707
+msgid "ldap_enumeration_refresh_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3710
+msgid "ldap_enumeration_refresh_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3713
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3728
+#: sssd.conf.5.xml:3716
+msgid "ldap_purge_cache_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3719
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3723
+msgid "ldap_krb5_ticket_lifetime"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3726
+msgid "ldap_enumeration_search_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3729
+msgid "ldap_connection_expire_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3732
+msgid "ldap_connection_expire_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3735
 msgid "ldap_connection_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3731 sssd-ldap.5.xml:390
+#: sssd.conf.5.xml:3738 sssd-ldap.5.xml:400
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3734
+#: sssd.conf.5.xml:3741
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3737
-msgid ""
-"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
-"is not set explicitly)"
+#: sssd.conf.5.xml:3744
+msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3741
+#: sssd.conf.5.xml:3747
 msgid "auto_private_groups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3744
+#: sssd.conf.5.xml:3750
 msgid "case_sensitive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3749
+#: sssd.conf.5.xml:3755
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -4230,27 +4296,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3756
+#: sssd.conf.5.xml:3762
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3763
+#: sssd.conf.5.xml:3769
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3774
+#: sssd.conf.5.xml:3780
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3775
+#: sssd.conf.5.xml:3781
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3766
+#: sssd.conf.5.xml:3772
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -4260,34 +4326,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3780
+#: sssd.conf.5.xml:3786
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3784
+#: sssd.conf.5.xml:3790
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3789
+#: sssd.conf.5.xml:3795
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3792
+#: sssd.conf.5.xml:3798
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3798
+#: sssd.conf.5.xml:3804
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3801
+#: sssd.conf.5.xml:3807
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -4296,19 +4362,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3809
+#: sssd.conf.5.xml:3815
 msgid ""
 "This option's value is inherited by all trusted domains. At the moment it is "
 "not possible to set a different value per trusted domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3814
+#: sssd.conf.5.xml:3820
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3818
+#: sssd.conf.5.xml:3824
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -4316,24 +4382,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3829
+#: sssd.conf.5.xml:3835
 msgid "auto_private_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3835
+#: sssd.conf.5.xml:3841
 msgid "true"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3838
+#: sssd.conf.5.xml:3844
 msgid ""
 "Create user's private group unconditionally from user's UID number.  The GID "
 "number is ignored in this case."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3842
+#: sssd.conf.5.xml:3848
 msgid ""
 "NOTE: Because the GID number and the user private group are inferred from "
 "the UID number, it is not supported to have multiple entries with the same "
@@ -4342,24 +4408,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3851
+#: sssd.conf.5.xml:3857
 msgid "false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3854
+#: sssd.conf.5.xml:3860
 msgid ""
 "Always use the user's primary GID number. The GID number must refer to a "
 "group object in the LDAP database."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3860
+#: sssd.conf.5.xml:3866
 msgid "hybrid"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3863
+#: sssd.conf.5.xml:3869
 msgid ""
 "A primary group is autogenerated for user entries whose UID and GID numbers "
 "have the same value and at the same time the GID number does not correspond "
@@ -4369,14 +4435,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3876
+#: sssd.conf.5.xml:3882
 msgid ""
 "If the UID and GID of a user are different, then the GID must correspond to "
 "a group entry, otherwise the GID is simply not resolvable."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3883
+#: sssd.conf.5.xml:3889
 msgid ""
 "This feature is useful for environments that wish to stop maintaining a "
 "separate group objects for the user private groups, but also wish to retain "
@@ -4384,21 +4450,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3832
+#: sssd.conf.5.xml:3838
 msgid ""
 "This option takes any of three available values: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3895
+#: sssd.conf.5.xml:3901
 msgid ""
 "For subdomains, the default value is False for subdomains that use assigned "
 "POSIX IDs and True for subdomains that use automatic ID-mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3903
+#: sssd.conf.5.xml:3909
 #, no-wrap
 msgid ""
 "[domain/forest.domain/sub.domain]\n"
@@ -4406,7 +4472,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:3909
+#: sssd.conf.5.xml:3915
 #, no-wrap
 msgid ""
 "[domain/forest.domain]\n"
@@ -4415,7 +4481,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3900
+#: sssd.conf.5.xml:3906
 msgid ""
 "The value of auto_private_groups can either be set per subdomains in a "
 "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or "
@@ -4424,7 +4490,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2466
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -4432,29 +4498,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3924
+#: sssd.conf.5.xml:3930
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3927
+#: sssd.conf.5.xml:3933
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3930
+#: sssd.conf.5.xml:3936
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3938
+#: sssd.conf.5.xml:3944
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3941
+#: sssd.conf.5.xml:3947
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -4462,12 +4528,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3951
+#: sssd.conf.5.xml:3957
 msgid "proxy_resolver_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3954
+#: sssd.conf.5.xml:3960
 msgid ""
 "The name of the NSS library to use for hosts and networks lookups in proxy "
 "domains. The NSS functions searched for in the library are in the form of "
@@ -4475,12 +4541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3965
+#: sssd.conf.5.xml:3971
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3968
+#: sssd.conf.5.xml:3974
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -4489,12 +4555,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:3982
+#: sssd.conf.5.xml:3988
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:3985
+#: sssd.conf.5.xml:3991
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -4502,19 +4568,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:3920
+#: sssd.conf.5.xml:3926
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:4001
+#: sssd.conf.5.xml:4007
 msgid "Application domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4003
+#: sssd.conf.5.xml:4009
 msgid ""
 "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
@@ -4531,7 +4597,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4023
+#: sssd.conf.5.xml:4029
 msgid ""
 "Please note that the application domain must still be explicitly enabled in "
 "the <quote>domains</quote> parameter so that the lookup order between the "
@@ -4539,17 +4605,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:4029
+#: sssd.conf.5.xml:4035
 msgid "Application domain parameters"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4031
+#: sssd.conf.5.xml:4037
 msgid "inherit_from (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4034
+#: sssd.conf.5.xml:4040
 msgid ""
 "The SSSD POSIX-type domain the application domain inherits all settings "
 "from. The application domain can moreover add its own settings to the "
@@ -4558,7 +4624,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:4048
+#: sssd.conf.5.xml:4054
 msgid ""
 "The following example illustrates the use of an application domain. In this "
 "setup, the POSIX domain is connected to an LDAP server and is used by the OS "
@@ -4568,7 +4634,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
-#: sssd.conf.5.xml:4056
+#: sssd.conf.5.xml:4062
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4588,12 +4654,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4076
+#: sssd.conf.5.xml:4082
 msgid "TRUSTED DOMAIN SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4078
+#: sssd.conf.5.xml:4084
 msgid ""
 "Some options used in the domain section can also be used in the trusted "
 "domain section, that is, in a section called <quote>[domain/"
@@ -4604,69 +4670,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4085
+#: sssd.conf.5.xml:4091
 msgid "ldap_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4086
+#: sssd.conf.5.xml:4092
 msgid "ldap_user_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4087
+#: sssd.conf.5.xml:4093
 msgid "ldap_group_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4088
+#: sssd.conf.5.xml:4094
 msgid "ldap_netgroup_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4089
+#: sssd.conf.5.xml:4095
 msgid "ldap_service_search_base,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4090
+#: sssd.conf.5.xml:4096
 msgid "ldap_sasl_mech,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4091
+#: sssd.conf.5.xml:4097
 msgid "ad_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4092
+#: sssd.conf.5.xml:4098
 msgid "ad_backup_server,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4093
+#: sssd.conf.5.xml:4099
 msgid "ad_site,"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4094 sssd-ipa.5.xml:825
+#: sssd.conf.5.xml:4100 sssd-ipa.5.xml:825
 msgid "use_fully_qualified_names"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4098
+#: sssd.conf.5.xml:4104
 msgid ""
 "For more details about these options see their individual description in the "
 "manual page."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4104
+#: sssd.conf.5.xml:4110
 msgid "CERTIFICATE MAPPING SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4106
+#: sssd.conf.5.xml:4112
 msgid ""
 "To allow authentication with Smartcards and certificates SSSD must be able "
 "to map certificates to users. This can be done by adding the full "
@@ -4679,7 +4745,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4120
+#: sssd.conf.5.xml:4126
 msgid ""
 "To make the mapping more flexible mapping and matching rules were added to "
 "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> "
@@ -4687,7 +4753,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4129
+#: sssd.conf.5.xml:4135
 msgid ""
 "A mapping and matching rule can be added to the SSSD configuration in a "
 "section on its own with a name like <quote>[certmap/"
@@ -4696,55 +4762,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4136
+#: sssd.conf.5.xml:4142
 msgid "matchrule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4139
+#: sssd.conf.5.xml:4145
 msgid ""
 "Only certificates from the Smartcard which matches this rule will be "
 "processed, all others are ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4143
+#: sssd.conf.5.xml:4149
 msgid ""
 "Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only certificates which have the "
 "Extended Key Usage <quote>clientAuth</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4150
+#: sssd.conf.5.xml:4156
 msgid "maprule (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4153
+#: sssd.conf.5.xml:4159
 msgid "Defines how the user is found for a given certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4159
+#: sssd.conf.5.xml:4165
 msgid ""
 "LDAP:(userCertificate;binary={cert!bin})  for LDAP based providers like "
 "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4165
+#: sssd.conf.5.xml:4171
 msgid ""
 "The RULE_NAME for the <quote>files</quote> provider which tries to find a "
 "user with the same name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4174
+#: sssd.conf.5.xml:4180
 msgid "domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4177
+#: sssd.conf.5.xml:4183
 msgid ""
 "Comma separated list of domain names the rule should be applied. By default "
 "a rule is only valid in the domain configured in sssd.conf. If the provider "
@@ -4753,17 +4819,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4184
+#: sssd.conf.5.xml:4190
 msgid "Default: the configured domain in sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4189
+#: sssd.conf.5.xml:4195
 msgid "priority (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4192
+#: sssd.conf.5.xml:4198
 msgid ""
 "Unsigned integer value defining the priority of the rule. The higher the "
 "number the lower the priority.  <quote>0</quote> stands for the highest "
@@ -4771,26 +4837,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4198
+#: sssd.conf.5.xml:4204
 msgid "Default: the lowest priority"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4204
+#: sssd.conf.5.xml:4210
 msgid ""
 "To make the configuration simple and reduce the amount of configuration "
 "options the <quote>files</quote> provider has some special properties:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4210
+#: sssd.conf.5.xml:4216
 msgid ""
 "if maprule is not set the RULE_NAME name is assumed to be the name of the "
 "matching user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4216
+#: sssd.conf.5.xml:4222
 msgid ""
 "if a maprule is used both a single user name or a template like "
 "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. "
@@ -4799,17 +4865,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:4225
+#: sssd.conf.5.xml:4231
 msgid "the <quote>domains</quote> option is ignored"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4233
+#: sssd.conf.5.xml:4239
 msgid "PROMPTING CONFIGURATION SECTION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4235
+#: sssd.conf.5.xml:4241
 msgid ""
 "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</"
 "filename>)  exists SSSD's PAM module pam_sss will ask SSSD to figure out "
@@ -4819,7 +4885,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4243
+#: sssd.conf.5.xml:4249
 msgid ""
 "With the growing number of authentication methods and the possibility that "
 "there are multiple ones for a single user the heuristic used by pam_sss to "
@@ -4828,59 +4894,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4255
+#: sssd.conf.5.xml:4261
 msgid "[prompting/password]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4258
+#: sssd.conf.5.xml:4264
 msgid "password_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4259
+#: sssd.conf.5.xml:4265
 msgid "to change the string of the password prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4257
+#: sssd.conf.5.xml:4263
 msgid ""
 "to configure password prompting, allowed options are: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4267
+#: sssd.conf.5.xml:4273
 msgid "[prompting/2fa]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4271
+#: sssd.conf.5.xml:4277
 msgid "first_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4272
+#: sssd.conf.5.xml:4278
 msgid "to change the string of the prompt for the first factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4275
+#: sssd.conf.5.xml:4281
 msgid "second_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4276
+#: sssd.conf.5.xml:4282
 msgid "to change the string of the prompt for the second factor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:4279
+#: sssd.conf.5.xml:4285
 msgid "single_prompt"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4280
+#: sssd.conf.5.xml:4286
 msgid ""
 "boolean value, if True there will be only a single prompt using the value of "
 "first_prompt where it is expected that both factors are entered as a single "
@@ -4889,7 +4955,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:4269
+#: sssd.conf.5.xml:4275
 msgid ""
 "to configure two-factor authentication prompting, allowed options are: "
 "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is "
@@ -4898,7 +4964,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4250
+#: sssd.conf.5.xml:4256
 msgid ""
 "Each supported authentication method has its own configuration subsection "
 "under <quote>[prompting/...]</quote>. Currently there are: <placeholder "
@@ -4907,7 +4973,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4297
+#: sssd.conf.5.xml:4303
 msgid ""
 "It is possible to add a subsection for specific PAM services, e.g. "
 "<quote>[prompting/password/sshd]</quote> to individual change the prompting "
@@ -4915,12 +4981,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:4304 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
+#: sssd.conf.5.xml:4310 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43
 msgid "EXAMPLES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4310
+#: sssd.conf.5.xml:4316
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -4950,7 +5016,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4306
+#: sssd.conf.5.xml:4312
 msgid ""
 "1. The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -4959,7 +5025,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4343
+#: sssd.conf.5.xml:4349
 #, no-wrap
 msgid ""
 "[domain/ipa.com/child.ad.com]\n"
@@ -4967,7 +5033,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4337
+#: sssd.conf.5.xml:4343
 msgid ""
 "2. The following example shows configuration of IPA AD trust where the AD "
 "forest consists of two domains in a parent-child structure.  Suppose IPA "
@@ -4978,7 +5044,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:4357
+#: sssd.conf.5.xml:4363
 #, no-wrap
 msgid ""
 "[certmap/my.domain/rule_name]\n"
@@ -4992,7 +5058,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:4348
+#: sssd.conf.5.xml:4354
 msgid ""
 "3. The following example shows the configuration for two certificate mapping "
 "rules. The first is valid for the configured domain <quote>my.domain</quote> "
@@ -5055,7 +5121,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:130
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:78
 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202
 msgid "CONFIGURATION OPTIONS"
@@ -5156,7 +5222,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:132 sssd-ad.5.xml:288 sss_override.8.xml:143
+#: sssd-ldap.5.xml:132 sssd-ad.5.xml:303 sss_override.8.xml:143
 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453
 msgid "Examples:"
 msgstr ""
@@ -5372,12 +5438,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:332
+#: sssd-ldap.5.xml:337
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:340
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -5385,7 +5451,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:346
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -5394,12 +5460,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:356
+#: sssd-ldap.5.xml:366
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:359
+#: sssd-ldap.5.xml:369
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5407,7 +5473,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:366
+#: sssd-ldap.5.xml:376
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5417,7 +5483,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:375
+#: sssd-ldap.5.xml:385
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5427,34 +5493,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:384
+#: sssd-ldap.5.xml:394
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:393
+#: sssd-ldap.5.xml:403
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:398
+#: sssd-ldap.5.xml:413
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:404
+#: sssd-ldap.5.xml:419
 msgid "ldap_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:407
+#: sssd-ldap.5.xml:422
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:411 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
+#: sssd-ldap.5.xml:426 sssd-ipa.5.xml:403 sssd-ipa.5.xml:422 sssd-ipa.5.xml:441
 #: sssd-ipa.5.xml:460
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
@@ -5462,32 +5528,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ldap.5.xml:416 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
+#: sssd-ldap.5.xml:431 sssd-ipa.5.xml:408 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:438
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:428
+#: sssd-ldap.5.xml:443
 msgid "ldap_iphost_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:433
+#: sssd-ldap.5.xml:448
 msgid "ldap_ipnetwork_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:453
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:456
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5495,7 +5561,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:447
+#: sssd-ldap.5.xml:462
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5503,12 +5569,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:459
+#: sssd-ldap.5.xml:479
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:462
+#: sssd-ldap.5.xml:482
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5516,12 +5582,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:475
+#: sssd-ldap.5.xml:500
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:478
+#: sssd-ldap.5.xml:503
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5532,12 +5598,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:501
+#: sssd-ldap.5.xml:531
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:534
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5546,12 +5612,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:554
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:522
+#: sssd-ldap.5.xml:557
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5560,7 +5626,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:530
+#: sssd-ldap.5.xml:565
 msgid ""
 "If the connection is idle (not actively running an operation) within "
 "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be "
@@ -5571,36 +5637,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:577
 msgid ""
 "This timeout can be extended of a random value specified by "
 "<emphasis>ldap_connection_expire_offset</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547 sssd-ldap.5.xml:585 sssd-ldap.5.xml:1644
+#: sssd-ldap.5.xml:587 sssd-ldap.5.xml:630 sssd-ldap.5.xml:1699
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:593
 msgid "ldap_connection_expire_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:596
 msgid ""
 "Random offset between 0 and configured value is added to "
 "<emphasis>ldap_connection_expire_timeout</emphasis>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:612
 msgid "ldap_connection_idle_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:615
 msgid ""
 "Specifies a timeout (in seconds) that an idle connection to an LDAP server "
 "will be maintained.  If the connection is idle for more than this time then "
@@ -5608,29 +5674,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:576
+#: sssd-ldap.5.xml:621
 msgid "You can disable this timeout by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:591
+#: sssd-ldap.5.xml:636
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:639
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:605
+#: sssd-ldap.5.xml:650
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:653
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5638,14 +5704,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:614
+#: sssd-ldap.5.xml:659
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:620
+#: sssd-ldap.5.xml:665
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5653,17 +5719,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:632
+#: sssd-ldap.5.xml:677
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:635
+#: sssd-ldap.5.xml:680
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:638
+#: sssd-ldap.5.xml:683
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5673,12 +5739,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:653
+#: sssd-ldap.5.xml:698
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:701
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5686,17 +5752,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:662 sssd-ldap.5.xml:678
+#: sssd-ldap.5.xml:707 sssd-ldap.5.xml:723
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:714
 msgid "ldap_sasl_maxssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:717
 msgid ""
 "When communicating with an LDAP server using SASL, specify the maximal "
 "security level necessary to establish the connection. The values of this "
@@ -5704,12 +5770,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:730
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:688
+#: sssd-ldap.5.xml:733
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5717,7 +5783,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:694
+#: sssd-ldap.5.xml:739
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0. "
 "Please note that there are some codepaths in SSSD, like the IPA HBAC "
@@ -5728,7 +5794,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:705
+#: sssd-ldap.5.xml:750
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5737,7 +5803,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:713
+#: sssd-ldap.5.xml:758
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5745,12 +5811,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:726
+#: sssd-ldap.5.xml:771
 msgid "ldap_ignore_unreadable_references (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:729
+#: sssd-ldap.5.xml:774
 msgid ""
 "Ignore unreadable LDAP entries referenced in group's member attribute. If "
 "this parameter is set to false an error will be returned and the operation "
@@ -5758,7 +5824,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:781
 msgid ""
 "This parameter may be useful when using the AD provider and the computer "
 "account that sssd uses to connect to AD does not have access to a particular "
@@ -5766,26 +5832,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:794
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:797
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:758
+#: sssd-ldap.5.xml:803
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:807
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5793,7 +5859,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:769
+#: sssd-ldap.5.xml:814
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5801,7 +5867,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:775
+#: sssd-ldap.5.xml:820
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5809,41 +5875,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:781
+#: sssd-ldap.5.xml:826
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:785
+#: sssd-ldap.5.xml:830
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:791
+#: sssd-ldap.5.xml:836
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:794
+#: sssd-ldap.5.xml:839
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799 sssd-ldap.5.xml:817 sssd-ldap.5.xml:858
+#: sssd-ldap.5.xml:844 sssd-ldap.5.xml:862 sssd-ldap.5.xml:903
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:806
+#: sssd-ldap.5.xml:851
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:809
+#: sssd-ldap.5.xml:854
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5852,32 +5918,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:869
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:827
+#: sssd-ldap.5.xml:872
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:837
+#: sssd-ldap.5.xml:882
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:840
+#: sssd-ldap.5.xml:885
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:849
+#: sssd-ldap.5.xml:894
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:852
+#: sssd-ldap.5.xml:897
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5885,24 +5951,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:865
+#: sssd-ldap.5.xml:910
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:868
+#: sssd-ldap.5.xml:913
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:878
+#: sssd-ldap.5.xml:923
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:881
+#: sssd-ldap.5.xml:926
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5910,17 +5976,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:887
+#: sssd-ldap.5.xml:932
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:897
+#: sssd-ldap.5.xml:942
 msgid "ldap_min_id, ldap_max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:900
+#: sssd-ldap.5.xml:945
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5931,24 +5997,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:957
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:918
+#: sssd-ldap.5.xml:963
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:921
+#: sssd-ldap.5.xml:966
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI and GSS-SPNEGO are "
 "tested and supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:925
+#: sssd-ldap.5.xml:970
 msgid ""
 "If the backend supports sub-domains the value of ldap_sasl_mech is "
 "automatically inherited to the sub-domains. If a different value is needed "
@@ -5959,12 +6025,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:941
+#: sssd-ldap.5.xml:986
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ldap.5.xml:953
+#: sssd-ldap.5.xml:998
 #, no-wrap
 msgid ""
 "hostname@REALM\n"
@@ -5977,7 +6043,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:944
+#: sssd-ldap.5.xml:989
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI/GSS-SPNEGO are used, "
 "this represents the Kerberos principal used for authentication to the "
@@ -5989,17 +6055,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:964
+#: sssd-ldap.5.xml:1009
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:970
+#: sssd-ldap.5.xml:1015
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:973
+#: sssd-ldap.5.xml:1018
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -6007,49 +6073,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:979
+#: sssd-ldap.5.xml:1024
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:985
+#: sssd-ldap.5.xml:1030
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:988
+#: sssd-ldap.5.xml:1033
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1038
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:999
+#: sssd-ldap.5.xml:1044
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1047
 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1006 sssd-krb5.5.xml:247
+#: sssd-ldap.5.xml:1056 sssd-krb5.5.xml:247
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1012
+#: sssd-ldap.5.xml:1062
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1015
+#: sssd-ldap.5.xml:1065
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6057,28 +6123,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1027
+#: sssd-ldap.5.xml:1077
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1030
+#: sssd-ldap.5.xml:1080
 msgid ""
 "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1034 sssd-ad.5.xml:1229
+#: sssd-ldap.5.xml:1089 sssd-ad.5.xml:1244
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1095 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1098
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6090,7 +6156,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1055 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1110 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6098,7 +6164,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1060 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1115 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6106,39 +6172,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1069 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1124 sssd-ipa.5.xml:472 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1072
+#: sssd-ldap.5.xml:1127
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1076
+#: sssd-ldap.5.xml:1131
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1082 include/krb5_options.xml:145
+#: sssd-ldap.5.xml:1137 include/krb5_options.xml:154
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1085
+#: sssd-ldap.5.xml:1140
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:336
+#: sssd-ldap.5.xml:1152 sssd-krb5.5.xml:336
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100 sssd-krb5.5.xml:339
+#: sssd-ldap.5.xml:1155 sssd-krb5.5.xml:339
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6148,7 +6214,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1111 sssd-krb5.5.xml:350
+#: sssd-ldap.5.xml:1166 sssd-krb5.5.xml:350
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6156,26 +6222,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1180
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1128
+#: sssd-ldap.5.xml:1183
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1133
+#: sssd-ldap.5.xml:1188
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138
+#: sssd-ldap.5.xml:1193
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6184,7 +6250,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1146
+#: sssd-ldap.5.xml:1201
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6192,31 +6258,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1155
+#: sssd-ldap.5.xml:1210
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1218
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1221
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1170
+#: sssd-ldap.5.xml:1225
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1230
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6229,51 +6295,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1194
+#: sssd-ldap.5.xml:1249
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1197
+#: sssd-ldap.5.xml:1252
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1256
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1207
+#: sssd-ldap.5.xml:1262
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1210
+#: sssd-ldap.5.xml:1265
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1215
+#: sssd-ldap.5.xml:1270
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1221
+#: sssd-ldap.5.xml:1276
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1224
+#: sssd-ldap.5.xml:1279
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1230
+#: sssd-ldap.5.xml:1285
 msgid ""
 "It is recommend to set this option explicitly if \"ldap_pwd_policy = "
 "shadow\" is used to let SSSD know if the LDAP server will update "
@@ -6282,12 +6348,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1244
+#: sssd-ldap.5.xml:1299
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1247
+#: sssd-ldap.5.xml:1302
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6303,12 +6369,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1267
+#: sssd-ldap.5.xml:1322
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1270
+#: sssd-ldap.5.xml:1325
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6317,14 +6383,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1274
+#: sssd-ldap.5.xml:1329
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1279
+#: sssd-ldap.5.xml:1334
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6333,24 +6399,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1287 sssd-ldap.5.xml:1344
+#: sssd-ldap.5.xml:1342 sssd-ldap.5.xml:1399
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1348
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1296
+#: sssd-ldap.5.xml:1351
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1355
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6358,19 +6424,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1307
+#: sssd-ldap.5.xml:1362
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1310
+#: sssd-ldap.5.xml:1365
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1315
+#: sssd-ldap.5.xml:1370
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6379,7 +6445,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1322
+#: sssd-ldap.5.xml:1377
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6387,7 +6453,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1328
+#: sssd-ldap.5.xml:1383
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6396,7 +6462,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1337
+#: sssd-ldap.5.xml:1392
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6404,22 +6470,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1350
+#: sssd-ldap.5.xml:1405
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1353
+#: sssd-ldap.5.xml:1408
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1357
+#: sssd-ldap.5.xml:1412
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1360
+#: sssd-ldap.5.xml:1415
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6429,14 +6495,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1370
+#: sssd-ldap.5.xml:1425
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1377
+#: sssd-ldap.5.xml:1432
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6449,12 +6515,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1394
+#: sssd-ldap.5.xml:1449
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1453
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6464,7 +6530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1463
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6474,63 +6540,63 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1471
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1420
+#: sssd-ldap.5.xml:1475
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1425
+#: sssd-ldap.5.xml:1480
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1430
+#: sssd-ldap.5.xml:1485
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1434
+#: sssd-ldap.5.xml:1489
 msgid ""
 "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
 "remote host can access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1493
 msgid ""
 "Please note, rhost field in pam is set by application, it is better to check "
 "what the application sends to pam, before enabling this access control option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1443
+#: sssd-ldap.5.xml:1498
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1446
+#: sssd-ldap.5.xml:1501
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1453
+#: sssd-ldap.5.xml:1508
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1456
+#: sssd-ldap.5.xml:1511
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6539,74 +6605,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1464
+#: sssd-ldap.5.xml:1519
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1467
+#: sssd-ldap.5.xml:1522
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1473
+#: sssd-ldap.5.xml:1528
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1476
+#: sssd-ldap.5.xml:1531
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1481
+#: sssd-ldap.5.xml:1536
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1485
+#: sssd-ldap.5.xml:1540
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1490
+#: sssd-ldap.5.xml:1545
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1495
+#: sssd-ldap.5.xml:1550
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1500
+#: sssd-ldap.5.xml:1555
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1508
+#: sssd-ldap.5.xml:1563
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1511
+#: sssd-ldap.5.xml:1566
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1515
+#: sssd-ldap.5.xml:1570
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6617,7 +6683,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1526
+#: sssd-ldap.5.xml:1581
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6625,48 +6691,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1538 sssd-ifp.5.xml:152
+#: sssd-ldap.5.xml:1593 sssd-ifp.5.xml:152
 msgid "wildcard_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1541
+#: sssd-ldap.5.xml:1596
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1600
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1549
+#: sssd-ldap.5.xml:1604
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1555
+#: sssd-ldap.5.xml:1610
 msgid "ldap_library_debug_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1613
 msgid ""
 "Switches on libldap debugging with the given level.  The libldap debug "
 "messages will be written independent of the general debug_level."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1563
+#: sssd-ldap.5.xml:1618
 msgid ""
 "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will "
 "enable full debug output."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1568
+#: sssd-ldap.5.xml:1623
 msgid "Default: 0 (libldap debugging disabled)"
 msgstr ""
 
@@ -6683,12 +6749,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1578
+#: sssd-ldap.5.xml:1633
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1635
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6696,43 +6762,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1591
+#: sssd-ldap.5.xml:1646
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1594
+#: sssd-ldap.5.xml:1649
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1599
+#: sssd-ldap.5.xml:1654
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1604
+#: sssd-ldap.5.xml:1659
 msgid ""
 "You can disable full refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1609
+#: sssd-ldap.5.xml:1664
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1615
+#: sssd-ldap.5.xml:1670
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1618
+#: sssd-ldap.5.xml:1673
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest "
@@ -6740,14 +6806,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1624
+#: sssd-ldap.5.xml:1679
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1683
 msgid ""
 "<emphasis>Note:</emphasis> the highest USN value can be updated by three "
 "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by "
@@ -6757,19 +6823,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1639
+#: sssd-ldap.5.xml:1694
 msgid ""
 "You can disable smart refresh by setting this option to 0. However, either "
 "smart or full refresh must be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1650
+#: sssd-ldap.5.xml:1705
 msgid "ldap_sudo_random_offset (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1653
+#: sssd-ldap.5.xml:1708
 msgid ""
 "Random offset between 0 and configured value is added to smart and full "
 "refresh periods each time the periodic task is scheduled. The value is in "
@@ -6777,7 +6843,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1659
+#: sssd-ldap.5.xml:1714
 msgid ""
 "Note that this random offset is also applied on the first SSSD start which "
 "delays the first sudo rules refresh. This prolongs the time when the sudo "
@@ -6785,106 +6851,106 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1665
+#: sssd-ldap.5.xml:1720
 msgid "You can disable this offset by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1675
+#: sssd-ldap.5.xml:1730
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1678
+#: sssd-ldap.5.xml:1733
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1689
+#: sssd-ldap.5.xml:1744
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1692
+#: sssd-ldap.5.xml:1747
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1697
+#: sssd-ldap.5.xml:1752
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1702 sssd-ldap.5.xml:1725 sssd-ldap.5.xml:1743
-#: sssd-ldap.5.xml:1761
+#: sssd-ldap.5.xml:1757 sssd-ldap.5.xml:1780 sssd-ldap.5.xml:1798
+#: sssd-ldap.5.xml:1816
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1707 sssd-ldap.5.xml:1730
+#: sssd-ldap.5.xml:1762 sssd-ldap.5.xml:1785
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1713
+#: sssd-ldap.5.xml:1768
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1716
+#: sssd-ldap.5.xml:1771
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1721
+#: sssd-ldap.5.xml:1776
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1736
+#: sssd-ldap.5.xml:1791
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1739
+#: sssd-ldap.5.xml:1794
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1754
+#: sssd-ldap.5.xml:1809
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1757
+#: sssd-ldap.5.xml:1812
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para>
-#: sssd-ldap.5.xml:1767
+#: sssd-ldap.5.xml:1822
 msgid ""
 "Using wildcard is an operation that is very costly to evaluate on the LDAP "
 "server side!"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1779
+#: sssd-ldap.5.xml:1834
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6893,59 +6959,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1844
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1791
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1797
+#: sssd-ldap.5.xml:1852
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1855
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1803
+#: sssd-ldap.5.xml:1858
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1814
+#: sssd-ldap.5.xml:1869
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1821
+#: sssd-ldap.5.xml:1876
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1826
+#: sssd-ldap.5.xml:1881
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1831
+#: sssd-ldap.5.xml:1886
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:1836
+#: sssd-ldap.5.xml:1891
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:1838
+#: sssd-ldap.5.xml:1893
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
 "against Active Directory will not be restricted and return all groups "
@@ -6954,22 +7020,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:1845
+#: sssd-ldap.5.xml:1900
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1847
+#: sssd-ldap.5.xml:1902
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1852
+#: sssd-ldap.5.xml:1907
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1816
+#: sssd-ldap.5.xml:1871
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -6978,14 +7044,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1867 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
-#: sssd-ad.5.xml:1363 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
+#: sssd-ldap.5.xml:1922 sssd-simple.5.xml:131 sssd-ipa.5.xml:871
+#: sssd-ad.5.xml:1378 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98
 #: sssd-files.5.xml:156 sssd-session-recording.5.xml:176
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1869
+#: sssd-ldap.5.xml:1924
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -6993,7 +7059,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1875
+#: sssd-ldap.5.xml:1930
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7006,27 +7072,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:1874 sssd-ldap.5.xml:1892 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1371 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
+#: sssd-ldap.5.xml:1929 sssd-ldap.5.xml:1947 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:879 sssd-ad.5.xml:1386 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492
 #: sssd-files.5.xml:163 sssd-files.5.xml:174 sssd-session-recording.5.xml:182
 #: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1886
+#: sssd-ldap.5.xml:1941
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1943
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:1893
+#: sssd-ldap.5.xml:1948
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7042,13 +7108,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:1908 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1386 sssd.8.xml:238 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:1963 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1401 sssd.8.xml:238 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:1910
+#: sssd-ldap.5.xml:1965
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8054,7 +8120,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:131
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -9081,7 +9147,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1158
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:1173
 msgid "dyndns_update (boolean)"
 msgstr ""
 
@@ -9096,7 +9162,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1172
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:1187
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -9111,12 +9177,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1183
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:1198
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1186
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:1201
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -9137,12 +9203,12 @@ msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1197
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:1212
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1200
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:1215
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -9166,17 +9232,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1211
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:1226
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1262
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:1277
 msgid "dyndns_auth (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1265
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1280
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "updates with the DNS server, insecure updates can be sent by setting this "
@@ -9184,17 +9250,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1271
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:1286
 msgid "Default: GSS-TSIG"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1277
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1292
 msgid "dyndns_auth_ptr (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1280
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:1295
 msgid ""
 "Whether the nsupdate utility should use GSS-TSIG authentication for secure "
 "PTR updates with the DNS server, insecure updates can be sent by setting "
@@ -9202,7 +9268,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1286
+#: sssd-ipa.5.xml:227 sssd-ad.5.xml:1301
 msgid "Default: Same as dyndns_auth"
 msgstr ""
 
@@ -9212,7 +9278,7 @@ msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:215
+#: sssd-ipa.5.xml:236 sssd-ad.5.xml:230
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
@@ -9229,7 +9295,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1217
+#: sssd-ipa.5.xml:259 sssd-ad.5.xml:1232
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
@@ -9242,12 +9308,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1235
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1250
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1238
+#: sssd-ipa.5.xml:278 sssd-ad.5.xml:1253
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -9266,60 +9332,60 @@ msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1249
+#: sssd-ipa.5.xml:295 sssd-ad.5.xml:1264
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1252
+#: sssd-ipa.5.xml:298 sssd-ad.5.xml:1267
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1256
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1271
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1292
+#: sssd-ipa.5.xml:308 sssd-ad.5.xml:1307
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1295
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1310
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1300
+#: sssd-ipa.5.xml:316 sssd-ad.5.xml:1315
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1305
+#: sssd-ipa.5.xml:321 sssd-ad.5.xml:1320
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1310
+#: sssd-ipa.5.xml:326 sssd-ad.5.xml:1325
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1316
+#: sssd-ipa.5.xml:332 sssd-ad.5.xml:1331
 msgid "dyndns_update_per_family (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1319
+#: sssd-ipa.5.xml:335 sssd-ad.5.xml:1334
 msgid ""
 "DNS update is by default performed in two steps - IPv4 update and then IPv6 "
 "update. In some cases it might be desirable to perform IPv4 and IPv6 update "
@@ -9450,26 +9516,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1334
+#: sssd-ipa.5.xml:487 sssd-ad.5.xml:1349
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1337
+#: sssd-ipa.5.xml:490 sssd-ad.5.xml:1352
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1341
+#: sssd-ipa.5.xml:494 sssd-ad.5.xml:1356
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1345
+#: sssd-ipa.5.xml:498 sssd-ad.5.xml:1360
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -9488,7 +9554,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:576
+#: sssd-ipa.5.xml:515 sssd-ipa.5.xml:545 sssd-ipa.5.xml:561 sssd-ad.5.xml:591
 msgid "Default: 5 (seconds)"
 msgstr ""
 
@@ -10039,39 +10105,59 @@ msgid ""
 "LDAP implementation."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:113
+msgid ""
+"SSSD only resolves Active Directory Security Groups. For more information "
+"about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/"
+"windows-server/identity/ad-ds/manage/understand-security-groups\"> Active "
+"Directory security groups</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:120
+msgid ""
+"SSSD filters out Domain Local groups from remote domains in the AD forest. "
+"By default they are filtered out e.g. when following a nested group "
+"hierarchy in remote domains because they are not valid in the local domain. "
+"This is done to be in agreement with Active Directory's group-membership "
+"assignment which can be seen in the PAC of the Kerberos ticket of a user "
+"issued by Active Directory."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:123
+#: sssd-ad.5.xml:138
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:141
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:131
+#: sssd-ad.5.xml:146
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:136
+#: sssd-ad.5.xml:151
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:143
+#: sssd-ad.5.xml:158
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:146
+#: sssd-ad.5.xml:161
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -10079,7 +10165,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:156
+#: sssd-ad.5.xml:171
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -10087,7 +10173,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:152
+#: sssd-ad.5.xml:167
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -10095,19 +10181,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:160
+#: sssd-ad.5.xml:175
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:185
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:173
+#: sssd-ad.5.xml:188
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -10115,26 +10201,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:180
+#: sssd-ad.5.xml:195
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:185
+#: sssd-ad.5.xml:200
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:193
+#: sssd-ad.5.xml:208
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:196
+#: sssd-ad.5.xml:211
 msgid ""
 "Optional. On machines where the hostname(5) does not reflect the fully "
 "qualified name, sssd will try to expand the short name. If it is not "
@@ -10143,7 +10229,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:203
+#: sssd-ad.5.xml:218
 msgid ""
 "This field is used to determine the host principal in use in the keytab and "
 "to perform dynamic DNS updates. It must match the hostname for which the "
@@ -10151,12 +10237,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:212
+#: sssd-ad.5.xml:227
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:219
+#: sssd-ad.5.xml:234
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -10167,12 +10253,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:235
+#: sssd-ad.5.xml:250
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:238
+#: sssd-ad.5.xml:253
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -10181,7 +10267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:246
+#: sssd-ad.5.xml:261
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -10190,7 +10276,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:254
+#: sssd-ad.5.xml:269
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -10199,14 +10285,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:262
+#: sssd-ad.5.xml:277
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:267
+#: sssd-ad.5.xml:282
 msgid ""
 "Nested group membership must be searched for using a special OID "
 "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
@@ -10219,7 +10305,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:295
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -10228,7 +10314,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:306
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -10246,24 +10332,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:310
+#: sssd-ad.5.xml:325
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:313
+#: sssd-ad.5.xml:328
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:324
+#: sssd-ad.5.xml:339
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:327
+#: sssd-ad.5.xml:342
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -10272,7 +10358,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:335
+#: sssd-ad.5.xml:350
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -10281,12 +10367,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:349
+#: sssd-ad.5.xml:364
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:367
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -10296,7 +10382,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:361
+#: sssd-ad.5.xml:376
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to the host.  For more "
@@ -10305,7 +10391,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:369
+#: sssd-ad.5.xml:384
 msgid ""
 "Please note that current version of SSSD does not support Active Directory's "
 "built-in groups.  Built-in groups (such as Administrators with SID "
@@ -10314,7 +10400,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:378
+#: sssd-ad.5.xml:393
 msgid ""
 "Before performing access control SSSD applies group policy security "
 "filtering on the GPOs. For every single user login, the applicability of the "
@@ -10324,21 +10410,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:403
 msgid ""
 "Read: The user or one of its groups must have read access to the properties "
 "of the GPO (RIGHT_DS_READ_PROPERTY)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:395
+#: sssd-ad.5.xml:410
 msgid ""
 "Apply Group Policy: The user or at least one of its groups must be allowed "
 "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:403
+#: sssd-ad.5.xml:418
 msgid ""
 "By default, the Authenticated Users group is present on a GPO and this group "
 "has both Read and Apply Group Policy access rights. Since authentication of "
@@ -10348,7 +10434,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:412
+#: sssd-ad.5.xml:427
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -10363,23 +10449,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:431
+#: sssd-ad.5.xml:446
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:435
+#: sssd-ad.5.xml:450
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:441
+#: sssd-ad.5.xml:456
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:447
+#: sssd-ad.5.xml:462
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -10387,22 +10473,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:458
+#: sssd-ad.5.xml:473
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:461
+#: sssd-ad.5.xml:476
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:467
+#: sssd-ad.5.xml:482
 msgid "ad_gpo_implicit_deny (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:470
+#: sssd-ad.5.xml:485
 msgid ""
 "Normally when no applicable GPOs are found the users are allowed access. "
 "When this option is set to True users will be allowed access only when "
@@ -10413,7 +10499,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:501
 msgid ""
 "The following 2 tables should illustrate when a user is allowed or rejected "
 "based on the allow and deny login rights defined on the server-side and the "
@@ -10421,74 +10507,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:513
 msgid "ad_gpo_implicit_deny = False (default)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "allow-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:499 sssd-ad.5.xml:525
+#: sssd-ad.5.xml:514 sssd-ad.5.xml:540
 msgid "deny-rules"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:500 sssd-ad.5.xml:526
+#: sssd-ad.5.xml:515 sssd-ad.5.xml:541
 msgid "results"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:503 sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:529
-#: sssd-ad.5.xml:532 sssd-ad.5.xml:535
+#: sssd-ad.5.xml:518 sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:544
+#: sssd-ad.5.xml:547 sssd-ad.5.xml:550
 msgid "missing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:504
+#: sssd-ad.5.xml:519
 msgid "all users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry>
-#: sssd-ad.5.xml:506 sssd-ad.5.xml:509 sssd-ad.5.xml:512 sssd-ad.5.xml:532
-#: sssd-ad.5.xml:535 sssd-ad.5.xml:538
+#: sssd-ad.5.xml:521 sssd-ad.5.xml:524 sssd-ad.5.xml:527 sssd-ad.5.xml:547
+#: sssd-ad.5.xml:550 sssd-ad.5.xml:553
 msgid "present"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:522
 msgid "only users not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:510 sssd-ad.5.xml:536
+#: sssd-ad.5.xml:525 sssd-ad.5.xml:551
 msgid "only users in allow-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:513 sssd-ad.5.xml:539
+#: sssd-ad.5.xml:528 sssd-ad.5.xml:554
 msgid "only users in allow-rules and not in deny-rules are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry>
-#: sssd-ad.5.xml:524
+#: sssd-ad.5.xml:539
 msgid "ad_gpo_implicit_deny = True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para>
-#: sssd-ad.5.xml:530 sssd-ad.5.xml:533
+#: sssd-ad.5.xml:545 sssd-ad.5.xml:548
 msgid "no users are allowed"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:546
+#: sssd-ad.5.xml:561
 msgid "ad_gpo_ignore_unreadable (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:549
+#: sssd-ad.5.xml:564
 msgid ""
 "Normally when some group policy containers (AD object) of applicable group "
 "policy objects are not readable by SSSD then users are denied access.  This "
@@ -10498,12 +10584,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:581
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:569
+#: sssd-ad.5.xml:584
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -10511,12 +10597,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:582
+#: sssd-ad.5.xml:597
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:585
+#: sssd-ad.5.xml:600
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -10532,14 +10618,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:603
+#: sssd-ad.5.xml:618
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:617
+#: sssd-ad.5.xml:632
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -10547,7 +10633,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:608
+#: sssd-ad.5.xml:623
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10559,42 +10645,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:640
+#: sssd-ad.5.xml:655
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:660
+#: sssd-ad.5.xml:675
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:665
+#: sssd-ad.5.xml:680
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:670
+#: sssd-ad.5.xml:685
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:675
+#: sssd-ad.5.xml:690
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:680
+#: sssd-ad.5.xml:695
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:689
+#: sssd-ad.5.xml:704
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:692
+#: sssd-ad.5.xml:707
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -10610,7 +10696,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:711
+#: sssd-ad.5.xml:726
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -10618,7 +10704,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:726
+#: sssd-ad.5.xml:741
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -10626,7 +10712,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:717
+#: sssd-ad.5.xml:732
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10638,22 +10724,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:734
+#: sssd-ad.5.xml:749
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:739
+#: sssd-ad.5.xml:754
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:748
+#: sssd-ad.5.xml:763
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:751
+#: sssd-ad.5.xml:766
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -10669,7 +10755,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:769
+#: sssd-ad.5.xml:784
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -10677,7 +10763,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:799
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -10685,7 +10771,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:775
+#: sssd-ad.5.xml:790
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10697,22 +10783,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:792
+#: sssd-ad.5.xml:807
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:797
+#: sssd-ad.5.xml:812
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:806
+#: sssd-ad.5.xml:821
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:809
+#: sssd-ad.5.xml:824
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -10727,14 +10813,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:827
+#: sssd-ad.5.xml:842
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:841
+#: sssd-ad.5.xml:856
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -10742,7 +10828,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:832
+#: sssd-ad.5.xml:847
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10754,23 +10840,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:844
+#: sssd-ad.5.xml:859
 msgid ""
 "Note: Cron service name may differ depending on Linux distribution used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:865
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:859
+#: sssd-ad.5.xml:874
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:862
+#: sssd-ad.5.xml:877
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -10786,14 +10872,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:880
+#: sssd-ad.5.xml:895
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:893
+#: sssd-ad.5.xml:908
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -10801,7 +10887,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:885 sssd-ad.5.xml:960
+#: sssd-ad.5.xml:900 sssd-ad.5.xml:975
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -10812,19 +10898,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:903
+#: sssd-ad.5.xml:918
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:906
+#: sssd-ad.5.xml:921
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:920
+#: sssd-ad.5.xml:935
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -10832,7 +10918,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:911
+#: sssd-ad.5.xml:926
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -10844,29 +10930,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:928
+#: sssd-ad.5.xml:943
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:943
+#: sssd-ad.5.xml:958
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:952
+#: sssd-ad.5.xml:967
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:955
+#: sssd-ad.5.xml:970
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:968
+#: sssd-ad.5.xml:983
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -10874,12 +10960,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:978
+#: sssd-ad.5.xml:993
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:981
+#: sssd-ad.5.xml:996
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -10892,57 +10978,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1009
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:998
+#: sssd-ad.5.xml:1013
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1003
+#: sssd-ad.5.xml:1018
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1008
+#: sssd-ad.5.xml:1023
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1013
+#: sssd-ad.5.xml:1028
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1018
+#: sssd-ad.5.xml:1033
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1023
+#: sssd-ad.5.xml:1038
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:1028
+#: sssd-ad.5.xml:1043
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1034
+#: sssd-ad.5.xml:1049
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1040
+#: sssd-ad.5.xml:1055
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1043
+#: sssd-ad.5.xml:1058
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -10950,17 +11036,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1049
+#: sssd-ad.5.xml:1064
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1055
+#: sssd-ad.5.xml:1070
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1058
+#: sssd-ad.5.xml:1073
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expects 2 integers separated by a colon (':'). The first integer "
@@ -10970,17 +11056,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1067
+#: sssd-ad.5.xml:1082
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1073
+#: sssd-ad.5.xml:1088
 msgid "ad_update_samba_machine_account_password (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1076
+#: sssd-ad.5.xml:1091
 msgid ""
 "If enabled, when SSSD renews the machine account password, it will also be "
 "updated in Samba's database. This prevents Samba's copy of the machine "
@@ -10989,12 +11075,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1089
+#: sssd-ad.5.xml:1104
 msgid "ad_use_ldaps (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1092
+#: sssd-ad.5.xml:1107
 msgid ""
 "By default SSSD uses the plain LDAP port 389 and the Global Catalog port "
 "3628. If this option is set to True SSSD will use the LDAPS port 636 and "
@@ -11005,12 +11091,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:1109
+#: sssd-ad.5.xml:1124
 msgid "ad_allow_remote_domain_local_groups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1112
+#: sssd-ad.5.xml:1127
 msgid ""
 "If this option is set to <quote>true</quote> SSSD will not filter out Domain "
 "Local groups from remote domains in the AD forest. By default they are "
@@ -11021,7 +11107,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1122
+#: sssd-ad.5.xml:1137
 msgid ""
 "Please note that setting this option to <quote>true</quote> will be against "
 "the intention of Domain Local group in Active Directory and <emphasis>SHOULD "
@@ -11036,7 +11122,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1138
+#: sssd-ad.5.xml:1153
 msgid ""
 "Given the comments above, if this option is set to <quote>true</quote> the "
 "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</"
@@ -11048,7 +11134,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1161
+#: sssd-ad.5.xml:1176
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -11059,19 +11145,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1191
+#: sssd-ad.5.xml:1206
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1207
+#: sssd-ad.5.xml:1222
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:1220
+#: sssd-ad.5.xml:1235
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -11081,7 +11167,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1365
+#: sssd-ad.5.xml:1380
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -11089,7 +11175,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1372
+#: sssd-ad.5.xml:1387
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -11104,7 +11190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1392
+#: sssd-ad.5.xml:1407
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -11113,7 +11199,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1388
+#: sssd-ad.5.xml:1403
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -11121,7 +11207,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1398
+#: sssd-ad.5.xml:1413
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -11131,7 +11217,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1406
+#: sssd-ad.5.xml:1421
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -16793,32 +16879,43 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:294
-msgid "NT Authority"
+msgid "Mandatory Label Authority"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
 #: include/ldap_id_mapping.xml:295
+msgid "Authentication Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:296
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:297
 msgid "Built-in"
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:297
+#: include/ldap_id_mapping.xml:299
 msgid ""
 "The capitalized version of these names are used as domain names when "
 "returning the fully qualified name of a Well-Known SID."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: include/ldap_id_mapping.xml:301
+#: include/ldap_id_mapping.xml:303
 msgid ""
 "Since some utilities allow to modify SID based access control information "
 "with the help of a name instead of using the SID directly SSSD supports to "
 "look up the SID by the name as well. To avoid collisions only the fully "
 "qualified names can be used to look up Well-Known SIDs. As a result the "
 "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
-"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
-"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
-"names in <filename>sssd.conf</filename>."
+"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, "
+"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</"
+"quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be "
+"used as domain names in <filename>sssd.conf</filename>."
 msgstr ""
 
 #. type: Content of: <varlistentry><term>
@@ -17489,96 +17586,111 @@ msgid ""
 "as the last entry or the only entry in the keytab file."
 msgstr ""
 
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:29
+msgid "Default: false (IPA and AD provider: true)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/krb5_options.xml:32
+msgid ""
+"Please note that the ticket validation is the first step when checking the "
+"PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for "
+"details). If ticket validation is disabled the PAC checks will be skipped as "
+"well."
+msgstr ""
+
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:35
+#: include/krb5_options.xml:44
 msgid "krb5_renewable_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:38
+#: include/krb5_options.xml:47
 msgid ""
 "Request a renewable ticket with a total lifetime, given as an integer "
 "immediately followed by a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:43 include/krb5_options.xml:77
-#: include/krb5_options.xml:114
+#: include/krb5_options.xml:52 include/krb5_options.xml:86
+#: include/krb5_options.xml:123
 msgid "<emphasis>s</emphasis> for seconds"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:46 include/krb5_options.xml:80
-#: include/krb5_options.xml:117
+#: include/krb5_options.xml:55 include/krb5_options.xml:89
+#: include/krb5_options.xml:126
 msgid "<emphasis>m</emphasis> for minutes"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:49 include/krb5_options.xml:83
-#: include/krb5_options.xml:120
+#: include/krb5_options.xml:58 include/krb5_options.xml:92
+#: include/krb5_options.xml:129
 msgid "<emphasis>h</emphasis> for hours"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:52 include/krb5_options.xml:86
-#: include/krb5_options.xml:123
+#: include/krb5_options.xml:61 include/krb5_options.xml:95
+#: include/krb5_options.xml:132
 msgid "<emphasis>d</emphasis> for days."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:55 include/krb5_options.xml:126
+#: include/krb5_options.xml:64 include/krb5_options.xml:135
 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:59 include/krb5_options.xml:130
+#: include/krb5_options.xml:68 include/krb5_options.xml:139
 msgid ""
 "NOTE: It is not possible to mix units.  To set the renewable lifetime to one "
 "and a half hours, use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:64
+#: include/krb5_options.xml:73
 msgid "Default: not set, i.e. the TGT is not renewable"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:70
+#: include/krb5_options.xml:79
 msgid "krb5_lifetime (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:73
+#: include/krb5_options.xml:82
 msgid ""
 "Request ticket with a lifetime, given as an integer immediately followed by "
 "a time unit:"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:89
+#: include/krb5_options.xml:98
 msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:93
+#: include/krb5_options.xml:102
 msgid ""
 "NOTE: It is not possible to mix units.  To set the lifetime to one and a "
 "half hours please use '90m' instead of '1h30m'."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:98
+#: include/krb5_options.xml:107
 msgid ""
 "Default: not set, i.e. the default ticket lifetime configured on the KDC."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><term>
-#: include/krb5_options.xml:105
+#: include/krb5_options.xml:114
 msgid "krb5_renew_interval (string)"
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:108
+#: include/krb5_options.xml:117
 msgid ""
 "The time in seconds between two checks if the TGT should be renewed. TGTs "
 "are renewed if about half of their lifetime is exceeded, given as an integer "
@@ -17586,12 +17698,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:135
+#: include/krb5_options.xml:144
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
 #. type: Content of: <variablelist><varlistentry><listitem><para>
-#: include/krb5_options.xml:148
+#: include/krb5_options.xml:157
 msgid ""
 "Specifies if the host and user principal should be canonicalized. This "
 "feature is available with MIT Kerberos 1.7 and later versions."