diff --git a/po/LINGUAS b/po/LINGUAS index 724bb868bf4..ef829f339a7 100644 --- a/po/LINGUAS +++ b/po/LINGUAS @@ -27,3 +27,4 @@ ko ka lv br +ro diff --git a/po/es.po b/po/es.po index be4e08071d7..f05d4d5e643 100644 --- a/po/es.po +++ b/po/es.po @@ -23,9 +23,8 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" "POT-Creation-Date: 2026-01-14 14:57+0000\n" -"PO-Revision-Date: 2026-04-23 16:39+0000\n" -"Last-Translator: Weblate Translation Memory \n" +"PO-Revision-Date: 2026-05-18 09:00+0000\n" +"Last-Translator: \"Fco. Javier F. Serrador\" \n" "Language-Team: Spanish \n" "Language: es\n" @@ -33,7 +32,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=n != 1;\n" -"X-Generator: Weblate 5.17\n" +"X-Generator: Weblate 2026.5\n" #: src/config/SSSDConfig/sssdoptions.py:20 #: src/config/SSSDConfig/sssdoptions.py:21 @@ -417,7 +416,7 @@ msgstr "" #: src/config/SSSDConfig/sssdoptions.py:113 msgid "Allow passkey device authentication." -msgstr "Permitir la autentificación del dispositivo con clave de acceso." +msgstr "Permitir la autenticación del dispositivo con clave de acceso." #: src/config/SSSDConfig/sssdoptions.py:114 msgid "How many seconds will pam_sss wait for passkey_child to finish" diff --git a/po/fr.po b/po/fr.po index 4f36b648661..ad6c4de2307 100644 --- a/po/fr.po +++ b/po/fr.po @@ -15,13 +15,14 @@ # Transtats , 2022, 2026. # grimst , 2023, 2026. # Léane GRASSER , 2024, 2025, 2026. +# Mattia Sasselli , 2026. msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" "POT-Creation-Date: 2026-01-14 14:57+0000\n" -"PO-Revision-Date: 2026-04-23 17:00+0000\n" -"Last-Translator: Jean-Baptiste Holcroft \n" +"PO-Revision-Date: 2026-06-08 07:01+0000\n" +"Last-Translator: Mattia Sasselli \n" "Language-Team: French \n" "Language: fr\n" 
@@ -29,7 +30,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=n > 1;\n" -"X-Generator: Weblate 5.17\n" +"X-Generator: Weblate 2026.6.1\n" #: src/config/SSSDConfig/sssdoptions.py:20 #: src/config/SSSDConfig/sssdoptions.py:21 @@ -148,8 +149,8 @@ msgid "" "Controls if SSSD should monitor the state of resolv.conf to identify when it " "needs to update its internal DNS resolver." msgstr "" -"Contrôle si le SSSD doit surveiller l'état de resolv.conf pour identifier " -"quand il doit mettre à jour son résolveur DNS interne." +"Contrôle si SSSD doit surveiller l'état de resolv.conf pour identifier quand " +"il doit mettre à jour son résolveur DNS interne." #: src/config/SSSDConfig/sssdoptions.py:50 msgid "" @@ -513,10 +514,10 @@ msgid "" "Matches user names as returned by NSS. I.e. after the possible space " "replacement, case changes, etc." msgstr "" -"Une liste d'utilisateurs, séparés par des virgules, dont l'enregistrement de " -"session devrait être activé. Correspond aux noms d'utilisateurs renvoyés par " -"le NSS. C'est-à-dire après le remplacement éventuel de l'espace, les " -"changements de casse, etc." +"Liste d'utilisateurs, séparés par des virgules, pour lesquels " +"l'enregistrement de session doit être activé. Les noms d'utilisateur doivent " +"correspondre à ceux renvoyés par NSS, c'est-à-dire après les éventuelles " +"modifications d'espaces, de casse, etc." #: src/config/SSSDConfig/sssdoptions.py:150 msgid "" 
@@ -524,10 +525,10 @@ msgid "" "recording enabled. Matches group names as returned by NSS. I.e. after the " "possible space replacement, case changes, etc." msgstr "" -"Une liste de groupes séparés par des virgules, dont les membres doivent " -"avoir l'enregistrement de session activé. Correspond aux noms des groupes " -"renvoyés par le NSS, c-à-d après le remplacement éventuel de l'espace, les " -"changements de cas, etc." +"Liste de groupes, séparés par des virgules, dont les membres doivent avoir " +"l'enregistrement de session activé. Les noms de groupes doivent correspondre " +"à ceux renvoyés par NSS, c'est-à-dire après les éventuelles modifications " +"d'espaces, de casse, etc." #: src/config/SSSDConfig/sssdoptions.py:153 msgid "" @@ -820,11 +821,11 @@ msgid "" "this value determines the minimal length the first authentication factor " "(long term password) must have to be saved as SHA512 hash into the cache." msgstr "" -"Si l'authentification à 2 facteurs (2FA) est utilisée et que les " -"informations d'identification sont sauvegardées, cette valeur détermine la " -"longueur minimale à laquelle le premier facteur d'authentification (mot de " -"passe à long terme) doit être sauvegardé en tant que hachage SHA512 dans le " -"cache." +"Si l'authentification à deux facteurs (2FA) est utilisée et que les " +"informations d'identification doivent être enregistrées, cette valeur " +"détermine la longueur minimale que le premier facteur d'authentification " +"(mot de passe à long terme) doit avoir pour être enregistré sous forme de " +"hachage SHA512 dans le cache." #: src/config/SSSDConfig/sssdoptions.py:230 msgid "Local authentication methods policy " diff --git a/po/id.po b/po/id.po index 05dd4f0218b..ca9da4d77d1 100644 --- a/po/id.po +++ b/po/id.po 
@@ -3,13 +3,14 @@ # This file is distributed under the same license as the PACKAGE package. # # Translators: +# Glenn Mandagi , 2026. msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" "POT-Creation-Date: 2026-01-14 14:57+0000\n" -"PO-Revision-Date: 2026-04-23 16:47+0000\n" -"Last-Translator: Anonymous \n" +"PO-Revision-Date: 2026-05-08 05:45+0000\n" +"Last-Translator: Glenn Mandagi \n" "Language-Team: Indonesian \n" "Language: id\n" @@ -17,7 +18,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0;\n" -"X-Generator: Weblate 5.17\n" +"X-Generator: Weblate 5.17.1\n" #: src/config/SSSDConfig/sssdoptions.py:20 #: src/config/SSSDConfig/sssdoptions.py:21 @@ -30,11 +31,11 @@ msgstr "Sertakan cap waktu di pencatatan debug" #: src/config/SSSDConfig/sssdoptions.py:23 msgid "Include microseconds in timestamps in debug logs" -msgstr "" +msgstr "Sertakan mikrosekon dalam timestamp di log debug." #: src/config/SSSDConfig/sssdoptions.py:24 msgid "Enable/disable debug backtrace" -msgstr "" +msgstr "Aktifkan/nonaktifkan debug backtrace" #: src/config/SSSDConfig/sssdoptions.py:25 msgid "Watchdog timeout before restarting service" diff --git a/po/ro.po b/po/ro.po new file mode 100644 index 00000000000..c0a44168316 --- /dev/null +++ b/po/ro.po 
@@ -0,0 +1,3242 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Red Hat, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+# Petru Rebeja , 2026.
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+"POT-Creation-Date: 2026-01-14 14:57+0000\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: Automatically generated\n"
+"Language-Team: none\n"
+"Language: ro\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=3; plural=n==1 ? 0 : (n==0 || (n%100 > 0 && n%100 < "
+"20)) ? 1 : 2;\n"
+
+#: src/config/SSSDConfig/sssdoptions.py:20
+#: src/config/SSSDConfig/sssdoptions.py:21
+msgid "Set the verbosity of the debug logging"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:22
+msgid "Include timestamps in debug logs"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:23
+msgid "Include microseconds in timestamps in debug logs"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:24
+msgid "Enable/disable debug backtrace"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:25
+msgid "Watchdog timeout before restarting service"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:26
+msgid "Command to start service"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:27
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:28
+msgid "Idle time before automatic disconnection of a client"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:29
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:30
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:31
+msgid ""
+"When SSSD switches to offline mode the amount of time before it tries to go "
+"back online 
will increase based upon the time spent disconnected. This value "
+"is in seconds and calculated by the following: offline_timeout + "
+"random_offset."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:36
+msgid "SSSD Services to start"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:37
+msgid "SSSD Domains to start"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:38
+msgid "Regex to parse username and domain"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:39
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:40
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:41
+msgid "Domain to add to names without a domain component."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:42
+msgid "The user to drop privileges to"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:43
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:44
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:45
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:46
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:47
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:48
+msgid ""
+"Controls if SSSD should monitor the state of resolv.conf to identify when it "
+"needs to update its internal DNS resolver."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:50
+msgid ""
+"SSSD monitors the state of resolv.conf to identify when it needs to update "
+"its internal DNS resolver. 
By default, we will attempt to use inotify for "
+"this, and will fall back to polling resolv.conf every five seconds if "
+"inotify cannot be used."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:53
+msgid "Run PAC responder automatically for AD and IPA provider"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:54
+msgid "Enable or disable core dumps for all SSSD processes."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:55
+msgid "Tune passkey verification behavior"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:58
+msgid "Enumeration cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:59
+msgid "Entry cache background update timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:60
+#: src/config/SSSDConfig/sssdoptions.py:125
+msgid "Negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:61
+msgid "Users that SSSD should explicitly ignore"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:62
+msgid "Groups that SSSD should explicitly ignore"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:63
+msgid "Should filtered users appear in groups"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:64
+msgid "The value of the password field the NSS provider should return"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:65
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:66
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:67
+msgid "Override shell value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:68
+msgid "The list of shells users are allowed to log in with"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:69
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:70
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:71
+msgid "Shell to use if the provider does not list one"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:72
+msgid "How long will be in-memory cache records valid"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:74
+msgid ""
+"Size (in megabytes) of the data table allocated inside fast in-memory cache "
+"for passwd requests"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:76
+msgid ""
+"Size (in megabytes) of the data table allocated inside fast in-memory cache "
+"for group requests"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:78
+msgid ""
+"Size (in megabytes) of the data table allocated inside fast in-memory cache "
+"for initgroups requests"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:79
+msgid ""
+"The value of this option will be used in the expansion of the "
+"override_homedir option if the template contains the format string %H."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:81
+msgid ""
+"Specifies time in seconds for which the list of subdomains will be "
+"considered valid."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:83
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:88
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:89
+msgid "How many failed logins attempts are allowed when offline"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:91
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:92
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:93
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:94
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:95
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:96
+msgid "List of trusted uids or user's name"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:97
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:98
+msgid "Message printed when user account is expired."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:99
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:100
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:101
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:102
+msgid "Tune certificate verification for PAM authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:103
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:104
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:105
+msgid "Allowed services for using smartcards"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:106
+msgid "Additional timeout to wait for a card if requested"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:107
+msgid ""
+"PKCS#11 URI to restrict the selection of devices for Smartcard authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:108
+msgid "When shall the PAM responder force an initgroups request"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:109
+msgid "List of PAM services that are allowed to authenticate with GSSAPI."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:110
+msgid "Whether to match authenticated UPN with target user"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:111
+msgid ""
+"List of pairs : that must be enforced "
+"for PAM access with GSSAPI authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:113
+msgid "Allow passkey device authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:114
+msgid "How many seconds will pam_sss wait for passkey_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:115
+msgid "Enable debugging in the libfido2 library"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:116
+msgid "Enable JSON protocol for authentication methods selection."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:119
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:120
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:121
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:128
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:129
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:131
+msgid "Path to storage of trusted CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:132
+msgid "Allow to generate ssh-keys from certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:133
+msgid ""
+"Use the following matching rules to filter the certificates for ssh-key "
+"generation"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:137
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:138
+msgid "How long the PAC data is considered valid"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:139
+msgid "Validate the PAC"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:142
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:145
+msgid ""
+"One of the following strings specifying the scope of session recording: none "
+"- No users are recorded. some - Users/groups specified by users and groups "
+"options are recorded. all - All users are recorded."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:148
+msgid ""
+"A comma-separated list of users which should have session recording enabled. 
"
+"Matches user names as returned by NSS. I.e. after the possible space "
+"replacement, case changes, etc."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:150
+msgid ""
+"A comma-separated list of groups, members of which should have session "
+"recording enabled. Matches group names as returned by NSS. I.e. after the "
+"possible space replacement, case changes, etc."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:153
+msgid ""
+"A comma-separated list of users to be excluded from recording, only when "
+"scope=all"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:154
+msgid ""
+"A comma-separated list of groups, members of which should be excluded from "
+"recording, only when scope=all. "
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:158
+msgid "Identity provider"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:159
+msgid "Authentication provider"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:160
+msgid "Access control provider"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:161
+msgid "Password change provider"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:162
+msgid "SUDO provider"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:163
+msgid "Autofs provider"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:164
+msgid "Host identity provider"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:165
+msgid "SELinux provider"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:166
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:167
+msgid "Resolver provider"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:170
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:171
+msgid "Enable or disable the domain"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:172
+msgid "Minimum user ID"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:173
+msgid "Maximum user ID"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:174
+msgid "Enable enumerating all users/groups"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:175
+msgid "Cache credentials for offline login"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:176
+msgid "Display users/groups in fully-qualified form"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:177
+msgid "Don't include group members in group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:178
+#: src/config/SSSDConfig/sssdoptions.py:190
+#: src/config/SSSDConfig/sssdoptions.py:191
+#: src/config/SSSDConfig/sssdoptions.py:192
+#: src/config/SSSDConfig/sssdoptions.py:193
+#: src/config/SSSDConfig/sssdoptions.py:194
+#: src/config/SSSDConfig/sssdoptions.py:195
+#: src/config/SSSDConfig/sssdoptions.py:196
+msgid "Entry cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:179
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:180
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:181
+msgid ""
+"How long should SSSD talk to single DNS server before trying next server "
+"(miliseconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:183
+msgid "How long should keep trying to resolve single DNS query (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:184
+msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:185
+msgid "The domain part of service discovery DNS query"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:186
+msgid ""
+"Specifies the interval, in seconds, that SSSD waits before attempting to "
+"reconnect to the primary server after a successful connection to the backup "
+"server"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:188
+msgid "Override GID value from the identity 
provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:189
+msgid "Treat usernames as case sensitive"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:197
+msgid "How often should expired entries be refreshed in background"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:198
+msgid "Maximum period deviation when refreshing expired entries in background"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:199
+msgid "Whether to automatically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:200
+msgid ""
+"Whether DNS update of A and AAAA record should be performed in one update or "
+"in two separate updates"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:202
+msgid "The TTL to apply to the client's DNS entry after updating it"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:203
+msgid "The interface whose IP should be used for dynamic DNS updates"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:204
+msgid "The list of IP addresses that should be used for dynamic DNS updates"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:205
+msgid "How often to periodically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:206
+msgid "Maximum period deviation when updating the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:207
+msgid "Whether the provider should explicitly update the PTR record as well"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:208
+msgid "Whether the nsupdate utility should default to using TCP"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:209
+msgid "What kind of authentication should be used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:210
+msgid "Override the DNS server used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:211
+msgid "The file of the certificate authorities certificates for DoT"
+msgstr ""
+
+#: 
src/config/SSSDConfig/sssdoptions.py:212
+msgid "The certificate(s) file for authentication for the DoT transport"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:213
+msgid "The key file for authenticated encryption for the DoT transport"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:214
+msgid "How often should subdomains list be refreshed"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:215
+msgid "Maximum period deviation when refreshing the subdomain list"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:216
+msgid "List of options that should be inherited into a subdomain"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:217
+msgid "Default subdomain homedir value"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:218
+msgid "How long can cached credentials be used for cached authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:219
+msgid "Whether to automatically create private groups for users"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:220
+msgid "Display a warning N days before the password expires."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:221
+msgid ""
+"Various tags stored by the realmd configuration service for this domain."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:222
+msgid ""
+"The provider which should handle fetching of subdomains. This value should "
+"be always the same as id_provider."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:224
+msgid ""
+"How many seconds to keep a host ssh key after refresh. IE how long to cache "
+"the host key for."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:226
+msgid ""
+"If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+"this value determines the minimal length the first authentication factor "
+"(long term password) must have to be saved as SHA512 hash into the cache."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:230
+msgid "Local authentication methods policy "
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:233
+msgid "IPA domain"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:234
+msgid "IPA server address"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:235
+msgid "Address of backup IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:236
+msgid "IPA client hostname"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:237
+msgid "Search base for HBAC related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:238
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:239
+msgid ""
+"The amount of time in seconds between lookups of the SELinux maps against "
+"the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:241
+msgid "If set to false, host argument given by PAM will be ignored"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:242
+msgid "The automounter location this IPA client is using"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:243
+msgid "Search base for object containing info about IPA domain"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:244
+msgid "Search base for objects containing info about ID ranges"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:245
+msgid "Search base for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:246
+msgid "Objectclass for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:247
+msgid "Attribute with the name of the view"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:248
+msgid "Objectclass for override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:249
+msgid "Attribute with the reference to the original object"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:250
+msgid "Objectclass for user override objects"
+msgstr ""
+
+#: 
src/config/SSSDConfig/sssdoptions.py:251
+msgid "Objectclass for group override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:252
+msgid "Search base for Desktop Profile related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:253
+msgid ""
+"The amount of time in seconds between lookups of the Desktop Profile rules "
+"against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:255
+msgid ""
+"The amount of time in minutes between lookups of Desktop Profiles rules "
+"against the IPA server when the last request did not find any rule"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:258
+#: src/config/SSSDConfig/sssdoptions.py:455
+msgid "Search base for SUBID ranges"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:259
+#: src/config/SSSDConfig/sssdoptions.py:506
+msgid "Which rules should be used to evaluate access control"
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:260
+msgid "The LDAP attribute that contains FQDN of the host."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:261
+#: src/config/SSSDConfig/sssdoptions.py:284
+msgid "The object class of a host entry in LDAP."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:262
+msgid "Use the given string as search base for host objects."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:263
+msgid "The LDAP attribute that contains the host's SSH public keys."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:264
+msgid "The LDAP attribute that contains NIS domain name of the netgroup."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:265
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:266
+msgid ""
+"The LDAP attribute that lists FQDNs of hosts and host groups that are "
+"members of the netgroup."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:268
+msgid ""
+"The LDAP attribute that lists hosts and host groups that are direct members "
+"of the netgroup."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:270
+msgid "The LDAP attribute that lists netgroup's memberships."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:271
+msgid ""
+"The LDAP attribute that lists system users and groups that are direct "
+"members of the netgroup."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:273
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:274
+msgid "The object class of a netgroup entry in LDAP."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:275
+msgid ""
+"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:276
+msgid ""
+"The LDAP attribute that contains whether or not is user map enabled for "
+"usage."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:278
+msgid "The LDAP attribute that contains host category such as 'all'."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:279
+msgid ""
+"The LDAP attribute that contains all hosts / hostgroups this rule match "
+"against."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:281
+msgid ""
+"The LDAP attribute that contains all users / groups this rule match against."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:283
+msgid "The LDAP attribute that contains the name of SELinux usermap."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:285
+msgid ""
+"The LDAP attribute that contains DN of HBAC rule which can be used for "
+"matching instead of memberUser and memberHost."
+msgstr ""
+
+#: src/config/SSSDConfig/sssdoptions.py:287
+msgid "The LDAP attribute that contains SELinux user string itself."
+msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:288 +msgid "The LDAP attribute that contains user category such as 'all'." +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:289 +msgid "The LDAP attribute that contains unique ID of the user map." +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:290 +msgid "" +"The option denotes that the SSSD is running on IPA server and should perform " +"lookups of users and groups from trusted domains differently." +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:292 +msgid "Use the given string as search base for trusted domains." +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:295 +msgid "Active Directory domain" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:296 +msgid "Enabled Active Directory domains" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:297 +msgid "Active Directory server address" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:298 +msgid "Active Directory backup server address" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:299 +msgid "Active Directory client hostname" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:300 +msgid "Enable DNS sites - location based service discovery" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:301 +#: src/config/SSSDConfig/sssdoptions.py:504 +msgid "LDAP filter to determine access privileges" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:302 +msgid "Whether to use the Global Catalog for lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:303 +msgid "Operation mode for GPO-based access control" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:304 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:305 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:307 +msgid "" +"PAM service names that map 
to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:309 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:310 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:311 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:312 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:313 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:314 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:315 +msgid "a particular site to be used by the client" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:316 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:318 +msgid "Option for tuning the machine account renewal task" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:319 +msgid "Whether to update the machine account password in the Samba database" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:321 +msgid "Use LDAPS port for LDAP and Global Catalog requests" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:324 +#: src/config/SSSDConfig/sssdoptions.py:325 +msgid "Kerberos server address" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:326 +msgid "Kerberos backup server address" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:327 +msgid "Kerberos realm" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:328 +msgid "Authentication timeout" +msgstr "" + +#: 
src/config/SSSDConfig/sssdoptions.py:329 +msgid "Whether to create kdcinfo files" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:330 +msgid "Where to drop krb5 config snippets" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:333 +msgid "Directory to store credential caches" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:334 +msgid "Location of the user's credential cache" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:335 +msgid "Location of the keytab to validate credentials" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:336 +msgid "Enable credential validation" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:337 +msgid "Store password if offline for later online authentication" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:338 +msgid "Renewable lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:339 +msgid "Lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:340 +msgid "Time between two checks for renewal" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:341 +msgid "Enables FAST" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:342 +msgid "Selects the principal to use for FAST" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:343 +msgid "Use anonymous PKINIT to request FAST credentials" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:344 +msgid "Enables principal canonicalization" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:345 +msgid "Enables enterprise principals" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:346 +msgid "Enables using of subdomains realms for authentication" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:347 +msgid "A mapping from user names to Kerberos principal names" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:350 +#: src/config/SSSDConfig/sssdoptions.py:351 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:354 
+msgid "ldap_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:355 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:356 +msgid "The default base DN" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:357 +msgid "How to read rootDSE from LDAP server" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:358 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:359 +msgid "Mode used to change user password" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:360 +msgid "The default bind DN" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:361 +msgid "The type of the authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:362 +msgid "The authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:363 +msgid "Length of time to attempt connection" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:364 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:365 +msgid "Length of time between attempts to reconnect while offline" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:366 +msgid "Use only the upper case for realm names" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:367 +msgid "File that contains CA certificates" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:368 +msgid "Path to CA certificate directory" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:369 +msgid "File that contains the client certificate" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:370 +msgid "File that contains the client key" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:371 +msgid "List of possible ciphers suites" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:372 +msgid "Require TLS certificate verification" +msgstr "" + +#: 
src/config/SSSDConfig/sssdoptions.py:373 +msgid "Specify the sasl mechanism to use" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:374 +msgid "Specify the sasl authorization id to use" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:375 +msgid "Specify the sasl authorization realm to use" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:376 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:377 +msgid "Specify the maximal SSF for LDAP sasl authorization" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:378 +msgid "Kerberos service keytab" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:379 +msgid "Use Kerberos auth for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:380 +msgid "Follow LDAP referrals" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:381 +msgid "Lifetime of TGT for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:382 +msgid "How to dereference aliases" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:383 +msgid "Service name for DNS service lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:384 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:385 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:386 +msgid "Ignore unreadable LDAP references" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:387 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:389 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." 
+msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:392 +msgid "entryUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:393 +msgid "lastUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:395 +msgid "How long to retain a connection to the LDAP server before disconnecting" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:398 +msgid "Disable the LDAP paging control" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:399 +msgid "Disable Active Directory range retrieval" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:400 +msgid "Use the ppolicy extension" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:401 +msgid "" +"Force a password change when remaining grace logins reach or go below this " +"threshold" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:404 +msgid "Length of time to wait for a search request" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:405 +msgid "Length of time to wait for a enumeration request" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:406 +msgid "Length of time between enumeration updates" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:407 +msgid "Maximum period deviation between enumeration updates" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:408 +msgid "Length of time between cache cleanups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:409 +msgid "Maximum time deviation between cache cleanups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:410 +msgid "Require TLS for ID lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:411 +msgid "Use ID-mapping of objectSID instead of pre-set IDs" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:412 +msgid "Base DN for user lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:413 +msgid "Scope of user lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:414 +msgid "Filter for user lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:415 +msgid 
"Objectclass for users" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:416 +msgid "Username attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:417 +msgid "UID attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:418 +msgid "Primary GID attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:419 +msgid "GECOS attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:420 +msgid "Home directory attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:421 +msgid "Shell attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:422 +msgid "UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:423 +#: src/config/SSSDConfig/sssdoptions.py:464 +msgid "objectSID attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:424 +msgid "Active Directory primary group attribute for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:425 +msgid "User principal attribute (for Kerberos)" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:426 +msgid "Full Name" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:427 +msgid "memberOf attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:428 +msgid "Modification time attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:429 +msgid "shadowLastChange attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:430 +msgid "shadowMin attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:431 +msgid "shadowMax attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:432 +msgid "shadowWarning attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:433 +msgid "shadowInactive attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:434 +msgid "shadowExpire attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:435 +msgid "shadowFlag attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:436 +msgid "Attribute listing authorized PAM services" +msgstr "" + +#: 
src/config/SSSDConfig/sssdoptions.py:437 +msgid "Attribute listing authorized server hosts" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:438 +msgid "Attribute listing authorized server rhosts" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:439 +msgid "krbLastPwdChange attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:440 +msgid "krbPasswordExpiration attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:441 +msgid "Attribute indicating that server side password policies are active" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:442 +msgid "accountExpires attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:443 +msgid "userAccountControl attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:444 +msgid "nsAccountLock attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:445 +msgid "loginDisabled attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:446 +msgid "loginExpirationTime attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:447 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:448 +msgid "SSH public key attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:449 +msgid "attribute listing allowed authentication types for a user" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:450 +msgid "attribute containing the X509 certificate of the user" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:451 +msgid "attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:452 +msgid "attribute containing the passkey mapping data of the user" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:453 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:457 +msgid "Base DN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:458 +msgid 
"Objectclass for groups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:459 +msgid "Group name" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:460 +msgid "Group password" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:461 +msgid "GID attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:462 +msgid "Group member attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:463 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:465 +msgid "Modification time attribute for groups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:466 +msgid "Type of the group and other flags" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:467 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:468 +msgid "Maximum nesting level SSSD will follow" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:469 +msgid "Filter for group lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:470 +msgid "Scope of group lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:472 +msgid "Base DN for netgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:473 +msgid "Objectclass for netgroups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:474 +msgid "Netgroup name" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:475 +msgid "Netgroups members attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:476 +msgid "Netgroup triple attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:477 +msgid "Modification time attribute for netgroups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:479 +msgid "Base DN for service lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:480 +msgid "Objectclass for services" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:481 +msgid "Service name attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:482 +msgid "Service port attribute" +msgstr "" + +#: 
src/config/SSSDConfig/sssdoptions.py:483 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:485 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:486 +msgid "Upper bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:487 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:488 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:489 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:490 +msgid "SID of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:491 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:493 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:494 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:495 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:496 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:497 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:498 +msgid "Set libldap debug level" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:501 +msgid "Policy to evaluate the password expiration" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:505 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:509 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:510 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: 
src/config/SSSDConfig/sssdoptions.py:511 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:512 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:516 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:517 +msgid "Automatic full refresh period" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:518 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:519 +msgid "Smart and full refresh random offset" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:520 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:521 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:522 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:523 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:524 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:525 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:526 +msgid "Name of attribute that is used as object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:527 +msgid "Sudo rule name" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:528 +msgid "Sudo rule command attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:529 +msgid "Sudo rule host attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:530 +msgid "Sudo rule user attribute" +msgstr "" + +#: 
src/config/SSSDConfig/sssdoptions.py:531 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:532 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:533 +msgid "Sudo rule runasuser attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:534 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:535 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:536 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:537 +msgid "Sudo rule order attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:540 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:541 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:542 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:543 +msgid "Automounter map entry key attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:544 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:545 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:546 +msgid "The name of the automount master map in LDAP." 
+msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:549 +msgid "Base DN for IP hosts lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:550 +msgid "Object class for IP hosts" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:551 +msgid "IP host name attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:552 +msgid "IP host number (address) attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:553 +msgid "IP host entryUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:554 +msgid "Base DN for IP networks lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:555 +msgid "Object class for IP networks" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:556 +msgid "IP network name attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:557 +msgid "IP network number (address) attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:558 +msgid "IP network entryUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:561 +msgid "Comma separated list of allowed users" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:562 +msgid "Comma separated list of prohibited users" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:563 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:565 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:569 +msgid "The number of preforked proxy children." 
+msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:572 +msgid "The name of the NSS library to use" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:573 +msgid "The name of the NSS library to use for hosts and networks lookups" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:574 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:577 +msgid "PAM stack to use" +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:580 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/sssdoptions.py:581 +msgid "Path of group file sources." +msgstr "" + +#: src/monitor/monitor.c:1757 +msgid "Become a daemon (default)" +msgstr "" + +#: src/monitor/monitor.c:1759 +msgid "Run interactive (not a daemon)" +msgstr "" + +#: src/monitor/monitor.c:1761 +msgid "Print version number and exit" +msgstr "" + +#: src/monitor/monitor.c:1772 +#, c-format +msgid "" +"\n" +"Invalid option %s: %s\n" +"\n" +msgstr "" + +#: src/monitor/monitor.c:1794 +msgid "Option -i|--interactive is not allowed together with -D|--daemon\n" +msgstr "" + +#: src/monitor/monitor.c:1836 +msgid "Failed to get initial capabilities\n" +msgstr "" + +#: src/monitor/monitor.c:1847 +msgid "Non-root service user support isn't built. 
Can't run under %" +msgstr "" + +#: src/monitor/monitor.c:1864 +#, c-format +msgid "Can't read config: '%s'\n" +msgstr "" + +#: src/monitor/monitor.c:1876 +#, c-format +msgid "Failed to boostrap SSSD 'monitor' process: %s" +msgstr "" + +#: src/monitor/monitor.c:1971 +msgid "Out of memory\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:4221 +msgid "Use anonymous PKINIT to request FAST armor ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:4223 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:4225 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:4227 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:4229 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:4232 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:4234 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:4236 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/krb5/krb5_child.c:4238 +msgid "Check PAC flags" +msgstr "" + +#: src/providers/data_provider_be.c:790 +msgid "Domain of the information provider (mandatory)" +msgstr "" + +#: src/sss_client/common.c:1165 +msgid "Socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1168 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1171 +msgid "SSSD is not run by trusted user." +msgstr "" + +#: src/sss_client/common.c:1174 +msgid "SSSD socket does not exist." +msgstr "" + +#: src/sss_client/common.c:1177 +msgid "Cannot get stat of SSSD socket." +msgstr "" + +#: src/sss_client/common.c:1182 +msgid "An error occurred, but no description can be found." 
+msgstr "" + +#: src/sss_client/common.c:1188 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:74 +msgid "Permission denied. " +msgstr "" + +#: src/sss_client/pam_sss.c:75 src/sss_client/pam_sss.c:843 +#: src/sss_client/pam_sss.c:854 +msgid "Server message: " +msgstr "" + +#: src/sss_client/pam_sss.c:76 +msgid "" +"Kerberos TGT will not be granted upon login, user experience will be " +"affected." +msgstr "" + +#: src/sss_client/pam_sss.c:77 +msgid "Enter PIN:" +msgstr "" + +#: src/sss_client/pam_sss.c:320 +msgid "Passwords do not match" +msgstr "" + +#: src/sss_client/pam_sss.c:508 +msgid "Password reset by root is not supported." +msgstr "" + +#: src/sss_client/pam_sss.c:549 +msgid "Authenticated with cached credentials" +msgstr "" + +#: src/sss_client/pam_sss.c:550 +msgid ", your cached password will expire at: " +msgstr "" + +#: src/sss_client/pam_sss.c:580 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:630 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:633 +#, c-format +msgid "Your password has expired." +msgstr "" + +#: src/sss_client/pam_sss.c:684 +msgid "Authentication is denied until: " +msgstr "" + +#: src/sss_client/pam_sss.c:705 +msgid "System is offline, password change not possible" +msgstr "" + +#: src/sss_client/pam_sss.c:720 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:735 +msgid "PIN locked" +msgstr "" + +#: src/sss_client/pam_sss.c:750 +msgid "" +"No Kerberos TGT granted as the server does not support this method. Your " +"single-sign on(SSO) experience will be affected." +msgstr "" + +#: src/sss_client/pam_sss.c:840 src/sss_client/pam_sss.c:853 +msgid "Password change failed. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:1859 +#, c-format +msgid "Authenticate at %1$s and press ENTER." +msgstr "" + +#: src/sss_client/pam_sss.c:1862 +#, c-format +msgid "Authenticate with PIN %1$s at %2$s and press ENTER." +msgstr "" + +#: src/sss_client/pam_sss.c:2281 +msgid "Please (re)insert (different) Smartcard" +msgstr "" + +#: src/sss_client/pam_sss.c:2482 +msgid "New Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2483 +msgid "Reenter new Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2676 src/sss_client/pam_sss.c:2679 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2677 src/sss_client/pam_sss.c:2851 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2680 src/sss_client/pam_sss.c:2855 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2684 +msgid "Insert your passkey device, then press ENTER." +msgstr "" + +#: src/sss_client/pam_sss.c:2688 src/sss_client/pam_sss.c:2696 +msgid "Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2850 src/sss_client/pam_sss.c:2854 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2874 +msgid "Current Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:3248 +msgid "Password expired. Change your password now." 
+msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 src/tools/sss_cache.c:707 +msgid "The debug level to run with" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +msgid "The SSSD domain to use" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_cache.c:753 +msgid "Error setting the locale\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking up public keys\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:27 +msgid "" +"\n" +"******************************************************************************\n" +"Your system is configured to use the obsolete tool sss_ssh_knownhostsproxy.\n" +"Please read the sss_ssh_knownhosts(1) man page to learn about its " +"replacement.\n" +"******************************************************************************\n" +"\n" +msgstr "" + +#: src/tools/sss_cache.c:229 +msgid "No cache object matched the specified search\n" +msgstr "" + +#: src/tools/sss_cache.c:520 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:527 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:653 +msgid "Can't find configuration db, was SSSD configured and run?\n" +msgstr "" + +#: src/tools/sss_cache.c:709 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:711 +msgid "Invalidate particular user" +msgstr "" + +#: src/tools/sss_cache.c:713 +msgid "Invalidate all users" +msgstr "" + +#: src/tools/sss_cache.c:715 +msgid "Invalidate particular group" +msgstr "" + +#: src/tools/sss_cache.c:717 +msgid "Invalidate all groups" +msgstr "" + +#: src/tools/sss_cache.c:719 +msgid "Invalidate particular netgroup" +msgstr "" + +#: src/tools/sss_cache.c:721 +msgid "Invalidate 
all netgroups" +msgstr "" + +#: src/tools/sss_cache.c:723 +msgid "Invalidate particular service" +msgstr "" + +#: src/tools/sss_cache.c:725 +msgid "Invalidate all services" +msgstr "" + +#: src/tools/sss_cache.c:728 +msgid "Invalidate particular autofs map" +msgstr "" + +#: src/tools/sss_cache.c:730 +msgid "Invalidate all autofs maps" +msgstr "" + +#: src/tools/sss_cache.c:734 +msgid "Invalidate particular SSH host" +msgstr "" + +#: src/tools/sss_cache.c:736 +msgid "Invalidate all SSH hosts" +msgstr "" + +#: src/tools/sss_cache.c:740 +msgid "Invalidate particular sudo rule" +msgstr "" + +#: src/tools/sss_cache.c:742 +msgid "Invalidate all cached sudo rules" +msgstr "" + +#: src/tools/sss_cache.c:745 +msgid "Only invalidate entries from a particular domain" +msgstr "" + +#: src/tools/sss_cache.c:799 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" + +#: src/tools/sss_cache.c:809 +msgid "Please select at least one object to invalidate\n" +msgstr "" + +#: src/tools/sss_cache.c:892 +#, c-format +msgid "" +"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" + +#: src/tools/sss_cache.c:897 +msgid "Could not open available domains\n" +msgstr "" + +#: src/tools/tools_util.h:36 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "" + +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." 
+msgstr "" + +#: src/tools/sssctl/sssctl.c:78 +msgid "Unable to read user input\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:151 src/tools/sssctl/sssctl.c:161 +msgid "Error while executing external command\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:165 +#, c-format +msgid "Error while executing external command '%s'\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:168 +#, c-format +msgid "Command '%s' failed with [%d]\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:215 +msgid "SSSD needs to be running. Start SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:254 +msgid "SSSD must not be running. Stop SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:290 +msgid "SSSD needs to be restarted. Restart SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:322 +msgid "SSSD Status:" +msgstr "" + +#: src/tools/sssctl/sssctl.c:323 +msgid "List available domains" +msgstr "" + +#: src/tools/sssctl/sssctl.c:324 +msgid "Print information about domain" +msgstr "" + +#: src/tools/sssctl/sssctl.c:325 +msgid "Print information about a user and check authentication" +msgstr "" + +#: src/tools/sssctl/sssctl.c:326 +msgid "Generate access report for a domain" +msgstr "" + +#: src/tools/sssctl/sssctl.c:327 +msgid "Information about cached content:" +msgstr "" + +#: src/tools/sssctl/sssctl.c:328 +msgid "Information about cached user" +msgstr "" + +#: src/tools/sssctl/sssctl.c:329 +msgid "Information about cached group" +msgstr "" + +#: src/tools/sssctl/sssctl.c:330 +msgid "Information about cached netgroup" +msgstr "" + +#: src/tools/sssctl/sssctl.c:331 +msgid "Local data tools:" +msgstr "" + +#: src/tools/sssctl/sssctl.c:332 +msgid "Backup local data" +msgstr "" + +#: src/tools/sssctl/sssctl.c:333 +msgid "Restore local data from backup" +msgstr "" + +#: src/tools/sssctl/sssctl.c:334 +msgid "Backup local data and remove cached content" +msgstr "" + +#: 
src/tools/sssctl/sssctl.c:335 +msgid "Invalidate cached objects" +msgstr "" + +#: src/tools/sssctl/sssctl.c:336 +msgid "Manage cache indexes" +msgstr "" + +#: src/tools/sssctl/sssctl.c:337 +msgid "Log files tools:" +msgstr "" + +#: src/tools/sssctl/sssctl.c:338 +msgid "Remove existing SSSD log files" +msgstr "" + +#: src/tools/sssctl/sssctl.c:339 +msgid "Archive SSSD log files in tarball" +msgstr "" + +#: src/tools/sssctl/sssctl.c:340 +msgid "Change or print information about SSSD debug level" +msgstr "" + +#: src/tools/sssctl/sssctl.c:341 +msgid "Analyze logged data" +msgstr "" + +#: src/tools/sssctl/sssctl.c:342 +msgid "Configuration files tools:" +msgstr "" + +#: src/tools/sssctl/sssctl.c:343 +msgid "Perform static analysis of SSSD configuration" +msgstr "" + +#: src/tools/sssctl/sssctl.c:344 +msgid "Certificate related tools:" +msgstr "" + +#: src/tools/sssctl/sssctl.c:345 +msgid "Print information about the certificate" +msgstr "" + +#: src/tools/sssctl/sssctl.c:346 +msgid "Show users mapped to the certificate" +msgstr "" + +#: src/tools/sssctl/sssctl.c:347 +msgid "Check mapping and matching rule with a certificate" +msgstr "" + +#: src/tools/sssctl/sssctl.c:348 +msgid "GPOs related tools:" +msgstr "" + +#: src/tools/sssctl/sssctl.c:349 +msgid "Information about cached GPO" +msgstr "" + +#: src/tools/sssctl/sssctl.c:350 +msgid "Enumerate cached GPOs" +msgstr "" + +#: src/tools/sssctl/sssctl.c:351 +msgid "Remove cached GPO" +msgstr "" + +#: src/tools/sssctl/sssctl.c:352 +msgid "Remove all cached GPOs" +msgstr "" + +#: src/tools/sssctl/sssctl.c:354 +msgid "Passkey related tools:" +msgstr "" + +#: src/tools/sssctl/sssctl.c:355 +msgid "Perform passkey registration" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:31 +#, c-format +msgid " %s is not present in cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:33 +msgid "Name" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:34 +msgid "Cache entry creation date" +msgstr "" + +#: 
src/tools/sssctl/sssctl_cache.c:35 +msgid "Cache entry last update time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:36 +msgid "Cache entry expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:37 +msgid "Cached in InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:38 +msgid "Policy Name" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:39 +msgid "Policy GUID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:40 +msgid "Policy Path" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:41 +msgid "Policy file timeout" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:42 +msgid "Policy version" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:556 +#, c-format +msgid "Error: Unable to get object [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:572 src/tools/sssctl/sssctl_cache.c:927 +#, c-format +msgid "%s: Unable to read value [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:602 +msgid "Specify name." +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:612 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:641 src/tools/sssctl/sssctl_cache.c:688 +msgid "Search by SID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:642 +msgid "Search by user ID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:651 +msgid "Initgroups expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:689 +msgid "Search by group ID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:778 src/tools/sssctl/sssctl_cache.c:1126 +msgid "Search by GPO guid" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:785 src/tools/sssctl/sssctl_cache.c:1143 +#, c-format +msgid "Failed to parse command line: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:790 src/tools/sssctl/sssctl_cache.c:1148 +#, c-format +msgid "%s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:803 +#, c-format +msgid "Failed to print object: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:835 src/tools/sssctl/sssctl_cache.c:918 +#: 
src/tools/sssctl/sssctl_cache.c:950 src/tools/sssctl/sssctl_cache.c:956 +#: src/tools/sssctl/sssctl_cache.c:1010 src/tools/sssctl/sssctl_cache.c:1034 +#: src/tools/sssctl/sssctl_cache.c:1085 src/tools/sssctl/sssctl_cache.c:1194 +#: src/tools/sssctl/sssctl_cache.c:1229 src/tools/sssctl/sssctl_cache.c:1235 +#: src/tools/sssctl/sssctl_cache.c:1244 +msgid "talloc failed\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:841 +msgid "Unable to get attribute list!\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:848 +msgid "Unable to create filter\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:861 +#, c-format +msgid "%s [%s]:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:866 +msgid "Unable to get GPOs base DN\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:876 +#, c-format +msgid "Unable to search sysdb: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:882 +#, c-format +msgid "Unable to convert message to sysdb attrs: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:931 +#, c-format +msgid "\t%s: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:933 src/tools/sssctl/sssctl_logs.c:50 +msgid "\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:1016 +msgid "Could not find GUID attribute from GPO entry\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:1023 +msgid "Could not find description attribute from GPO entry\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:1047 +msgid "Could not delete GPO entry from cache\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:1053 +#, c-format +msgid "" +"The GPO path was not yet stored in cache. 
Please remove files manually from " +"[%s]\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:1062 src/tools/sssctl/sssctl_cache.c:1068 +#, c-format +msgid "Could not determine real path for [%s]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:1073 +#, c-format +msgid "The cached GPO path [%s] is not under [%s], ignoring.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:1098 +#, c-format +msgid "Unable to remove downloaded GPO files: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:1165 +#, c-format +msgid "Failed to fetch cache entry: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:1170 +msgid "Could not determine object domain\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:1200 +msgid "Could not find GUID attribute in GPO entry\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:1206 +#, c-format +msgid "Failed to delete GPO: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:1210 +#, c-format +msgid "%s removed from cache\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:50 src/tools/sssctl/sssctl_cert.c:108 +#: src/tools/sssctl/sssctl_cert.c:214 +msgid "Show debug information" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:56 src/tools/sssctl/sssctl_cert.c:114 +#: src/tools/sssctl/sssctl_cert.c:220 +msgid "Specify base64 encoded certificate." 
+msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:138 src/tools/sssctl/sssctl_domains.c:104 +#: src/tools/sssctl/sssctl_domains.c:366 +#: src/tools/sssctl/sssctl_user_checks.c:99 +msgid "Unable to connect to system bus!\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:164 +msgid " - no mapped users found -" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:212 +msgid "Mapping rule" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:213 +msgid "Matching rule" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:223 +msgid "Unable to parse command arguments\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:229 src/tools/sssctl/sssctl_domains.c:354 +msgid "Out of memory!\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:238 +msgid "Failed to setup certmap context.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:244 +#, c-format +msgid "Failed to add mapping and matching rules with error [%d][%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:251 +msgid "Failed to decode base64 string.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:259 +msgid "Certificate matches rule.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:262 +msgid "Certificate does not match rule.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:265 +#, c-format +msgid "Error during certificate matching [%d][%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:272 +#, c-format +msgid "Failed to generate mapping filter [%d][%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cert.c:276 +#, c-format +msgid "" +"Mapping filter:\n" +"\n" +" %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:75 +msgid "" +"Specify a non-default snippet dir (The default is to look in the same place " +"where the main config file is located. 
For example if the config is set to " +"\"/my/path/sssd.conf\", the snippet dir \"/my/path/conf.d\" is used)" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "File %1$s does not exist.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:115 +msgid "There is no configuration.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:120 +#, c-format +msgid "Configuration validation failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:121 +msgid "Run with high debug level to see details.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:130 +msgid "Failed to run validators" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:134 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:145 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:158 +#, c-format +msgid "Used configuration snippet files: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:91 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:97 +msgid "SSSD backup of local data already exists, override?" 
+msgstr "" + +#: src/tools/sssctl/sssctl_data.c:113 +msgid "Unable to export user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:120 +msgid "Unable to export group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:135 src/tools/sssctl/sssctl_data.c:216 +msgid "Override existing backup" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:165 +msgid "Unable to import user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:174 +msgid "Unable to import group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:81 +#: src/tools/sssctl/sssctl_domains.c:326 +msgid "Start SSSD if it is not running" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:217 +msgid "Create clean cache files and import local data" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Stop SSSD before removing the cache" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Start SSSD when the cache is removed" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:234 +msgid "Creating backup of local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:237 +msgid "Unable to create backup of local data, can not remove the cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:242 +msgid "Removing cache files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:245 +msgid "Unable to remove cache files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:250 +msgid "Restoring local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:377 +#, c-format +msgid "Creating cache index for domain %1$s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:379 +#, c-format +msgid "Deleting cache index for domain %1$s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:381 +#, c-format +msgid "Indexes for domain %1$s:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:401 +#, c-format +msgid " Attribute: %1$s\n" +msgstr "" + +#: 
src/tools/sssctl/sssctl_data.c:428 src/tools/sssctl/sssctl_logs.c:525 +msgid "Target a specific domain" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:428 src/tools/sssctl/sssctl_logs.c:525 +msgid "domain" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:430 +msgid "Attribute to index" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:430 +msgid "attribute" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:443 +msgid "Action not provided\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:456 +#, c-format +msgid "" +"Unknown action: %1$s\n" +"Valid actions are \"%2$s\", \"%3$s and \"%4$s\"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:464 +msgid "Attribute (-a) not provided\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:472 +#, c-format +msgid "Attribute %1$s not indexed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:475 +#, c-format +msgid "Attribute %1$s already indexed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:478 +#, c-format +msgid "Index operation failed: %1$s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:483 +msgid "Don't forget to also update the indexes on the remote providers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:82 +msgid "Show domain list including primary or trusted domain type" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:166 +msgid "Online" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:166 +msgid "Offline" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:166 +#, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:212 +msgid "This domain has no active servers.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:217 +msgid "Active servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:229 +msgid "not connected" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:266 +msgid "No servers discovered.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:272 +#, c-format +msgid "Discovered %s servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:284 
+msgid "None so far.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:323 +msgid "Show online status" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:324 +msgid "Show information about active server" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:325 +msgid "Show list of discovered servers" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:331 +msgid "Specify domain name." +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:374 src/tools/sssctl/sssctl_domains.c:384 +msgid "Unable to get online status\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:394 +msgid "Unable to get server list\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:214 +msgid "SSSD is not running.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:231 +#, c-format +msgid "%1$-25s %2$#.4x\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:235 +#, c-format +msgid "%1$-25s Unknown domain\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:237 +#, c-format +msgid "%1$-25s Unreachable service\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:429 +msgid "Delete log files instead of truncating" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:440 +msgid "Deleting log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:443 +msgid "Unable to remove log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:460 +msgid "Truncating log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:464 +msgid "Unable to truncate log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:498 +#, c-format +msgid "Archiving log files into %s...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:502 +msgid "Unable to archive log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:526 +msgid "Target the SSSD service" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:527 +msgid "Target the NSS service" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:528 +msgid "Target the PAM service" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:529 +msgid "Target the SUDO service" +msgstr "" + +#: 
src/tools/sssctl/sssctl_logs.c:530 +msgid "Target the AUTOFS service" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:531 +msgid "Target the SSH service" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:532 +msgid "Target the PAC service" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:533 +msgid "Target the IFP service" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:548 +msgid "Specify debug level you want to set" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:593 +msgid "ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:121 +msgid "SSSD InfoPipe user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:171 +#, c-format +msgid "dlopen failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:178 +#, c-format +msgid "dlsym failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:186 +msgid "malloc failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:193 +#, c-format +msgid "sss_getpwnam_r failed with [%d].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:198 +msgid "SSSD nss user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:199 +#, c-format +msgid " - user name: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:200 +#, c-format +msgid " - user id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:201 +#, c-format +msgid " - group id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:202 +#, c-format +msgid " - gecos: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:203 +#, c-format +msgid " - home directory: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:204 +#, c-format +msgid "" +" - shell: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:235 +msgid "PAM action [auth|acct|setc|chau|open|clos], default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:238 +msgid "PAM service, default: " +msgstr "" + 
+#: src/tools/sssctl/sssctl_user_checks.c:243 +msgid "Specify user name." +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:250 +#, c-format +msgid "" +"user: %s\n" +"action: %s\n" +"service: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:255 +#, c-format +msgid "User name lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:260 +#, c-format +msgid "InfoPipe User lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:266 +#, c-format +msgid "pam_start failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:272 +msgid "" +"testing pam_authenticate\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:276 +#, c-format +msgid "pam_get_item failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:279 +#, c-format +msgid "" +"pam_authenticate for user [%s]: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:282 +msgid "" +"testing pam_chauthtok\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:284 +#, c-format +msgid "" +"pam_chauthtok: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:286 +msgid "" +"testing pam_acct_mgmt\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:288 +#, c-format +msgid "" +"pam_acct_mgmt: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:290 +msgid "" +"testing pam_setcred\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:292 +#, c-format +msgid "" +"pam_setcred: [%s]\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:294 +msgid "" +"testing pam_open_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:296 +#, c-format +msgid "" +"pam_open_session: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:298 +msgid "" +"testing pam_close_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:300 +#, c-format +msgid "" +"pam_close_session: %s\n" +"\n" +msgstr "" + +#: 
src/tools/sssctl/sssctl_user_checks.c:302 +msgid "unknown action\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:305 +msgid "PAM Environment:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:313 +msgid " - no env -\n" +msgstr "" + +#: src/util/util.h:100 +msgid "Specify a non-default config file" +msgstr "" + +#: src/util/util.h:107 +msgid "Informs that the responder has been socket-activated" +msgstr "" diff --git a/src/man/po/es.po b/src/man/po/es.po index 441597ee982..91ec54b5f16 100644 --- a/src/man/po/es.po +++ b/src/man/po/es.po @@ -19,9 +19,8 @@ msgstr "" "Project-Id-Version: sssd-docs 2.3.0\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" "POT-Creation-Date: 2026-01-14 15:00+0000\n" -"PO-Revision-Date: 2026-04-23 16:38+0000\n" -"Last-Translator: Weblate Translation Memory \n" +"PO-Revision-Date: 2026-05-30 21:01+0000\n" +"Last-Translator: \"Fco. Javier F. Serrador\" \n" "Language-Team: Spanish \n" "Language: es\n" @@ -29,7 +28,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=n != 1;\n" -"X-Generator: Weblate 5.17\n" +"X-Generator: Weblate 2026.5\n" #. type: Content of: #: sssd.conf.5.xml:8 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 
@@ -65,17 +64,17 @@ msgstr "5" #: sss_rpcidmapd.5.xml:28 sssd-session-recording.5.xml:12 sssd-kcm.8.xml:12 #: sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" -msgstr "Formatos de archivo y convenciones" +msgstr "Formatos de Archivo y Convenciones" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd.conf.5.xml:20 msgid "the configuration file for SSSD" -msgstr "El archivo de configuración de SSSD" +msgstr "el archivo de configuración para SSSD" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:24 msgid "FILE FORMAT" -msgstr "Formato de archivo" +msgstr "FORMATO DE ARCHIVO" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:32 @@ -100,7 +99,7 @@ msgid "" "until the next section begins. An example of section with single and multi-" "valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" -"El archivo tiene una sintaxis de estilo-ini consistente de secciones y " +"El archivo tiene una sintaxis de estilo‐ini consistente de secciones y " "parámetros. Una sección comienza con el nombre de dicha sección colocado " "entre corchetes, y continua hasta que comienza la siguiente sección. Este es " "un ejemplo de una sección con parámetros de valores simples y múltiples: " @@ -3578,7 +3577,7 @@ msgid "" "<replaceable>groups</replaceable> options are recorded." msgstr "" "Usuarios/grupos especificados por las opciones <replaceable>users</" -"replaceable> y<replaceable>groups</replaceable> están registrados." +"replaceable> y <replaceable>groups</replaceable> están registrados." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2414 sssd-session-recording.5.xml:91 
@@ -4696,7 +4695,7 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3246 msgid "<quote>none</quote> disables SUDO explicitly." -msgstr "<quote>none</quote>deshabilita SUDO explícitamente." +msgstr "<quote>none</quote> inhabilita SUDO explícitamente." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3249 @@ -6153,7 +6152,7 @@ msgid "" "options in the trusted domain section are:" msgstr "" "Algunas opciones usadas en la sección dominio puede ser usadas también en la " -"sección dominio de confianza, esto es, en una sección llamada<quote>[domain/" +"sección dominio de confianza, esto es, en una sección llamada <quote>[domain/" "<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</" "replaceable>]</quote>. Donde DOMAIN_NAME es el dominio base real. Por favor " "vea los ejemplos de abajo para una explicación. Actualmente las opciones " @@ -8639,7 +8638,7 @@ msgid "" "example SSH keys." msgstr "" "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " -"pwd_expire_policy_renew: </emphasis>Estas opciones son útiles si los " +"pwd_expire_policy_renew: </emphasis> Estas opciones son útiles si los " "usuarios están interesados en que se les avise de que la contraseña está " "próxima a expirar y la autenticación está basada en la utilización de un " "método distinto a las contraseñas; por ejemplo claves SSH." @@ -13651,7 +13650,7 @@ msgstr "" "SSSD solo resuelve grupos de seguridad de Active Directory. Para obtener más " "información sobre los tipos de grupos de AD, consulte: <ulink url=\"https://" "docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-" -"security-groups\">Grupos de seguridad de Active Directory</ulink>" +"security-groups\"> Grupos de seguridad de Active Directory</ulink>" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:120 
@@ -15914,7 +15913,7 @@ msgstr "sssd" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd.8.xml:16 msgid "System Security Services Daemon" -msgstr "Dæmon de Servicios de Seguridad del Sistema (SSSD)" +msgstr "Dæmon de Servicios de Seguridad del Sistema" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sssd.8.xml:21 @@ -18072,7 +18071,7 @@ msgid "" "<manvolnum>3</manvolnum> </citerefentry> and includes: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" -"De forma predeterminada, el contestador de InfoPipe del interfaz `/User` " +"De forma predeterminada, el contestador de InfoPipe del interfaz `/Users` " "solo concede el conjunto predeterminado de atributos POSIX. Este conjunto es " "el mismo que devuelve <citerefentry> <refentrytitle>getpwnam</refentrytitle> " "<manvolnum>3</manvolnum> </citerefentry> e incluye: <placeholder " @@ -18102,7 +18101,7 @@ msgstr "" "Es posible añadir otro atributo a este conjunto usando <quote>+attr_name</" "quote> o eliminarlo explícitamente usando <quote>-attr_name</quote>. " "Atributos añadidos serán hechos disponibles en el segmento <quote>" -"extraAttributes>/quote>. Por ejemplo, para permitir <quote>telephoneNumber</" +"extraAttributes</quote>. Por ejemplo, para permitir <quote>telephoneNumber</" "quote> pero denegar <quote>loginShell</quote>, se usaría la siguiente " "configuración: <placeholder type=\"programlisting\" id=\"0\"/>" 
@@ -18554,8 +18553,8 @@ msgstr "" "<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" "citerefentry> puede ser configurado para usar <command>sss_ssh_knownhosts</" "command> para autenticación de la clave del host usando la opción <quote>" -"KnownHostsCommand</quote>: <placeholder type=\"programlisting\" id=\"0\"/>" -"Refuera a la página man <citerefentry><refentrytitle>ssh_config</" +"KnownHostsCommand</quote>: <placeholder type=\"programlisting\" id=\"0\"/> " +"Refiérase a la página man <citerefentry><refentrytitle>ssh_config</" "refentrytitle><manvolnum>5</manvolnum></citerefentry> para más detalles " "sobre esta opción." @@ -18611,8 +18610,8 @@ msgid "" msgstr "" "Las líneas de clave obtenidas desde el segundo plano son esperadas para " "respetar el formato de clave como se describió en la sección <quote>FORMATO " -"DE ARCHIVO SSH_KNOWN_HOSTS </quote> de <citerefentry><refentrytitle>sshd</" -"refentrytitle> <manvolnum>8</manvolnum></citerefentry>. sin embargo, " +"DE ARCHIVO SSH_KNOWN_HOSTS</quote> de <citerefentry><refentrytitle>sshd</" +"refentrytitle> <manvolnum>8</manvolnum></citerefentry>. Sin embargo, " "devolver solo el tipo de clave y la misma clave es tolerado, en cual caso, " "el nombre del host recibido como parámetro será añadido antes del tipo de " "clave a la salida una línea correctamente formada. El nombre de host será " diff --git a/src/man/po/fi.po b/src/man/po/fi.po index 75d91710b2e..5a519d10456 100644 --- a/src/man/po/fi.po +++ b/src/man/po/fi.po @@ -4,7 +4,7 @@ msgstr "" "Project-Id-Version: sssd-docs 2.3.0\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" "POT-Creation-Date: 2026-01-14 15:00+0000\n" -"PO-Revision-Date: 2026-04-23 16:42+0000\n" +"PO-Revision-Date: 2026-05-08 05:45+0000\n" "Last-Translator: Ricky Tigg <ricky.tigg@gmail.com>\n" "Language-Team: Finnish <https://translate.fedoraproject.org/projects/sssd/" "sssd-manpage-master/fi/>\n" 
@@ -13,7 +13,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=n != 1;\n" -"X-Generator: Weblate 5.17\n" +"X-Generator: Weblate 5.17.1\n" #. type: Content of: <reference><title> #: sssd.conf.5.xml:8 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 @@ -794,21 +794,6 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:606 -#, fuzzy -#| msgid "" -#| "Please, note that when this option is set the output format of all " -#| "commands is always fully-qualified even when using short names for input " -#| "<phrase condition=\"with_files_provider\"> , for all users but the ones " -#| "managed by the files provider </phrase>. In case the administrator wants " -#| "the output not fully-qualified, the full_name_format option can be used " -#| "as shown below: <quote>full_name_format=%1$s</quote> However, keep in " -#| "mind that during login, login applications often canonicalize the " -#| "username by calling <citerefentry> <refentrytitle>getpwnam</" -#| "refentrytitle> <manvolnum>3</manvolnum> </citerefentry> which, if a " -#| "shortname is returned for a qualified input (while trying to reach a user " -#| "which exists in multiple domains) might re-route the login attempt into " -#| "the domain which uses shortnames, making this workaround totally not " -#| "recommended in cases where usernames may overlap between domains." msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input. In case " 
@@ -822,21 +807,19 @@ msgid "" "domain which uses shortnames, making this workaround totally not recommended " "in cases where usernames may overlap between domains." msgstr "" -"Huomaa, että kun tämä vaihtoehto on asetettu, kaikkien komentojen tulosteen " -"muoto on aina täysin määritelty, vaikka syötteelle käytettäisiin lyhyitä " -"nimiä <phrase condition=\"with_files_provider\"> kaikille käyttäjille paitsi " -"niille, joita tiedostotoimittaja hallitsee </phrase >. Jos " -"järjestelmänvalvoja haluaa, että tuloste ei ole täysin määritelty, " -"full_name_format -vaihtoehtoa voidaan käyttää alla olevan kuvan mukaisesti: " -"<quote>full_name_format=%1$s</quote> Muista kuitenkin, että " -"sisäänkirjautumisen aikana sisäänkirjautumissovellukset usein kanonisoivat " -"käyttäjänimen. kutsumalla <citerefentry> <refentrytitle>getpwnam</" -"refentrytitle> <manvolnum>3</manvolnum> </citerefentry> joka, jos lyhyt nimi " -"palautetaan pätevälle syötteelle (yritettäessä tavoittaa useissa " -"verkkotunnuksissa olevaa käyttäjää), saattaa ohjata kirjautumisyrityksen " -"uudelleen lyhyitä nimiä käyttävään verkkotunnukseen, joten tämä kiertotapa " -"ei ole suositeltavaa tapauksissa jossa käyttäjänimet voivat mennä " -"päällekkäin verkkotunnusten välillä." +"Huomaa, että kun tämä asetus on asetettu, kaikkien komentojen tulostusmuoto " +"on aina täysin määritelty, vaikka syötteenä käytettäisiin lyhyitä nimiä. Jos " +"ylläpitäjä ei halua tulosteen olevan täysin määritelty, full_name_format-" +"asetusta voidaan käyttää alla olevan mukaisesti: <quote>" +"full_name_format=%1$s</quote> Muista kuitenkin, että kirjautumisen aikana " +"kirjautumissovellukset usein kanonisoivat käyttäjätunnuksen kutsumalla " +"funktiota <citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>" +"3</manvolnum> </citerefentry>. 
Jos pätevälle syötteelle palautetaan " +"lyhytnimi (yritettäessä tavoittaa käyttäjää, joka on useilla " +"verkkotunnuksilla), kirjautumisyritys saattaa reitittää uudelleen " +"verkkotunnukseen, joka käyttää lyhyitä nimiä. Tämä tekee tästä kiertotavasta " +"täysin epäsuositeltavaa tapauksissa, joissa käyttäjätunnukset voivat olla " +"päällekkäisiä eri verkkotunnusten välillä." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:630 sssd.conf.5.xml:1697 sssd.conf.5.xml:4224 @@ -12621,12 +12604,12 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-idp.5.xml:250 -#, fuzzy -#| msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgid "" "<placeholder type=\"programlisting\" id=\"0\"/> <placeholder " "type=\"programlisting\" id=\"1\"/>" -msgstr "Esimerkki: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"<placeholder type=\"programlisting\" id=\"0\"/> <placeholder " +"type=\"programlisting\" id=\"1\"/>" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd.8.xml:10 sssd.8.xml:15 diff --git a/src/man/po/fr.po b/src/man/po/fr.po index 9f2b52f3d3e..a388921ba4a 100644 --- a/src/man/po/fr.po +++ b/src/man/po/fr.po @@ -18,8 +18,8 @@ msgstr "" "Project-Id-Version: sssd-docs 2.3.0\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" "POT-Creation-Date: 2026-01-14 15:00+0000\n" -"PO-Revision-Date: 2026-04-23 16:29+0000\n" -"Last-Translator: Anonymous <noreply@weblate.org>\n" +"PO-Revision-Date: 2026-06-08 07:02+0000\n" +"Last-Translator: Mattia Sasselli <mattia.sasselli@murena.io>\n" "Language-Team: French <https://translate.fedoraproject.org/projects/sssd/" "sssd-manpage-master/fr/>\n" "Language: fr\n" 
@@ -27,7 +27,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=n > 1;\n" -"X-Generator: Weblate 5.17\n" +"X-Generator: Weblate 2026.6.1\n" #. type: Content of: <reference><title> #: sssd.conf.5.xml:8 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 @@ -119,6 +119,8 @@ msgid "" "A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " "(<quote>;</quote>). Inline comments are not supported." msgstr "" +"Une ligne de commentaire commence par un dièse (#) ou un point-virgule (;). " +"Les commentaires en ligne ne sont pas pris en charge." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:50 @@ -158,7 +160,7 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:66 msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" -msgstr "" +msgstr "EXTRAITS DE CONFIGURATION DU RÉPERTOIRE INCLUDE" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:69 @@ -167,6 +169,9 @@ msgid "" "configuration snippets using the include directory <filename>conf.d</" "filename>." msgstr "" +"Le fichier de configuration <filename>sssd.conf</filename> inclura des " +"extraits de configuration utilisant le répertoire d'inclusion <filename>" +"conf.d</filename>." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:75 @@ -176,6 +181,10 @@ msgid "" "(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " "to configure SSSD." msgstr "" +"Tout fichier placé dans <filename>conf.d</filename> qui se termine par " +"<quote><filename>.conf</filename></quote> et ne commence pas par un point " +"(<quote>.</quote>) sera utilisé avec <filename>sssd.conf</filename> pour " +"configurer SSSD." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:83 
@@ -189,6 +198,13 @@ msgid "" "<filename>02_snippet.conf</filename> etc.) can help visualize the priority " "(higher number means higher priority)." msgstr "" +"Les extraits de configuration du fichier `conf.d` sont prioritaires sur ceux " +"du fichier `sssd.conf` et prévalent sur ce dernier en cas de conflit. Si " +"plusieurs extraits sont présents dans `conf.d`, ils sont inclus par ordre " +"alphabétique (selon les paramètres régionaux). Les fichiers inclus en " +"dernier sont prioritaires. Les préfixes numériques (par exemple, " +"`01_snippet.conf`, `02_snippet.conf`, etc.) permettent de visualiser la " +"priorité (un nombre plus élevé indique une priorité plus importante)." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:97 @@ -196,6 +212,8 @@ msgid "" "The snippet files require the same owner and permissions as " "<filename>sssd.conf</filename>." msgstr "" +"Les fichiers d'extrait nécessitent le même propriétaire et les mêmes " +"permissions que <filename>sssd.conf</filename>." #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:103 @@ -222,7 +240,7 @@ msgstr "debug_level (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:117 msgid "debug (integer)" -msgstr "" +msgstr "débogage (entier)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:120 
@@ -232,6 +250,10 @@ msgid "" "are specified, the value of <replaceable>debug_level</replaceable> will be " "used." msgstr "" +"SSSD 1.14 et versions ultérieures incluent également l'alias `<replaceable>" +"debug</replaceable>` pour `<replaceable>debug_level</replaceable>`, par " +"commodité. Si les deux sont spécifiés, la valeur de `<replaceable>" +"debug_level</replaceable>` sera utilisée." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:130 @@ -292,7 +314,7 @@ msgstr "debug_microseconds (booléen)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:159 msgid "Enable debug backtrace." -msgstr "" +msgstr "Activer le débogage par trace d'exécution." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:162 @@ -303,6 +325,11 @@ msgid "" "to 0 or 1 then only those error levels will trigger backtrace, otherwise up " "to 2)." msgstr "" +"Dans le cas où SSSD est exécuté avec debug_level inférieur à 9, tout est " +"enregistré dans un tampon circulaire en mémoire et vidé dans un fichier " +"journal sur toute erreur jusqu'à et y compris `min(0x0040, debug_level)` " +"(c'est-à-dire que si debug_level est explicitement défini sur 0 ou 1, seuls " +"ces niveaux d'erreur déclencheront une trace d'exécution, sinon jusqu'à 2)." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:171 
@@ -310,6 +337,9 @@ msgid "" "Feature is only supported for `logger == files` (i.e. setting doesn't have " "effect for other logger types)." msgstr "" +"Cette fonctionnalité est uniquement prise en charge pour `logger == files` " +"(c'est-à-dire que ce paramètre n'a aucun effet pour les autres types de " +"journalisation)." #. type: Content of: outside any tag (error?) #: sssd.conf.5.xml:111 sssd.conf.5.xml:186 sssd-ldap.5.xml:1754 @@ -341,6 +371,10 @@ msgid "" "ensure that the process is alive and capable of answering requests. Note " "that after three missed heartbeats the process will terminate itself." msgstr "" +"Délai d'attente en secondes entre les pulsations de ce service. Ce délai " +"permet de s'assurer que le processus est actif et capable de répondre aux " +"requêtes. Veuillez noter qu'après trois pulsations manquées, le processus " +"s'arrêtera automatiquement." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:198 sssd.conf.5.xml:1199 sssd.conf.5.xml:1673 @@ -377,6 +411,10 @@ msgid "" "platforms where systemd is supported, as they will either be socket or D-Bus " "activated when needed. </phrase>" msgstr "" +"Liste, séparée par des virgules, des services qui démarrent au lancement de " +"sssd. <phrase condition=\"have_systemd\"> Cette liste de services est " +"facultative sur les plateformes prenant en charge systemd, car ils seront " +"activés par socket ou D-Bus selon les besoins. </phrase>" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:234 
@@ -406,6 +444,9 @@ msgid "" "and the administrator must enable the ones allowed to be used by executing: " "\"systemctl enable sssd-@service@.socket\". </phrase>" msgstr "" +"Par défaut, tous les services sont désactivés et l'administrateur doit " +"activer ceux qui sont autorisés en exécutant la commande : « systemctl " +"enable sssd-@service@.socket »." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:250 @@ -422,6 +463,13 @@ msgid "" "alphanumeric ASCII characters, dashes, dots and underscores. '/' character " "is forbidden." msgstr "" +"Un domaine est une base de données contenant des informations utilisateur. " +"SSSD peut utiliser plusieurs domaines simultanément, mais au moins un doit " +"être configuré pour que SSSD puisse démarrer. Ce paramètre décrit la liste " +"des domaines dans l'ordre de leur interrogation. Il est recommandé qu'un nom " +"de domaine contienne uniquement des caractères alphanumériques ASCII, des " +"tirets, des points et des traits de soulignement. Le caractère « / » est " +"interdit." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:266 sssd.conf.5.xml:3467 @@ -444,6 +492,10 @@ msgid "" "ID providers there are also default regular expressions. See DOMAIN SECTIONS " "for more info on these regular expressions." msgstr "" +"Chaque domaine peut avoir sa propre expression régulière configurée. " +"Certains fournisseurs d'identité proposent également des expressions " +"régulières par défaut. Consultez la section DOMAINE pour plus d'informations " +"sur ces expressions régulières." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:283 sssd.conf.5.xml:3524 
@@ -512,11 +564,13 @@ msgid "" "Each domain can have an individual format string configured. See DOMAIN " "SECTIONS for more info on this option." msgstr "" +"Chaque domaine peut avoir une chaîne de format personnalisée. Consultez la " +"section SECTIONS DE DOMAINE pour plus d'informations sur cette option." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:329 msgid "monitor_resolv_conf (boolean)" -msgstr "" +msgstr "monitor_resolv_conf (booléen)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:332 @@ -524,6 +578,8 @@ msgid "" "Controls if SSSD should monitor the state of resolv.conf to identify when it " "needs to update its internal DNS resolver." msgstr "" +"Contrôle si SSSD doit surveiller l'état de resolv.conf pour identifier quand " +"il doit mettre à jour son résolveur DNS interne." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:342 @@ -537,6 +593,9 @@ msgid "" "changes and will fall back to polling every five seconds if inotify cannot " "be used." msgstr "" +"Par défaut, SSSD tentera d'utiliser inotify pour surveiller les " +"modifications des fichiers de configuration et se rabattra sur un " +"interrogation toutes les cinq secondes si inotify ne peut pas être utilisé." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:351 @@ -611,6 +670,8 @@ msgid "" "Please note that this option is deprecated and domain_resolution_order " "should be used." msgstr "" +"Veuillez noter que cette option est obsolète et qu'il convient d'utiliser " +"domain_resolution_order." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:395 
@@ -637,6 +698,12 @@ msgid "" "is not allowed to use this option together with use_fully_qualified_names " "set to False." msgstr "" +"Veuillez noter que si cette option est activée, tous les utilisateurs du " +"domaine principal devront utiliser leur nom complet (par exemple, " +"utilisateur@nom.domaine) pour se connecter. L'activation de cette option " +"modifie la valeur par défaut de `use_fully_qualified_names` et la définit " +"sur `True`. Il est impossible d'utiliser cette option simultanément avec " +"`use_fully_qualified_names` défini sur `False`." #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:414 sssd-ldap.5.xml:937 sssd-ldap.5.xml:949 @@ -676,6 +743,11 @@ msgid "" "character SSSD tries to return the unmodified name but in general the result " "of a lookup is undefined." msgstr "" +"Veuillez noter que l'utilisation d'un caractère de remplacement susceptible " +"d'être utilisé dans les noms d'utilisateurs ou de groupes constitue une " +"erreur de configuration. Si un nom contient ce caractère, SSSD tente de " +"renvoyer le nom non modifié, mais le résultat de la recherche est " +"généralement indéfini." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:439 
@@ -685,12 +757,12 @@ msgstr "Par défaut : non défini (les espaces ne seront pas remplacées)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:444 msgid "certificate_verification (string)" -msgstr "" +msgstr "vérification_certificat (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:452 msgid "no_ocsp" -msgstr "" +msgstr "no_ocsp" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:454 @@ -699,11 +771,14 @@ msgid "" "needed if the OCSP servers defined in the certificate are not reachable from " "the client." msgstr "" +"Désactive les vérifications OCSP (Online Certificate Status Protocol). Cela " +"peut s'avérer nécessaire si les serveurs OCSP définis dans le certificat ne " +"sont pas accessibles depuis le client." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:462 msgid "soft_ocsp" -msgstr "" +msgstr "soft_ocsp" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:464 
@@ -712,11 +787,14 @@ msgid "" "skipped. This option should be used to allow authentication when the system " "is offline and the OCSP responder cannot be reached." msgstr "" +"Si aucune connexion ne peut être établie avec un serveur OCSP, la " +"vérification OCSP est ignorée. Cette option permet l'authentification " +"lorsque le système est hors ligne et que le serveur OCSP est inaccessible." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:474 msgid "ocsp_dgst" -msgstr "" +msgstr "ocsp_dgst" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:476 
@@ -724,36 +802,40 @@ msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" +"Fonction de hachage utilisée pour créer l'identifiant du certificat pour la " +"requête OCSP. Les valeurs autorisées sont :" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:480 msgid "sha1" -msgstr "" +msgstr "sha1" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:481 msgid "sha256" -msgstr "" +msgstr "sha256" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:482 msgid "sha384" -msgstr "" +msgstr "Sha348" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:483 msgid "sha512" -msgstr "" +msgstr "Sha12" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:486 msgid "Default: sha1 (to allow compatibility with RFC5019-compliant responder)" msgstr "" +"Par défaut : sha1 (pour assurer la compatibilité avec les répondeurs " +"conformes à la norme RFC5019)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:492 msgid "no_verification" -msgstr "" +msgstr "aucune_vérification" #. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:494 @@ -761,11 +843,13 @@ msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" +"Désactive complètement la vérification. Cette option ne doit être utilisée " +"qu'à des fins de test." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:500 msgid "partial_chain" -msgstr "" +msgstr "chaîne partielle" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:502 @@ -774,11 +858,16 @@ msgid "" "chain cannot be built to a self-signed trust-anchor, provided it is possible " "to construct a chain to a trusted certificate that might not be self-signed." msgstr "" +"Autoriser la vérification à réussir même si une chaîne <replaceable>" +"complète</replaceable> ne peut pas être construite jusqu'à une ancre de " +"confiance auto-signée, à condition qu'il soit possible de construire une " +"chaîne jusqu'à un certificat de confiance qui pourrait ne pas être auto-" +"signé." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:511 msgid "ocsp_default_responder=URL" -msgstr "" +msgstr "ocsp_default_responder=URL" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:513 
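Review bot: The French `msgstr` entries for the `ocsp_dgst` digest names in this hunk are misspelled: `msgid "sha384"` becomes `"Sha348"` and `msgid "sha512"` becomes `"Sha12"`, so the man page would list allowed values that do not match the real ones. These are literal tokens of the `certificate_verification` option and should be copied unchanged, `msgstr "sha384"` and `msgstr "sha512"`; the same applies to `no_verification`, rendered here as `"aucune_vérification"`. The page itself says unknown options are reported but ignored, so a reader who copies a translated keyword would presumably end up with a different verification policy than intended. Other hunks in this file translate option identifiers the same way (`certificate_verification`, `partial_chain`, `disable_netlink`, `domain_resolution_order`, `offline_timeout_max`, `debug`) and should keep the original names, translating only the type in parentheses.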
@@ -787,11 +876,14 @@ msgid "" "mentioned in the certificate. URL must be replaced with the URL of the OCSP " "default responder e.g. http://example.com:80/ocsp." msgstr "" +"Définit le répondeur OCSP par défaut à utiliser à la place de celui " +"mentionné dans le certificat. L'URL doit être remplacée par celle du " +"répondeur OCSP par défaut, par exemple : http://example.com:80/ocsp." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:523 msgid "ocsp_default_responder_signing_cert=NAME" -msgstr "" +msgstr "ocsp_default_responder_signing_cert=NOM" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:525 @@ -799,11 +891,13 @@ msgid "" "This option is currently ignored. All needed certificates must be available " "in the PEM file given by pam_cert_db_path." msgstr "" +"Cette option est actuellement ignorée. Tous les certificats nécessaires " +"doivent être disponibles dans le fichier PEM indiqué par pam_cert_db_path." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:533 msgid "crl_file=/PATH/TO/CRL/FILE" -msgstr "" +msgstr "crl_file=/CHEMIN/VERS/CRL/FICHIER" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:535 
@@ -825,7 +919,7 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:548 msgid "soft_crl" -msgstr "" +msgstr "soft_crl" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:551 @@ -835,6 +929,10 @@ msgid "" "This option should be used to allow authentication when the system is " "offline and the CRL cannot be renewed." msgstr "" +"Si une liste de révocation de certificats (CRL) a expiré, ignorez sa date " +"d'expiration et vérifiez les certificats associés à cette CRL expirée. Cette " +"option permet l'authentification lorsque le système est hors ligne et que la " +"CRL ne peut être renouvelée." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:447 
@@ -843,21 +941,26 @@ msgid "" "separated list of options. Supported options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" +"Ce paramètre permet de personnaliser la vérification du certificat à l'aide " +"d'une liste d'options séparées par des virgules. Les options prises en " +"charge sont : <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:564 msgid "Unknown options are reported but ignored." -msgstr "" +msgstr "Les options inconnues sont signalées mais ignorées." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:567 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" +"Par défaut : non défini, c’est-à-dire que la vérification des certificats " +"n’est pas restreinte." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:573 msgid "disable_netlink (boolean)" -msgstr "" +msgstr "désactiver_netlink (booléen)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:576 @@ -865,6 +968,9 @@ msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" +"SSSD s'intègre à l'interface netlink pour surveiller les modifications " +"apportées aux routes, aux adresses et aux liens, et déclencher certaines " +"actions." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:581 
@@ -872,16 +978,19 @@ msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" +"Les modifications d'état SSSD provoquées par les événements netlink peuvent " +"être indésirables et peuvent être désactivées en définissant cette option " +"sur « true »." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:586 msgid "Default: false (netlink changes are detected)" -msgstr "" +msgstr "Par défaut : faux (les modifications du réseau sont détectées)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:591 msgid "domain_resolution_order" -msgstr "" +msgstr "ordre_de_résolution_de_domaine" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:594 @@ -893,6 +1002,12 @@ msgid "" "subdomains which are not listed as part of <quote>lookup_order</quote> will " "be looked up in a random order for each parent domain." msgstr "" +"Liste de domaines et sous-domaines séparés par des virgules, indiquant " +"l'ordre de recherche à suivre. Cette liste n'a pas besoin d'être exhaustive, " +"car les domaines manquants seront recherchés selon l'ordre défini dans " +"l'option de configuration `<quote>domains</quote>`. Les sous-domaines non " +"listés dans `<quote>lookup_order</quote>` seront recherchés de manière " +"aléatoire pour chaque domaine parent." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:606 
@@ -909,6 +1024,19 @@ msgid "" "domain which uses shortnames, making this workaround totally not recommended " "in cases where usernames may overlap between domains." msgstr "" +"Veuillez noter que lorsque cette option est activée, le format de sortie de " +"toutes les commandes est toujours complet, même avec des noms courts en " +"entrée. Si l'administrateur souhaite une sortie non complète, l'option " +"`full_name_format` peut être utilisée comme suit : `<quote>" +"full_name_format=%1$s</quote>`. Cependant, lors de la connexion, les " +"applications normalisent souvent le nom d'utilisateur en appelant " +"`<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>`. Si un nom court est renvoyé pour une entrée " +"qualifiée (lors de la tentative de connexion à un utilisateur présent sur " +"plusieurs domaines), la tentative de connexion peut être redirigée vers le " +"domaine utilisant les noms courts. Cette solution est donc fortement " +"déconseillée lorsque des noms d'utilisateur peuvent se chevaucher entre " +"plusieurs domaines." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:630 sssd.conf.5.xml:1697 sssd.conf.5.xml:4224 @@ -931,6 +1059,9 @@ msgid "" "evaluate and check the PAC. If it has to be disabled set this option to " "'false'." msgstr "" +"Le répondeur PAC est activé automatiquement pour permettre au fournisseur " +"IPA et AD d'évaluer et de vérifier le PAC. Si vous devez le désactiver, " +"définissez cette option sur « false »." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:649 
@@ -947,6 +1078,11 @@ msgid "" "passwords. See man page prctl:PR_SET_DUMPABLE on Linux or " "procctl:PROC_TRACE_CTL on FreeBSD for details." msgstr "" +"Cette option permet de renforcer la sécurité du système : la désactiver " +"empêche la création de fichiers core pour tous les processus SSSD afin " +"d'éviter la divulgation des mots de passe en clair. Consultez la page de " +"manuel de `prctl:PR_SET_DUMPABLE` sous Linux ou de `procctl:PROC_TRACE_CTL` " +"sous FreeBSD pour plus de détails." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:660 @@ -956,6 +1092,10 @@ msgid "" "data in a memory and their behavior in this regards is governed by /proc/sys/" "fs/suid_dumpable system setting." msgstr "" +"Veuillez noter que ce paramètre n'a aucun effet sur 'ldap_child', " +"'krb5_child' et 'sssd_pam', car ces binaires privilégiés peuvent avoir une " +"copie des données keytab de l'hôte en mémoire et leur comportement à cet " +"égard est régi par le paramètre système /proc/sys/fs/suid_dumpable." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:673 @@ -977,6 +1117,9 @@ msgid "" "Enable or disable the user verification (i.e. PIN, fingerprint) during " "authentication. If enabled, the PIN will always be requested." msgstr "" +"Activez ou désactivez la vérification de l'utilisateur (code PIN, empreinte " +"digitale, etc.) lors de l'authentification. Si elle est activée, le code PIN " +"sera systématiquement demandé." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:689 
@@ -985,20 +1128,20 @@ msgid "" "kerberos pre-authentication case, this value will be overwritten by the " "server." msgstr "" +"Par défaut, ce sont les paramètres clés qui déterminent le comportement à " +"adopter. Dans le cas d'une pré-authentification IPA ou Kerberos, cette " +"valeur sera remplacée par celle du serveur." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:676 -#, fuzzy -#| msgid "" -#| "The following expansions are supported: <placeholder " -#| "type=\"variablelist\" id=\"0\"/>" msgid "" "With this parameter the passkey verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" -"Les expansions suivantes sont prises en charge : <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"Ce paramètre permet de personnaliser la vérification du code d'accès à " +"l'aide d'une liste d'options séparées par des virgules. Les options prises " +"en charge sont : <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:213 
@@ -1084,13 +1227,16 @@ msgid "" "can't be shorter than 10 seconds. If a lower value is configured, it will be " "adjusted to 10 seconds." msgstr "" +"Cette option spécifie la durée pendant laquelle un client d'un processus " +"SSSD peut conserver un descripteur de fichier sans communiquer avec celui-" +"ci. Cette valeur est limitée afin d'éviter la saturation des ressources " +"système. Le délai d'expiration ne peut être inférieur à 10 secondes. Si une " +"valeur inférieure est configurée, elle sera ramenée à 10 secondes." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:752 -#, fuzzy -#| msgid "Default: 300" msgid "Default: 60, KCM: 300" -msgstr "Par défaut : 300" +msgstr "Valeur par défaut : 60, KCM : 300" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:757 @@ -1107,6 +1253,12 @@ msgid "" "time for the previous ones. After each unsuccessful attempt to go online, " "the new interval is recalculated by the following:" msgstr "" +"Lorsque SSSD passe en mode hors ligne, le délai avant la prochaine tentative " +"de connexion augmente en fonction de la durée de la déconnexion. Par défaut, " +"SSSD utilise un calcul incrémentiel pour allonger ce délai. Ainsi, le temps " +"d'attente pour une nouvelle tentative est plus long que pour les " +"précédentes. Après chaque tentative infructueuse de connexion, le nouvel " +"intervalle est recalculé comme suit :" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:771 sssd.conf.5.xml:827 
@@ -1114,6 +1266,8 @@ msgid ""
 "new_delay = Minimum(old_delay * 2, offline_timeout_max) + "
 "random[0...offline_timeout_random_offset]"
 msgstr ""
+"nouveau_délai = Minimum(ancien_délai * 2, délai_d'inactivité_max) + "
+"aléatoire[0...décalage_aléatoire_d'inactivité]"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:774
@@ -1122,6 +1276,10 @@ msgid ""
 "value is 3600. The offline_timeout_random_offset default value is 30. The "
 "end result is amount of seconds before next retry."
 msgstr ""
+"La valeur par défaut de offline_timeout est de 60. La valeur par défaut de "
+"offline_timeout_max est de 3600. La valeur par défaut de "
+"offline_timeout_random_offset est de 30. Le résultat final correspond au "
+"nombre de secondes avant la prochaine tentative."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:780
@@ -1129,6 +1287,8 @@ msgid ""
 "Note that the maximum length of each interval is defined by "
 "offline_timeout_max (apart of random part)."
 msgstr ""
+"Notez que la longueur maximale de chaque intervalle est définie par "
+"offline_timeout_max (à l'exception de la partie aléatoire)."
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:784 sssd.conf.5.xml:1110 sssd.conf.5.xml:1490
@@ -1138,10 +1298,8 @@ msgstr "Par défaut : 60"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:789
-#, fuzzy
-#| msgid "offline_timeout (integer)"
 msgid "offline_timeout_max (integer)"
-msgstr "offline_timeout (entier)"
+msgstr "délai_d'inactivité_max (entier)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:792
@@ -1149,11 +1307,13 @@ msgid ""
 "Controls by how much the time between attempts to go online can be "
 "incremented following unsuccessful attempts to go online."
 msgstr ""
+"Contrôle la façon dont le délai entre les tentatives de connexion peut être "
+"incrémenté après des tentatives infructueuses."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:797
 msgid "A value of 0 disables the incrementing behaviour."
-msgstr ""
+msgstr "La valeur 0 désactive l'incrémentation."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:800
@@ -1161,6 +1321,8 @@ msgid ""
 "The value of this parameter should be set in correlation to offline_timeout "
 "parameter value."
 msgstr ""
+"La valeur de ce paramètre doit être définie en corrélation avec la valeur du "
+"paramètre offline_timeout."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:804
@@ -1170,6 +1332,10 @@ msgid ""
 "rule here should be to set offline_timeout_max to at least 4 times "
 "offline_timeout."
 msgstr ""
+"Avec offline_timeout fixé à 60 (valeur par défaut), il est inutile de "
+"définir offline_timeout_max à moins de 120, car cette valeur sera "
+"immédiatement saturée. En règle générale, il est conseillé de définir "
+"offline_timeout_max à au moins quatre fois la valeur de offline_timeout."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:810
@@ -1177,20 +1343,19 @@ msgid ""
 "Although a value between 0 and offline_timeout may be specified, it has the "
 "effect of overriding the offline_timeout value so is of little use."
 msgstr ""
+"Bien qu'une valeur comprise entre 0 et offline_timeout puisse être "
+"spécifiée, elle a pour effet de remplacer la valeur offline_timeout et "
+"s'avère donc peu utile."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:815
-#, fuzzy
-#| msgid "Default: 300"
 msgid "Default: 3600"
-msgstr "Par défaut : 300"
+msgstr "Default: 3600"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:820
-#, fuzzy
-#| msgid "offline_timeout + random_offset"
 msgid "offline_timeout_random_offset (integer)"
-msgstr "offline_timeout + random_offset"
+msgstr "délai_d'inactivité_aléatoire (entier)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:823
@@ -1198,6 +1363,8 @@ msgid ""
 "When SSSD is in offline mode it keeps probing backend servers in specified "
 "time intervals:"
 msgstr ""
+"Lorsque SSSD est en mode hors ligne, il continue d'interroger les serveurs "
+"backend à intervalles de temps spécifiés :"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:830
@@ -1205,6 +1372,9 @@ msgid ""
 "This parameter controls the value of the random offset used for the above "
 "equation. Final random_offset value will be random number in range:"
 msgstr ""
+"Ce paramètre contrôle la valeur du décalage aléatoire utilisé pour "
+"l'équation ci-dessus. La valeur finale de random_offset sera un nombre "
+"aléatoire compris dans la plage :"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:835
@@ -1216,19 +1386,19 @@ msgstr "offline_timeout + random_offset"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:838
 msgid "A value of 0 disables the random offset addition."
-msgstr ""
+msgstr "La valeur 0 désactive l'ajout de décalage aléatoire."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:841
 #, fuzzy
 #| msgid "Default: 300"
 msgid "Default: 30"
-msgstr "Par défaut : 300"
+msgstr "Par défaut : 300"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:846
 msgid "responder_idle_timeout"
-msgstr ""
+msgstr "La valeur 0 désactive l'ajout de décalage aléatoire."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:849
@@ -1241,6 +1411,12 @@ msgid ""
 "built with systemd support and when services are either socket or D-Bus "
 "activated."
 msgstr ""
+"Cette option spécifie la durée maximale d'inactivité (en secondes) d'un "
+"processus répondeur SSSD. Cette limite est imposée afin d'éviter la "
+"saturation des ressources système. La valeur minimale acceptable est de 60 "
+"secondes. Définir cette option sur 0 (zéro) désactive le délai d'expiration "
+"du répondeur. Cette option n'est effective que si SSSD est compilé avec le "
+"support de systemd et si les services sont activés via socket ou D-Bus."
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:863 sssd.conf.5.xml:1123 sssd.conf.5.xml:2248
@@ -1251,7 +1427,7 @@ msgstr "Par défaut : 300"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:868
 msgid "cache_first"
-msgstr ""
+msgstr "cache_first"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:871
@@ -1259,6 +1435,8 @@ msgid ""
 "This option specifies whether the responder should query all caches before "
 "querying the Data Providers."
 msgstr ""
+"Cette option indique si le répondeur doit interroger tous les caches avant "
+"d'interroger les fournisseurs de données."
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 #: sssd.conf.5.xml:883
@@ -1377,6 +1555,11 @@ msgid ""
 "also be set per-domain or include fully-qualified names to filter only users "
 "from the particular domain or by a user principal name (UPN)."
 msgstr ""
+"Excluez certains utilisateurs ou groupes de la base de données NSS. Cette "
+"option est particulièrement utile pour les comptes système. Elle peut être "
+"configurée par domaine ou inclure les noms de domaine complets pour filtrer "
+"uniquement les utilisateurs d'un domaine spécifique ou par nom d'utilisateur "
+"principal (UPN)."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:959
@@ -1386,6 +1569,10 @@ msgid ""
 "NSS. E.g. a group having a member group filtered out will still have the "
 "member users of the latter listed."
 msgstr ""
+"REMARQUE : L’option filter_groups n’affecte pas l’héritage des membres de "
+"groupes imbriqués, car le filtrage intervient après leur propagation pour le "
+"retour via NSS. Par exemple, un groupe dont un sous-groupe est exclu "
+"affichera toujours les utilisateurs membres de ce dernier."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:967
@@ -1515,6 +1702,8 @@ msgstr ""
 #: sssd.conf.5.xml:1045
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
+"Le caractère générique (*) peut être utilisé pour autoriser n'importe quel "
+"shell."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1048
@@ -1523,6 +1712,10 @@ msgid ""
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
 "allowed shells in allowed_shells would be to much overhead."
 msgstr ""
+"L'astérisque (*) est utile si vous souhaitez utiliser shell_fallback au cas "
+"où le shell de cet utilisateur ne se trouverait pas dans <quote>/etc/shells</"
+"quote> et que la maintenance d'une liste de tous les shells autorisés dans "
+"allowed_shells représenterait une surcharge trop importante."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1055
@@ -1619,10 +1812,8 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1115
-#, fuzzy
-#| msgid "enum_cache_timeout (integer)"
 msgid "memcache_timeout (integer)"
-msgstr "enum_cache_timeout (entier)"
+msgstr "memcache_timeout (entier)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1118
@@ -1630,6 +1821,8 @@ msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid. Setting this option to zero will disable the in-memory cache."
 msgstr ""
+"Spécifie la durée, en secondes, de validité des enregistrements dans le "
+"cache en mémoire. Définir cette option à zéro désactive le cache en mémoire."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1126
@@ -1637,6 +1830,9 @@ msgid ""
 "WARNING: Disabling the in-memory cache will have significant negative impact "
 "on SSSD's performance and should only be used for testing."
 msgstr ""
+"AVERTISSEMENT : La désactivation du cache en mémoire aura un impact négatif "
+"important sur les performances de SSSD et ne doit être utilisée qu’à des "
+"fins de test."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1132 sssd.conf.5.xml:1157 sssd.conf.5.xml:1182
@@ -1645,6 +1841,9 @@ msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
+"REMARQUE : Si la variable d'environnement SSS_NSS_USE_MEMCACHE est définie "
+"sur « NO », les applications clientes n'utiliseront pas le cache en mémoire "
+"rapide."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1140
@@ -1660,6 +1859,9 @@ msgid ""
 "for passwd requests. Setting the size to 0 will disable the passwd in-"
 "memory cache."
 msgstr ""
+"Taille (en mégaoctets) de la table de données allouée dans le cache mémoire "
+"rapide pour les requêtes passwd. Définir cette taille à 0 désactive le cache "
+"mémoire passwd."
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1149 sssd.conf.5.xml:2888 sssd-ldap.5.xml:604
@@ -1673,6 +1875,8 @@ msgid ""
 "WARNING: Disabled or too small in-memory cache can have significant negative "
 "impact on SSSD's performance."
 msgstr ""
+"AVERTISSEMENT : Un cache en mémoire désactivé ou trop petit peut avoir un "
+"impact négatif important sur les performances de SSSD."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1165
@@ -1688,6 +1892,9 @@ msgid ""
 "for group requests. Setting the size to 0 will disable the group in-memory "
 "cache."
 msgstr ""
+"Taille (en mégaoctets) de la table de données allouée dans le cache mémoire "
+"rapide pour les requêtes groupées. Définir cette taille à 0 désactive le "
+"cache mémoire groupé."
 #. type: Content of: <variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1174 sssd.conf.5.xml:1226 sssd.conf.5.xml:3656
@@ -1710,6 +1917,9 @@ msgid ""
 "for initgroups requests. Setting the size to 0 will disable the initgroups "
 "in-memory cache."
 msgstr ""
+"Taille (en mégaoctets) de la table de données allouée dans le cache mémoire "
+"rapide pour les requêtes initgroups. Définir cette taille à 0 désactive le "
+"cache mémoire des initgroups."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1215
@@ -1726,6 +1936,10 @@ msgid ""
 "currently cached in fast in-memory cache. Setting the size to 0 will "
 "disable the SID in-memory cache."
 msgstr ""
+"Taille (en mégaoctets) de la table de données allouée dans le cache mémoire "
+"rapide pour les requêtes liées au SID. Seules les requêtes SID-by-ID et ID-"
+"by-SID sont actuellement mises en cache. Définir la taille à 0 désactivera "
+"le cache mémoire des SID."
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1242 sssd-ifp.5.xml:90
@@ -1742,6 +1956,11 @@ msgid ""
 "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
 "manvolnum> </citerefentry> for details) but with no default values."
 msgstr ""
+"Certaines requêtes supplémentaires du répondeur NSS peuvent renvoyer plus "
+"d'attributs que ceux définis par l'interface NSS au format POSIX. La liste "
+"des attributs est contrôlée par cette option. Elle est gérée de la même "
+"manière que l'option `user_attributes` du répondeur InfoPipe (voir `sssd-"
+"ifp` pour plus de détails), mais sans valeurs par défaut."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1258
@@ -1749,6 +1968,8 @@ msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
+"Pour simplifier la configuration, le répondeur NSS vérifiera l'option "
+"InfoPipe si elle n'est pas définie pour le répondeur NSS."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1263
@@ -1758,7 +1979,7 @@ msgstr "Par défaut : non défini, repli sur l'option InfoPipe"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1268
 msgid "pwfield (string)"
-msgstr ""
+msgstr "pwfield (chaîne)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1271
@@ -1766,13 +1987,15 @@ msgid ""
 "The value that NSS operations that return users or groups will return for "
 "the <quote>password</quote> field."
 msgstr ""
+"La valeur que les opérations NSS qui renvoient des utilisateurs ou des "
+"groupes renverront pour le champ <quote>mot de passe</quote>."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1276
 #, fuzzy
 #| msgid "Default: <quote>permit</quote>"
 msgid "Default: <quote>*</quote>"
-msgstr "Par défaut : <quote>permit</quote>"
+msgstr "Par défaut : <quote>permit</quote>"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1279
@@ -1789,6 +2012,8 @@ msgid ""
 "Default: <quote>not set</quote> (remote domains), <quote>x</quote> (proxy "
 "domain with nss_files and sssd-shadowutils target)"
 msgstr ""
+"Par défaut : <quote>non défini</quote> (domaines distants), <quote>x</quote> "
+"(domaine proxy avec nss_files et cible sssd-shadowutils)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 #: sssd.conf.5.xml:1292
@@ -1931,6 +2156,11 @@ msgid ""
 "responses sent to pam_sss e.g. messages displayed to the user or environment "
 "variables which should be set by pam_sss."
 msgstr ""
+"Une liste de chaînes de caractères séparées par des virgules permettant de "
+"supprimer (filtrer) les données envoyées par le répondeur PAM au module PAM "
+"pam_sss. Différents types de réponses sont envoyés à pam_sss, par exemple "
+"des messages affichés à l'utilisateur ou des variables d'environnement que "
+"pam_sss doit définir."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1388
@@ -1938,36 +2168,39 @@ msgid ""
 "While messages already can be controlled with the help of the pam_verbosity "
 "option this option allows to filter out other kind of responses as well."
 msgstr ""
+"Bien que les messages puissent déjà être contrôlés grâce à l'option "
+"pam_verbosity, cette option permet également de filtrer d'autres types de "
+"réponses."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1395
 msgid "ENV"
-msgstr ""
+msgstr "ENV"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1396
 msgid "Do not send any environment variables to any service."
-msgstr ""
+msgstr "N'envoyez aucune variable d'environnement à aucun service."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1399
 msgid "ENV:var_name"
-msgstr ""
+msgstr "ENV:var_name"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1400
 msgid "Do not send environment variable var_name to any service."
-msgstr ""
+msgstr "Ne transmettez la variable d'environnement var_name à aucun service."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1404
 msgid "ENV:var_name:service"
-msgstr ""
+msgstr "ENV:var_name:service"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1405
 msgid "Do not send environment variable var_name to service."
-msgstr ""
+msgstr "Ne transmettez pas la variable d'environnement var_name au service."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1393
@@ -1975,6 +2208,8 @@ msgid ""
 "Currently the following filters are supported: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
+"Les filtres suivants sont actuellement pris en charge : <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1412
@@ -1986,17 +2221,24 @@ msgid ""
 "that either all list elements must have a '+' or '-' prefix or none. It is "
 "considered as an error to mix both styles."
 msgstr ""
+"La liste de chaînes de caractères peut soit constituer la liste des filtres, "
+"qui définira cette liste et remplacera les valeurs par défaut, soit être "
+"précédée d'un caractère « + » ou « - » pour ajouter ou supprimer le filtre "
+"des valeurs par défaut existantes. Veuillez noter que tous les éléments de "
+"la liste doivent être précédés d'un « + » ou d'un « - », ou aucun. Mélanger "
+"les deux styles est considéré comme une erreur."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1423
 msgid "Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i"
-msgstr ""
+msgstr "Valeur par défaut : ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1426
 msgid ""
 "Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the default list"
 msgstr ""
+"Exemple : -ENV:KRB5CCNAME:sudo-i supprimera le filtre de la liste par défaut"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1433
@@ -2089,11 +2331,17 @@ msgid ""
 "<quote>pam_public_domains</quote>. User names are resolved to UIDs at "
 "startup."
 msgstr ""
+"Spécifie la liste, séparée par des virgules, des UID ou des noms "
+"d'utilisateur autorisés à effectuer des conversations PAM sur les domaines "
+"de confiance. Les utilisateurs non inclus dans cette liste peuvent "
+"uniquement accéder aux domaines marqués comme publics avec "
+"`pam_public_domains`. Les noms d'utilisateur sont résolus en UID au "
+"démarrage."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1508
 msgid "Default: All users are considered trusted by default"
-msgstr ""
+msgstr "Par défaut : Tous les utilisateurs sont considérés comme fiables."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1512
@@ -2101,6 +2349,8 @@ msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
+"Veuillez noter que l'UID 0 est toujours autorisé à accéder au répondeur PAM "
+"même s'il ne figure pas dans la liste pam_trusted_users."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1519
@@ -2113,6 +2363,8 @@ msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
+"Spécifie la liste, séparée par des virgules, des noms de domaine accessibles "
+"même aux utilisateurs non fiables."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1526
@@ -2153,6 +2405,8 @@ msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
+"Permet de définir un message d'expiration personnalisé, remplaçant le "
+"message par défaut « Permission refusée »."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1551
@@ -2160,6 +2414,9 @@ msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbosity is set to 3 (show all messages and debug information)."
 msgstr ""
+"Remarque : Veuillez noter que ce message n'est imprimé que pour le service "
+"SSH, sauf si pam_verbosity est défini sur 3 (afficher tous les messages et "
+"les informations de débogage)."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 #: sssd.conf.5.xml:1559
@@ -2168,11 +2425,14 @@ msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
 " "
 msgstr ""
+"pam_account_expired_message = Compte expiré, veuillez contacter le service "
+"d'assistance.\n"
+" "
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1568
 msgid "pam_account_locked_message (string)"
-msgstr ""
+msgstr "pam_account_locked_message (chaîne)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1571
@@ -2180,6 +2440,8 @@ msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
+"Permet de définir un message de verrouillage personnalisé, remplaçant le "
+"message par défaut « Permission refusée »."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 #: sssd.conf.5.xml:1578
@@ -2188,6 +2450,9 @@ msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
 " "
 msgstr ""
+"pam_account_locked_message = Compte verrouillé, veuillez contacter le "
+"service d'assistance.\n"
+" "
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1587
@@ -2199,7 +2464,7 @@ msgstr "ldap_chpass_update_last_change (bool)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1590
 msgid "Enable passkey device based authentication."
-msgstr ""
+msgstr "Activer l'authentification par clé d'accès."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1593 sssd.conf.5.xml:1910 sssd-ad.5.xml:1286
@@ -2210,12 +2475,12 @@ msgstr "Par défaut : True"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1598
 msgid "passkey_debug_libfido2 (bool)"
-msgstr ""
+msgstr "débogage de la clé d'accès libfido2 (livre)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1601
 msgid "Enable libfido2 library debug messages."
-msgstr ""
+msgstr "Activer les messages de débogage de la bibliothèque libfido2."
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1604 sssd.conf.5.xml:1618 sssd-ldap.5.xml:727
@@ -2228,7 +2493,7 @@ msgstr "Par défaut : False"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1609
 msgid "pam_cert_auth (bool)"
-msgstr ""
+msgstr "pam_cert_auth (booléen)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1612
@@ -2237,21 +2502,24 @@ msgid ""
 "additional communication with the Smartcard which will delay the "
 "authentication process this option is disabled by default."
 msgstr ""
+"Activer l'authentification par carte à puce basée sur un certificat. Cette "
+"option, qui nécessite une communication supplémentaire avec la carte à puce "
+"et ralentit le processus d'authentification, est désactivée par défaut."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1623
 msgid "pam_cert_db_path (string)"
-msgstr ""
+msgstr "pam_cert_db_path (chaîne)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1626
 msgid "The path to the certificate database."
-msgstr ""
+msgstr "Le chemin d'accès à la base de données des certificats."
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1629 sssd.conf.5.xml:2163 sssd.conf.5.xml:4338
 msgid "Default:"
-msgstr ""
+msgstr "Défaut:"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1631 sssd.conf.5.xml:2165
@@ -2259,6 +2527,8 @@ msgid ""
 "/etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted CA "
 "certificates in PEM format)"
 msgstr ""
+"/etc/sssd/pki/sssd_auth_ca_db.pem (chemin d'accès à un fichier contenant les "
+"certificats d'autorité de certification de confiance au format PEM)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1641
@@ -2276,13 +2546,14 @@ msgid ""
 "section. Supported options are the same of <quote>certificate_verification</"
 "quote>."
 msgstr ""
+"Ce paramètre permet de configurer la vérification du certificat PAM à l'aide "
+"d'une liste d'options séparées par des virgules, qui remplacent la valeur de "
+"`certificate_verification` dans la section `[sssd]`. Les options prises en "
+"charge sont les mêmes que celles de `certificate_verification`."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 #: sssd.conf.5.xml:1655
-#, fuzzy, no-wrap
-#| msgid ""
-#| "subdomain_inherit = ldap_purge_cache_timeout\n"
-#| " "
+#, no-wrap
 msgid ""
 "pam_cert_verification = partial_chain\n"
 " "
@@ -2296,16 +2567,21 @@ msgid ""
 "Default: not set, i.e. use default <quote>certificate_verification</quote> "
 "option defined in <quote>[sssd]</quote> section."
 msgstr ""
+"Ce paramètre permet de configurer la vérification du certificat PAM à l'aide "
+"d'une liste d'options séparées par des virgules, qui remplacent la valeur de "
+"`certificate_verification` dans la section `[sssd]`. Les options prises en "
+"charge sont les mêmes que celles de `certificate_verification`."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1666
 msgid "p11_child_timeout (integer)"
-msgstr ""
+msgstr "p11_child_timeout (integer)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1669
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
+"Combien de secondes pam_sss attendra-t-elle pour que p11_child ait terminé ?"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1678
@@ -2319,25 +2595,24 @@ msgstr "pam_id_timeout (entier)"
 msgid ""
 "How many seconds will the PAM responder wait for passkey_child to finish."
 msgstr ""
+"Combien de secondes pam_sss attendra-t-elle pour que p11_child ait terminé ?"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1690
 msgid "pam_app_services (string)"
-msgstr ""
+msgstr "pam_app_services (string)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1693
 msgid ""
 "Which PAM services are permitted to contact domains of type "
 "<quote>application</quote>"
-msgstr ""
+msgstr "pam_app_services (chaîne de caractères)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1702
-#, fuzzy
-#| msgid "ad_gpo_map_service (string)"
 msgid "pam_p11_allowed_services (string)"
-msgstr "ad_gpo_map_service (chaîne)"
+msgstr "pam_p11_allowed_services (chaîne)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1705
@@ -2345,6 +2620,8 @@ msgid ""
 "A comma-separated list of PAM service names for which it will be allowed to "
 "use Smartcards."
 msgstr ""
+"Liste, séparée par des virgules, des noms de services PAM pour lesquels "
+"l'utilisation de cartes à puce sera autorisée."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 #: sssd.conf.5.xml:1720
@@ -2353,6 +2630,8 @@ msgid ""
 "pam_p11_allowed_services = +my_pam_service, -login\n"
 " "
 msgstr ""
+"pam_p11_allowed_services = +my_pam_service, -login\n"
+" "
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1709
@@ -2365,67 +2644,75 @@ msgid ""
 "<quote>my_pam_service</quote>), you would use the following configuration: "
 "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
+"Il est possible d'ajouter un autre nom de service PAM à l'ensemble par "
+"défaut en utilisant `<quote>+nom_du_service</quote>` ou de supprimer "
+"explicitement un nom de service PAM de l'ensemble par défaut en utilisant "
+"`<quote>-nom_du_service</quote>`. Par exemple, pour remplacer le nom de "
+"service PAM par défaut pour l'authentification par carte à puce (par "
+"exemple, `<quote>login</quote>`) par un nom de service PAM personnalisé (par "
+"exemple, `<quote>mon_service_PAM</quote>`), vous utiliserez la configuration "
+"suivante : `<placeholder type=\"programlisting\" id=\"0\"/>`"
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1724 sssd-ad.5.xml:645 sssd-ad.5.xml:754 sssd-ad.5.xml:812
 #: sssd-ad.5.xml:870 sssd-ad.5.xml:948
 msgid "Default: the default set of PAM service names includes:"
-msgstr ""
+msgstr "Default: the default set of PAM service names includes:"
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1729 sssd-ad.5.xml:649
 msgid "login"
-msgstr ""
+msgstr "se connecter"
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1734 sssd-ad.5.xml:654
 msgid "su"
-msgstr ""
+msgstr "sur"
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1739 sssd-ad.5.xml:659
 msgid "su-l"
-msgstr ""
+msgstr "sur le"
 #.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1744 sssd-ad.5.xml:674
 msgid "gdm-smartcard"
-msgstr ""
+msgstr "carte à puce gdm"
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1749 sssd-ad.5.xml:669
 msgid "gdm-password"
-msgstr ""
+msgstr "carte à puce gdm"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1754
 msgid "gdm-switchable-auth"
-msgstr ""
+msgstr "Authentification commutable gdm"
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1759 sssd-ad.5.xml:679
 msgid "kdm"
-msgstr ""
+msgstr "kdm"
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1764 sssd-ad.5.xml:957
 msgid "sudo"
-msgstr ""
+msgstr "sudo"
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1769 sssd-ad.5.xml:962
 msgid "sudo-i"
-msgstr ""
+msgstr "sudo-i"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1774
 msgid "gnome-screensaver"
-msgstr ""
+msgstr "économiseur d'écran gnome"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1782
 msgid "p11_wait_for_card_timeout (integer)"
-msgstr ""
+msgstr "p11_wait_for_card_timeout (entier)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1785
@@ -2434,11 +2721,14 @@ msgid ""
 "to p11_child_timeout should the PAM responder wait until a Smartcard is "
 "inserted."
 msgstr ""
+"Si l'authentification par carte à puce est requise, combien de secondes "
+"supplémentaires, en plus de p11_child_timeout, le répondeur PAM doit-il "
+"attendre avant qu'une carte à puce soit insérée ?"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1796
 msgid "p11_uri (string)"
-msgstr ""
+msgstr "p11_uri (chaîne)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1799
@@ -2450,6 +2740,13 @@ msgid ""
 "first slot found. If multiple readers are connected p11_uri can be used to "
 "tell p11_child to use a specific reader."
 msgstr ""
+"L'URI PKCS#11 (voir RFC-7512 pour plus de détails) permet de limiter la "
+"sélection des périphériques utilisés pour l'authentification par carte à "
+"puce. Par défaut, le composant p11_child de SSSD recherche un emplacement "
+"PKCS#11 (lecteur) où l'indicateur « amovible » est activé et lit les "
+"certificats du jeton inséré à partir du premier emplacement trouvé. Si "
+"plusieurs lecteurs sont connectés, l'URI PKCS#11 peut être utilisée pour "
+"indiquer à p11_child d'utiliser un lecteur spécifique."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 #: sssd.conf.5.xml:1812
@@ -2458,6 +2755,8 @@ msgid ""
 "p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader\n"
 " "
 msgstr ""
+"p11_uri = pkcs11:slot-description=Mon%20lecteur%20de%20cartes%20à%puce\n"
+" "
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 #: sssd.conf.5.xml:1816
@@ -2466,6 +2765,9 @@ msgid ""
 "p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2\n"
 " "
 msgstr ""
+"p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-"
+"id=2\n"
+" "
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1810
@@ -2475,27 +2777,34 @@ msgid ""
 "debug output of p11_child. As an alternative the GnuTLS utility 'p11tool' "
 "with e.g. the '--list-all' will show PKCS#11 URIs as well."
 msgstr ""
+"Exemple : `<placeholder type=\"programlisting\" id=\"0\"/>` ou `<placeholder "
+"type=\"programlisting\" id=\"1\"/>`. Pour trouver l'URI appropriée, veuillez "
+"consulter la sortie de débogage de `p11_child`. Vous pouvez également "
+"utiliser l'utilitaire GnuTLS `p11tool` avec l'option `--list-all`, par "
+"exemple, pour afficher les URI PKCS#11."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1829
 msgid "pam_initgroups_scheme"
-msgstr ""
+msgstr "schéma pam_initgroups"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1837
 msgid "always"
-msgstr ""
+msgstr "toujours"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1838
 msgid ""
 "Always do an online lookup, please note that pam_id_timeout still applies"
 msgstr ""
+"Veuillez toujours effectuer une recherche en ligne. Notez que le délai "
+"d'expiration de l'identifiant PAM (pam_id_timeout) reste applicable."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1842
 msgid "no_session"
-msgstr ""
+msgstr "aucune session"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1843
@@ -2503,11 +2812,13 @@ msgid ""
 "Only do an online lookup if there is no active session of the user, i.e. if "
 "the user is currently not logged in"
 msgstr ""
+"N’effectuez une recherche en ligne que si l’utilisateur n’a pas de session "
+"active, c’est-à-dire s’il n’est pas connecté."
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1848 sssd-ldap.5.xml:189
 msgid "never"
-msgstr ""
+msgstr "jamais"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1849
@@ -2515,6 +2826,8 @@ msgid ""
 "Never force an online lookup, use the data from the cache as long as they "
 "are not expired"
 msgstr ""
+"Ne jamais forcer une recherche en ligne, utiliser les données du cache tant "
+"qu'elles ne sont pas expirées."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1832
@@ -2524,11 +2837,16 @@ msgid ""
 "should be done and the following values are allowed: <placeholder "
 "type=\"variablelist\" id=\"0\"/>"
 msgstr ""
+"Le répondeur PAM peut forcer une recherche en ligne pour obtenir les "
+"appartenances aux groupes actuelles de l'utilisateur qui tente de se "
+"connecter. Cette option détermine quand cette recherche doit être effectuée "
+"et les valeurs suivantes sont autorisées : <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1856
 msgid "Default: no_session"
-msgstr ""
+msgstr "Par défaut : aucune session"
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd.conf.5.xml:1861 sssd.conf.5.xml:4277
@@ -2539,18 +2857,20 @@ msgstr "ad_gpo_map_service (chaîne)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1864
-#, fuzzy
-#| msgid "Comma separated list of users who are allowed to log in."
 msgid ""
 "Comma separated list of PAM services that are allowed to try GSSAPI "
 "authentication using pam_sss_gss.so module."
-msgstr "Liste séparée par des virgules d'utilisateurs autorisés à se connecter."
+msgstr ""
+"Liste, séparée par des virgules, des services PAM autorisés à tenter "
+"l'authentification GSSAPI à l'aide du module pam_sss_gss.so."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1869
 msgid ""
 "To disable GSSAPI authentication, set this option to <quote>-</quote> (dash)."
 msgstr ""
+"Pour désactiver l'authentification GSSAPI, définissez cette option sur "
+"<quote>-</quote> (tiret)."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1873 sssd.conf.5.xml:1904 sssd.conf.5.xml:1942
@@ -2559,6 +2879,9 @@ msgid ""
 "[pam] section. It can also be set for trusted domain which overwrites the "
 "value in the domain section."
 msgstr ""
+"Remarque : Cette option peut également être définie par domaine, remplaçant "
+"ainsi la valeur de la section [pam]. Elle peut aussi être définie pour un "
+"domaine de confiance, remplaçant alors la valeur de la section « domaine »."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 #: sssd.conf.5.xml:1881
@@ -2581,12 +2904,12 @@ msgstr "Exemple : <placeholder type=\"programlisting\" id=\"0\"/>"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1885
 msgid "Default: - (GSSAPI authentication is disabled)"
-msgstr ""
+msgstr "Par défaut : - (l’authentification GSSAPI est désactivée)"
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd.conf.5.xml:1890 sssd.conf.5.xml:4278
 msgid "pam_gssapi_check_upn"
-msgstr ""
+msgstr "Vérification de Pam_Gaspi"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1893
@@ -2595,6 +2918,10 @@ msgid ""
 "successfully authenticated through GSSAPI can be associated with the user "
 "who is being authenticated. Authentication will fail if the check fails."
 msgstr ""
+"Si cette option est activée, SSSD exigera que le principal utilisateur "
+"Kerberos ayant réussi l'authentification via GSSAPI soit associé à "
+"l'utilisateur en cours d'authentification. L'authentification échouera en "
+"cas d'échec de cette vérification."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1900
@@ -2602,11 +2929,13 @@ msgid ""
 "If False, every user that is able to obtained required service ticket will "
 "be authenticated."
 msgstr ""
+"Si la valeur est fausse, chaque utilisateur capable d'obtenir le ticket de "
+"service requis sera authentifié."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:1915
 msgid "pam_gssapi_indicators_map"
-msgstr ""
+msgstr "pam_gssapi_indicators_map"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1918
@@ -2615,6 +2944,9 @@ msgid ""
 "a Kerberos ticket to access a PAM service that is allowed to try GSSAPI "
 "authentication using pam_sss_gss.so module."
 msgstr ""
+"Liste séparée par des virgules des indicateurs d'authentification requis "
+"dans un ticket Kerberos pour accéder à un service PAM autorisé à tenter une "
+"authentification GSSAPI à l'aide du module pam_sss_gss.so."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1924
@@ -2630,6 +2962,17 @@ msgid ""
 "be denied. If the resulting list of indicators for the PAM service is empty, "
 "the check will not prevent the access."
 msgstr ""
+"Chaque élément de la liste peut être soit le nom d'un indicateur "
+"d'authentification, soit une paire <quote>service:indicateur</quote>. Les "
+"indicateurs non préfixés par le nom du service PAM sont requis pour accéder "
+"à tout service PAM configuré pour être utilisé avec <option>"
+"pam_gssapi_services</option>. La liste d'indicateurs résultante pour chaque "
+"service PAM est ensuite comparée aux indicateurs du ticket Kerberos lors de "
+"l'authentification par pam_sss_gss.so. Tout indicateur du ticket "
+"correspondant à la liste d'indicateurs résultante pour le service PAM "
+"autorise l'accès. Si aucun indicateur de la liste ne correspond, l'accès est "
+"refusé. Si la liste d'indicateurs résultante pour le service PAM est vide, "
+"la vérification n'empêche pas l'accès."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1937
@@ -2638,6 +2981,10 @@ msgid ""
 "</quote> (dash). To disable the check for a specific PAM service, add "
 "<quote>service:-</quote>."
 msgstr ""
+"Pour désactiver la vérification de l'indicateur d'authentification GSSAPI, "
+"définissez cette option sur <quote>-</quote> (tiret). Pour désactiver la "
+"vérification pour un service PAM spécifique, ajoutez <quote>service:-</quote>"
+"."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1948
@@ -2645,6 +2992,8 @@ msgid ""
 "Following authentication indicators are supported by IPA Kerberos "
 "deployments:"
 msgstr ""
+"Les indicateurs d'authentification suivants sont pris en charge par les "
+"déploiements IPA Kerberos :"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1951
@@ -2652,6 +3001,8 @@ msgid ""
 "pkinit -- pre-authentication using X.509 certificates -- whether stored in "
 "files or on smart cards."
 msgstr ""
+"pkinit -- pré-authentification utilisant des certificats X.509 -- qu'ils "
+"soient stockés dans des fichiers ou sur des cartes à puce."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1954
@@ -2659,11 +3010,15 @@ msgid ""
 "hardened -- SPAKE pre-authentication or any pre-authentication wrapped in a "
 "FAST channel."
 msgstr ""
+"durci -- pré-authentification SPAKE ou toute pré-authentification enveloppée "
+"dans un canal FAST."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1957
 msgid "radius -- pre-authentication with the help of a RADIUS server."
 msgstr ""
+"durci -- pré-authentification SPAKE ou toute pré-authentification enveloppée "
+"dans un canal FAST."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1960
@@ -2671,11 +3026,13 @@ msgid ""
 "otp -- pre-authentication using integrated two-factor authentication (2FA or "
 "one-time password, OTP) in IPA."
 msgstr ""
+"otp -- pré-authentification utilisant l'authentification à deux facteurs "
+"intégrée (2FA ou mot de passe à usage unique, OTP) dans IPA."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:1963
 msgid "idp -- pre-authentication using external identity provider."
-msgstr ""
+msgstr "idp -- pré-authentification via un fournisseur d'identité externe."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 #: sssd.conf.5.xml:1973
@@ -2684,6 +3041,8 @@ msgid ""
 "pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit\n"
 " "
 msgstr ""
+"pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit\n"
+" "
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1968
@@ -2692,6 +3051,10 @@ msgid ""
 "their Kerberos tickets with a X.509 certificate pre-authentication (PKINIT), "
 "set <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
+"Exemple : pour limiter l’accès aux services SUDO aux seuls utilisateurs "
+"ayant obtenu leur ticket Kerberos avec une pré-authentification par "
+"certificat X.509 (PKINIT), définissez <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1977
@@ -2699,7 +3062,7 @@ msgstr ""
 #| msgid "Default: not set (no substitution for unset home directories)"
 msgid "Default: not set (use of authentication indicators is not required)"
 msgstr ""
-"Par défaut : non défini (aucune substitution pour les répertoires d'accueil "
+"Par défaut : non défini (aucune substitution pour les répertoires d'accueil "
 "non définis)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
@@ -2711,17 +3074,19 @@ msgstr "ad_gpo_map_service (chaîne)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1985
-#, fuzzy
-#| msgid "Comma separated list of users who are allowed to log in."
 msgid ""
 "Comma separated list of PAM services which can handle the JSON protocol for "
 "selecting authentication mechanisms"
-msgstr "Liste séparée par des virgules d'utilisateurs autorisés à se connecter."
+msgstr ""
+"Liste, séparée par des virgules, des services PAM capables de gérer le "
+"protocole JSON pour la sélection des mécanismes d'authentification."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:1990
 msgid "To disable JSON protocol, set this option to <quote>-</quote> (dash)."
 msgstr ""
+"Pour désactiver le protocole JSON, définissez cette option sur <quote>-</"
+"quote> (tiret)."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
 #: sssd.conf.5.xml:1996
@@ -2749,6 +3114,8 @@ msgid ""
 "Note: 2-Factor Authentication (2FA) is not supported. If 2FA is required, do "
 "not activate the JSON protocol."
 msgstr ""
+"Remarque : L’authentification à deux facteurs (2FA) n’est pas prise en "
+"charge. Si la 2FA est requise, n’activez pas le protocole JSON."
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 #: sssd.conf.5.xml:2013
@@ -2789,7 +3156,7 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2047
 msgid "sudo_threshold (integer)"
-msgstr ""
+msgstr "sudo_threshold (entier)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2050
@@ -2800,6 +3167,12 @@ msgid ""
 "<quote>full refresh</quote> of sudo rules is triggered instead. This "
 "threshold number also applies to IPA sudo command and command group searches."
 msgstr ""
+"Nombre maximal de règles expirées pouvant être actualisées simultanément. Si "
+"ce nombre est inférieur au seuil, les règles sont actualisées via le "
+"mécanisme d'actualisation des règles. Si le seuil est dépassé, une "
+"actualisation complète des règles sudo est déclenchée. Ce seuil s'applique "
+"également aux recherches de commandes et de groupes de commandes sudo dans "
+"l'API IPA."
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 #: sssd.conf.5.xml:2069
@@ -2842,7 +3215,7 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2100
 msgid "ssh_use_certificate_keys (bool)"
-msgstr ""
+msgstr "ssh_use_certificate_keys (booléen)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2103
@@ -2852,11 +3225,16 @@ msgid ""
 "entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
 "refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details."
 msgstr ""
+"Si la valeur est définie sur « true », la commande `sss_ssh_authorizedkeys` "
+"renverra également les clés SSH dérivées de la clé publique des certificats "
+"X.509 stockés dans l'entrée utilisateur. Voir `<citerefentry><refentrytitle>"
+"sss_ssh_authorizedkeys</refentrytitle><manvolnum>1</manvolnum></citerefentry>"
+"` pour plus de détails."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2118
 msgid "ssh_use_certificate_matching_rules (string)"
-msgstr ""
+msgstr "ssh_use_certificate_matching_rules (chaîne)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2121
@@ -2867,6 +3245,11 @@ msgid ""
 "comma separated list of mapping and matching rule names. All other rules "
 "will be ignored."
 msgstr ""
+"Par défaut, le serveur SSH utilise toutes les règles de correspondance de "
+"certificats disponibles pour filtrer les certificats et ne dériver que des "
+"certificats correspondants. Cette option permet de limiter les règles "
+"utilisées à l'aide d'une liste de noms de règles de correspondance séparés "
+"par des virgules. Toutes les autres règles seront ignorées."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2130
@@ -2875,6 +3258,10 @@ msgid ""
 "all or no rules, respectively. The latter means that no certificates will be "
 "filtered out and ssh keys will be generated from all valid certificates."
 msgstr ""
+"Deux mots clés spéciaux, « all_rules » et « no_rules », permettent "
+"respectivement d'activer toutes les règles ou de les désactiver. L'option « "
+"no_rules » signifie qu'aucun certificat ne sera filtré et que les clés SSH "
+"seront générées à partir de tous les certificats valides."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2137
@@ -2884,6 +3271,10 @@ msgid ""
 "the same behavior as for the PAM responder if certificate authentication is "
 "enabled."
 msgstr ""
+"Si aucune règle n'est configurée, l'option « all_rules » active une règle "
+"par défaut autorisant tous les certificats compatibles avec "
+"l'authentification du client. Ce comportement est identique à celui du "
+"répondeur PAM lorsque l'authentification par certificat est activée."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2144
@@ -2891,6 +3282,9 @@ msgid ""
 "A non-existing rule name is considered an error. If as a result no rule is "
 "selected all certificates will be ignored."
 msgstr ""
+"Un nom de règle inexistant est considéré comme une erreur. Si, par "
+"conséquent, aucune règle n'est sélectionnée, tous les certificats seront "
+"ignorés."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2149
@@ -2898,11 +3292,13 @@ msgid ""
 "Default: not set, equivalent to 'all_rules', all found rules or the default "
 "rule are used"
 msgstr ""
+"Valeur par défaut : non définie, équivalent à « all_rules », toutes les "
+"règles trouvées ou la règle par défaut sont utilisées"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2155
 msgid "ca_db (string)"
-msgstr ""
+msgstr "ca_db (chaîne)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2158
@@ -2910,6 +3306,9 @@ msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
+"Chemin d'accès à un répertoire de certificats d'autorité de certification de "
+"confiance. Cette option permet de valider les certificats utilisateur avant "
+"d'en dériver les clés SSH publiques."
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 #: sssd.conf.5.xml:2178
@@ -2926,6 +3325,13 @@ msgid ""
 "joined to and of remote trusted domains from the local domain controller. If "
 "the PAC is decoded and evaluated some of the following operations are done:"
 msgstr ""
+"Le répondeur PAC fonctionne conjointement avec le plugin de données "
+"d'autorisation pour MIT Kerberos sssd_pac_plugin.so et un fournisseur de "
+"sous-domaine. Le plugin envoie les données PAC au répondeur PAC lors d'une "
+"authentification GSSAPI. Le fournisseur de sous-domaine collecte les plages "
+"SID et ID du domaine auquel le client est rattaché, ainsi que celles des "
+"domaines distants de confiance, auprès du contrôleur de domaine local. Si le "
+"PAC est décodé et évalué, les opérations suivantes sont effectuées :"
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:2189
@@ -2937,6 +3343,12 @@ msgid ""
 "the system defaults are used, but can be overwritten with the default_shell "
 "parameter."
 msgstr ""
+"Si l'utilisateur distant n'est pas présent dans le cache, il est créé. L'UID "
+"est déterminé à l'aide du SID ; les domaines de confiance possèdent un UPG "
+"et le GID a la même valeur que l'UID. Le répertoire personnel est défini en "
+"fonction du paramètre `subdomain_homedir`. Par défaut, l'interpréteur de "
+"commandes est vide (les commandes système par défaut sont utilisées), mais "
+"il est possible de le remplacer avec le paramètre `default_shell`."
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
 #: sssd.conf.5.xml:2197
@@ -3024,7 +3436,7 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2240
 msgid "pac_lifetime (integer)"
-msgstr ""
+msgstr "pac_lifetime (entier)"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2243
@@ -3032,6 +3444,9 @@ msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
+"Durée de vie de l'entrée PAC en secondes. Tant que le PAC est valide, ses "
+"données peuvent être utilisées pour déterminer les groupes auxquels "
+"appartient un utilisateur."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2253
@@ -3050,6 +3465,13 @@ msgid ""
 "IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will "
 "be skipped."
 msgstr ""
+"Effectuez des vérifications supplémentaires sur le PAC du ticket Kerberos, "
+"disponible dans les domaines Active Directory et FreeIPA, le cas échéant. "
+"Veuillez noter que la validation du ticket Kerberos doit être activée pour "
+"pouvoir vérifier le PAC ; autrement dit, l’option `krb5_validate` doit être "
+"définie sur « True », valeur par défaut pour les fournisseurs IPA et AD. Si "
+"`krb5_validate` est définie sur « False », les vérifications du PAC seront "
+"ignorées."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2266
@@ -3058,11 +3480,16 @@ msgid ""
 "Directory or recent versions of FreeIPA. PACs issued e.g. by a plain MIT "
 "Kerberos KDC will not contain the needed PAC data buffers to run the checks."
 msgstr ""
+"Veuillez noter que les vérifications ci-dessous ne s'appliquent qu'aux "
+"fichiers PAC émis par Active Directory ou les versions récentes de FreeIPA. "
+"Les fichiers PAC émis, par exemple, par un contrôleur de domaine Kerberos "
+"MIT standard ne contiennent pas les tampons de données nécessaires à "
+"l'exécution de ces vérifications."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2277
 msgid "no_check"
-msgstr ""
+msgstr "pas de vérification"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2279
@@ -3070,11 +3497,13 @@ msgid ""
 "The PAC must not be present and even if it is present no additional checks "
 "will be done."
 msgstr ""
+"Le PAC ne doit pas être présent et, même s'il est présent, aucun contrôle "
+"supplémentaire ne sera effectué."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2285
 msgid "pac_present"
-msgstr ""
+msgstr "pac_présent"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2287
@@ -3083,11 +3512,13 @@ msgid ""
 "the help of the user's TGT. If the PAC is not available the authentication "
 "will fail."
 msgstr ""
+"Le PAC doit figurer dans le ticket de service que SSSD demandera à l'aide du "
+"TGT de l'utilisateur. Si le PAC est absent, l'authentification échouera."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2295
 msgid "check_upn"
-msgstr ""
+msgstr "check_upn"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2297
@@ -3095,11 +3526,13 @@ msgid ""
 "If the PAC is present check if the user principal name (UPN) information is "
 "consistent."
 msgstr ""
+"Si le PAC est présent, vérifiez si les informations du nom principal de "
+"l'utilisateur (UPN) sont cohérentes."
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2303
 msgid "check_upn_allow_missing"
-msgstr ""
+msgstr "check_upn_autoriser_manquant"
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2305
@@ -3112,6 +3545,14 @@ msgid ""
 "time and FreeIPA can handle enterprise principals just fine and there is no "
 "need anymore to set 'ldap_user_principal'."
 msgstr ""
+"Cette option doit être utilisée conjointement avec « check_upn » et gère le "
+"cas où un UPN est défini côté serveur mais n'est pas lu par SSSD. L'exemple "
+"typique est celui d'un domaine FreeIPA où « ldap_user_principal » est défini "
+"sur un nom d'attribut inexistant. Cette pratique était courante pour "
+"contourner les problèmes de gestion des principaux d'entreprise. Cependant, "
+"ce problème est résolu depuis longtemps et FreeIPA gère parfaitement les "
+"principaux d'entreprise ; il n'est donc plus nécessaire de définir « "
+"ldap_user_principal »."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2317
@@ -3123,21 +3564,29 @@ msgid ""
 "can be removed. If this is not possible, removing 'check_upn' will skip the "
 "test and avoid the log message."
 msgstr ""
+"Actuellement, cette option est activée par défaut afin d'éviter les "
+"régressions dans ces environnements. Un message sera ajouté au journal "
+"système et au journal de débogage de SSSD si un UPN est trouvé dans le PAC "
+"mais pas dans le cache de SSSD. Pour éviter ce message, il serait préférable "
+"d'évaluer si l'option « ldap_user_principal » peut être supprimée. Si cela "
+"n'est pas possible, la suppression de « check_upn » permettra d'ignorer le "
+"test et d'éviter l'affichage du message."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2331
 msgid "upn_dns_info_present"
-msgstr ""
+msgstr "upn_dns_info_présent"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2333
 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'."
 msgstr ""
+"Le PAC doit contenir le tampon UPN-DNS-INFO, ce qui implique 'check_upn'."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2338
 msgid "check_upn_dns_info_ex"
-msgstr ""
+msgstr "check_upn_dns_info_ex"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2340
@@ -3145,11 +3594,14 @@ msgid ""
 "If the PAC is present and the extension to the UPN-DNS-INFO buffer is "
 "available check if the information in the extension is consistent."
 msgstr ""
+"Si le PAC est présent et que l'extension du tampon UPN-DNS-INFO est "
+"disponible, vérifiez si les informations contenues dans l'extension sont "
+"cohérentes."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2347
 msgid "upn_dns_info_ex_present"
-msgstr ""
+msgstr "upn_dns_info_ex_présent"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2349
@@ -3157,6 +3609,8 @@ msgid ""
 "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies "
 "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'."
 msgstr ""
+"Le PAC doit contenir l'extension du tampon UPN-DNS-INFO, ce qui implique "
+"'check_upn_dns_info_ex', 'upn_dns_info_present' et 'check_upn'."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2273
@@ -3177,11 +3631,13 @@ msgid ""
 "Default: no_check (AD and IPA provider 'check_upn, check_upn_allow_missing, "
 "check_upn_dns_info_ex')"
 msgstr ""
+"Par défaut : no_check (fournisseur AD et IPA : « check_upn, "
+"check_upn_allow_missing, check_upn_dns_info_ex »)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
 #: sssd.conf.5.xml:2368
 msgid "Session recording configuration options"
-msgstr ""
+msgstr "options de configuration de l'enregistrement de session"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:2370
@@ -3192,31 +3648,35 @@ msgid ""
 "they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-"
 "session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 msgstr ""
+"L'enregistrement de session fonctionne conjointement avec `tlog-rec-"
+"session`, un composant du paquet `tlog`, pour enregistrer ce que les "
+"utilisateurs voient et saisissent lorsqu'ils se connectent à un terminal "
+"texte. Voir aussi `sssd-session-recording`."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:2383
 msgid "These options can be used to configure session recording."
-msgstr ""
+msgstr "Ces options permettent de configurer l'enregistrement de session."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:64
 msgid "scope (string)"
-msgstr ""
+msgstr "portée (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:71
 msgid "\"none\""
-msgstr ""
+msgstr "\"aucun\""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2397 sssd-session-recording.5.xml:74
 msgid "No users are recorded."
-msgstr ""
+msgstr "Aucun utilisateur n'est enregistré."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:79
 msgid "\"some\""
-msgstr ""
+msgstr "\"quelques\""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2405 sssd-session-recording.5.xml:82
@@ -3224,16 +3684,18 @@ msgid ""
 "Users/groups specified by <replaceable>users</replaceable> and "
 "<replaceable>groups</replaceable> options are recorded."
 msgstr ""
+"Les utilisateurs/groupes spécifiés par les options <replaceable>users</"
+"replaceable> et <replaceable>groups</replaceable> sont enregistrés."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2414 sssd-session-recording.5.xml:91
 msgid "\"all\""
-msgstr ""
+msgstr "\"tout\""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2417 sssd-session-recording.5.xml:94
 msgid "All users are recorded."
-msgstr ""
+msgstr "Tous les utilisateurs sont enregistrés."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2390 sssd-session-recording.5.xml:67
@@ -3241,16 +3703,18 @@ msgid ""
 "One of the following strings specifying the scope of session recording: "
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
+"L'une des chaînes suivantes spécifiant la portée de l'enregistrement de "
+"session : <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2424 sssd-session-recording.5.xml:101
 msgid "Default: \"none\""
-msgstr ""
+msgstr "Valeur par défaut : « aucune »"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2429 sssd-session-recording.5.xml:106
 msgid "users (string)"
-msgstr ""
+msgstr "utilisateurs (chaîne de caractères)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:109
@@ -3259,16 +3723,20 @@ msgid ""
 "Matches user names as returned by NSS. I.e. after the possible space "
 "replacement, case changes, etc."
 msgstr ""
+"Liste d'utilisateurs, séparés par des virgules, pour lesquels "
+"l'enregistrement de session doit être activé. Les noms d'utilisateur doivent "
+"correspondre à ceux renvoyés par NSS, c'est-à-dire après les éventuelles "
+"modifications d'espaces, de casse, etc."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2438 sssd-session-recording.5.xml:115
 msgid "Default: Empty. Matches no users."
-msgstr ""
+msgstr "Valeur par défaut : vide. Ne correspond à aucun utilisateur."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2443 sssd-session-recording.5.xml:120
 msgid "groups (string)"
-msgstr ""
+msgstr "groupes (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2446 sssd-session-recording.5.xml:123
@@ -3277,6 +3745,10 @@ msgid ""
 "recording enabled. Matches group names as returned by NSS. I.e. after the "
 "possible space replacement, case changes, etc."
 msgstr ""
+"Liste de groupes, séparés par des virgules, dont les membres doivent avoir "
+"l'enregistrement de session activé. Les noms de groupes doivent correspondre "
+"à ceux renvoyés par NSS, c'est-à-dire après les éventuelles modifications "
+"d'espaces, de casse, etc."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2452 sssd.conf.5.xml:2484 sssd-session-recording.5.xml:129
@@ -3286,11 +3758,15 @@ msgid ""
 "performance cost, because each uncached request for a user requires "
 "retrieving and matching the groups the user is member of."
 msgstr ""
+"REMARQUE : l'utilisation de cette option (quelle que soit sa valeur) a un "
+"coût considérable en termes de performances, car chaque requête non mise en "
+"cache pour un utilisateur nécessite de récupérer et de faire correspondre "
+"les groupes auxquels l'utilisateur appartient."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2459 sssd-session-recording.5.xml:136
 msgid "Default: Empty. Matches no groups."
-msgstr ""
+msgstr "Valeur par défaut : vide. Ne correspond à aucun groupe."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2464 sssd-session-recording.5.xml:141
@@ -3305,13 +3781,15 @@ msgid ""
 "A comma-separated list of users to be excluded from recording, only "
 "applicable with 'scope=all'."
 msgstr ""
+"Liste d'utilisateurs séparés par des virgules à exclure de l'enregistrement, "
+"applicable uniquement avec 'scope=all'."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2471 sssd-session-recording.5.xml:148
 #, fuzzy
 #| msgid "Default: empty, i.e. ldap_uri is used."
 msgid "Default: Empty. No users excluded."
-msgstr "Par défaut : vide, ldap_uri est donc utilisé."
+msgstr "Par défaut : vide, ldap_uri est donc utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2476 sssd-session-recording.5.xml:153
@@ -3326,13 +3804,15 @@ msgid ""
 "A comma-separated list of groups, members of which should be excluded from "
 "recording. Only applicable with 'scope=all'."
 msgstr ""
+"Liste de groupes, séparés par des virgules, dont les membres doivent être "
+"exclus de l'enregistrement. Applicable uniquement avec « scope=all »."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2491 sssd-session-recording.5.xml:168
 #, fuzzy
 #| msgid "Default: empty, i.e. ldap_uri is used."
 msgid "Default: Empty. No groups excluded."
-msgstr "Par défaut : vide, ldap_uri est donc utilisé."
+msgstr "Par défaut : vide, ldap_uri est donc utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd.conf.5.xml:2501
@@ -3343,7 +3823,7 @@ msgstr "SECTIONS DOMAINES"
 #: sssd.conf.5.xml:2508 sssd.conf.5.xml:3964 sssd.conf.5.xml:3965
 #: sssd.conf.5.xml:3968
 msgid "enabled"
-msgstr ""
+msgstr "activé"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2511
@@ -3354,11 +3834,15 @@ msgid ""
 "enabled only if it is listed in the domains option in the <quote>[sssd]</"
 "quote> section."
 msgstr ""
+"Activez ou désactivez explicitement le domaine. Si la valeur est « true », "
+"le domaine est toujours activé. Si la valeur est « false », le domaine est "
+"toujours désactivé. Si cette option n'est pas définie, le domaine est activé "
+"uniquement s'il figure dans l'option « domains » de la section « [sssd] »."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2523
 msgid "domain_type (string)"
-msgstr ""
+msgstr "type_domaine (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2526
@@ -3368,6 +3852,10 @@ msgid ""
 "be present or generated. Only objects from POSIX domains are available to "
 "the operating system interfaces and utilities."
 msgstr ""
+"Indique si le domaine est destiné à être utilisé par des clients compatibles "
+"POSIX, tels que le commutateur de service de noms, ou par des applications "
+"qui n'ont pas besoin de données POSIX. Seuls les objets des domaines POSIX "
+"sont accessibles aux interfaces et utilitaires du système d'exploitation."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2534
@@ -3375,6 +3863,8 @@ msgid ""
 "Allowed values for this option are <quote>posix</quote> and "
 "<quote>application</quote>."
 msgstr ""
+"Les valeurs autorisées pour cette option sont <quote>posix</quote> et <quote>"
+"application</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2538
@@ -3384,6 +3874,10 @@ msgid ""
 "<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </"
 "citerefentry>) and the PAM responder."
 msgstr ""
+"Les domaines POSIX sont accessibles par tous les services. Les domaines "
+"d'application ne sont accessibles que depuis le répondeur InfoPipe (voir "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>) et le répondeur PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2546
@@ -3391,6 +3885,8 @@ msgid ""
 "NOTE: The application domains are currently well tested with "
 "<quote>id_provider=ldap</quote> only."
 msgstr ""
+"REMARQUE : Les domaines d'application sont actuellement bien testés avec "
+"<quote>id_provider=ldap</quote> uniquement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2550
@@ -3398,11 +3894,13 @@ msgid ""
 "For an easy way to configure a non-POSIX domains, please see the "
 "<quote>Application domains</quote> section."
 msgstr ""
+"Pour configurer facilement un domaine non-POSIX, veuillez consulter la "
+"section <quote>Domaines d'application</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2554
 msgid "Default: posix"
-msgstr ""
+msgstr "Par défaut : posix"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2560
@@ -3458,6 +3956,10 @@ msgid ""
 "enable enumeration in order for secondary groups to be displayed. This "
 "parameter can have one of the following values:"
 msgstr ""
+"Détermine si un domaine peut être énuméré, c'est-à-dire s'il peut lister "
+"tous les utilisateurs et groupes qu'il contient. Notez que l'activation de "
+"l'énumération n'est pas nécessaire pour que les groupes secondaires "
+"s'affichent. Ce paramètre peut prendre l'une des valeurs suivantes :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2596
@@ -3480,6 +3982,8 @@ msgid ""
 "Enumerating a domain requires SSSD to download and store ALL user and group "
 "entries from the remote server."
 msgstr ""
+"L'énumération d'un domaine nécessite que SSSD télécharge et stocke TOUTES "
+"les entrées d'utilisateurs et de groupes depuis le serveur distant."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2610
@@ -3487,6 +3991,8 @@ msgid ""
 "Feature is only supported for domains with id_provider = ldap or id_provider "
 "= proxy."
 msgstr ""
+"Cette fonctionnalité est uniquement prise en charge pour les domaines avec "
+"id_provider = ldap ou id_provider = proxy."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2614
@@ -3501,6 +4007,16 @@ msgid ""
 "quote> process becoming unresponsive or even restarted by the internal "
 "watchdog."
 msgstr ""
+"Remarque : L’activation de l’énumération a un impact important sur les "
+"performances de SSSD pendant son exécution. L’énumération complète peut "
+"prendre jusqu’à plusieurs minutes après le démarrage de SSSD. Pendant ce "
+"temps, les requêtes d’information individuelles seront directement envoyées "
+"à LDAP, mais le traitement peut être lent en raison de l’important volume de "
+"données nécessaires à l’énumération. L’enregistrement d’un grand nombre "
+"d’entrées dans le cache après l’énumération peut également solliciter "
+"fortement le processeur, car les appartenances doivent être recalculées. "
+"Cela peut entraîner le blocage du processus `sssd_be` ou même son "
+"redémarrage par le système de surveillance interne."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2629
@@ -3542,6 +4058,10 @@ msgid ""
 "'libnss_files' and 'libnss_ldap'. 3rd party modules must follow the "
 "documented behavior of nss modules to be used in this configuration."
 msgstr ""
+"Remarque : le fournisseur de proxy est testé avec des modules open source "
+"tels que « libnss_files » et « libnss_ldap ». Les modules tiers doivent "
+"respecter le comportement documenté des modules nss pour être utilisés dans "
+"cette configuration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2656
@@ -3646,7 +4166,7 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2734
 msgid "entry_cache_resolver_timeout (integer)"
-msgstr ""
+msgstr "délai_d'expiration_du_résolveur_cache_d'entrée (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2737
@@ -3654,6 +4174,8 @@ msgid ""
 "How many seconds should nss_sss consider hosts and networks entries valid "
 "before asking the backend again"
 msgstr ""
+"Combien de secondes nss_sss doit-il considérer les entrées hôtes et réseaux "
+"comme valides avant d'interroger à nouveau le serveur ?"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2748
@@ -3700,7 +4222,7 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2789
 msgid "entry_cache_computer_timeout (integer)"
-msgstr ""
+msgstr "délai_d'expiration_ordinateur_cache_entrée (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2792
@@ -3708,6 +4230,8 @@ msgid ""
 "How many seconds to keep the local computer entry before asking the backend "
 "again"
 msgstr ""
+"Combien de secondes faut-il conserver l’entrée de l’ordinateur local avant "
+"de redemander les informations au serveur backend"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2802
@@ -3732,11 +4256,17 @@ msgid ""
 "user, typically ran at login) operation in the past, both the user entry "
 "and the group membership are updated."
 msgstr ""
+"L'actualisation en arrière-plan traitera les utilisateurs, les groupes et "
+"les groupes réseau présents dans le cache. Pour les utilisateurs ayant déjà "
+"effectué l'opération initgroups (obtention de l'appartenance à un groupe, "
+"généralement exécutée lors de la connexion), leur fiche utilisateur et leur "
+"appartenance à un groupe seront mises à jour."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2818
 msgid "This option is automatically inherited for all trusted domains."
 msgstr ""
+"Cette option est automatiquement héritée pour tous les domaines de confiance."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2822
@@ -3755,6 +4285,15 @@ msgid ""
 "offline mode operation and reuse of existing valid cache entries. To make "
 "this change instant the user may want to manually invalidate existing cache."
 msgstr ""
+"L'entrée du cache sera actualisée par une tâche en arrière-plan lorsque les "
+"deux tiers du délai d'expiration du cache seront écoulés. Si des entrées "
+"sont déjà en cache, la tâche en arrière-plan utilisera leurs valeurs de "
+"délai d'expiration d'origine plutôt que la valeur de configuration actuelle. "
+"Il est possible que l'actualisation en arrière-plan semble alors ne pas "
+"fonctionner. Ce comportement est intentionnel afin d'optimiser le "
+"fonctionnement hors ligne et la réutilisation des entrées de cache valides. "
+"Pour une mise à jour instantanée, l'utilisateur peut invalider manuellement "
+"le cache existant."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2839 sssd-ldap.5.xml:406 sssd-ldap.5.xml:1834
@@ -3777,6 +4316,14 @@ msgid ""
 "as a successful online authentication is recorded in the cache without "
 "additional configuration."
 msgstr ""
+"Détermine si les informations d'identification de l'utilisateur sont "
+"également mises en cache dans le cache LDB local. Les informations "
+"d'identification mises en cache concernent les mots de passe, y compris le "
+"premier facteur (à long terme) de l'authentification à deux facteurs, et non "
+"les autres mécanismes d'authentification. L'authentification par mot de "
+"passe et par carte à puce devrait fonctionner hors ligne dès lors qu'une "
+"authentification en ligne réussie est enregistrée dans le cache sans "
+"configuration supplémentaire."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2859
@@ -3786,11 +4333,16 @@ msgid ""
 "get access to a cache file (normally requires privileged access) and to "
 "break a password using brute force attack."
 msgstr ""
+"Notez que même si les identifiants sont stockés sous forme de hachage SHA512 "
+"salé, cela présente toujours un risque potentiel pour la sécurité si un "
+"attaquant parvient à accéder à un fichier cache (ce qui nécessite "
+"normalement un accès privilégié) et à casser un mot de passe à l'aide d'une "
+"attaque par force brute."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2873
 msgid "cache_credentials_minimal_first_factor_length (int)"
-msgstr ""
+msgstr "cache_credentials_minimal_first_factor_length (int)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2876
@@ -3799,6 +4351,11 @@ msgid ""
 "this value determines the minimal length the first authentication factor "
 "(long term password) must have to be saved as SHA512 hash into the cache."
 msgstr ""
+"Si l'authentification à deux facteurs (2FA) est utilisée et que les "
+"informations d'identification doivent être enregistrées, cette valeur "
+"détermine la longueur minimale que le premier facteur d'authentification "
+"(mot de passe à long terme) doit avoir pour être enregistré sous forme de "
+"hachage SHA512 dans le cache."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2883
@@ -3806,6 +4363,9 @@ msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
+"Cela devrait éviter que les codes PIN courts d'un système d'authentification "
+"à deux facteurs basé sur un code PIN ne soient enregistrés dans le cache, ce "
+"qui en ferait des cibles faciles pour les attaques par force brute."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:2894
@@ -3869,7 +4429,7 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2940
 msgid "<quote>proxy</quote>: Support a legacy NSS provider."
-msgstr ""
+msgstr "<quote>proxy</quote> : Prise en charge d’un fournisseur NSS hérité."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:2943
@@ -3985,6 +4545,8 @@ msgid ""
 "Default: FALSE (TRUE for trusted domain/sub-domains or if "
 "default_domain_suffix is used)"
 msgstr ""
+"Valeur par défaut : FAUX (VRAI pour les domaines/sous-domaines de confiance "
+"ou si default_domain_suffix est utilisé)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:3009
@@ -4007,6 +4569,13 @@ msgid ""
 "citerefentry>. As an effect, <quote>getent group $groupname</quote> would "
 "return the requested group as if it was empty."
 msgstr ""
+"Si la valeur est TRUE, l'attribut d'appartenance au groupe n'est pas demandé "
+"au serveur LDAP et les membres du groupe ne sont pas renvoyés lors du "
+"traitement des appels de recherche de groupe, tels que `<citerefentry> "
+"<refentrytitle>getgrnam</refentrytitle> <manvolnum>3</manvolnum> </"
+"citerefentry>` ou `<citerefentry> <refentrytitle>getgrgid</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry>`. Par conséquent, `<quote>getent "
+"group $groupname</quote>` renverra le groupe demandé comme s'il était vide."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:3033
@@ -4015,6 +4584,9 @@ msgid ""
 "membership significantly faster, especially for groups containing many "
 "members."
 msgstr ""
+"L'activation de cette option peut également accélérer considérablement les "
+"vérifications d'appartenance au groupe effectuées par les fournisseurs "
+"d'accès, notamment pour les groupes comportant de nombreux membres."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:3039 sssd.conf.5.xml:3767 sssd-ldap.5.xml:401
@@ -4025,6 +4597,8 @@ msgid ""
 "This option can be also set per subdomain or inherited via "
 "<emphasis>subdomain_inherit</emphasis>."
 msgstr ""
+"Cette option peut également être définie par sous-domaine ou héritée via "
+"<emphasis>subdomain_inherit</emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:3049
@@ -4150,11 +4724,16 @@ msgid ""
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
 "citerefentry> for more information on configuring Kerberos."
 msgstr ""
+"<quote>krb5</quote> : Contrôle d'accès basé sur .k5login. Voir "
+"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> pour plus d'informations sur la configuration de "
+"Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:3160
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
+"<quote>proxy</quote> pour relayer le contrôle d'accès à un autre module PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:3163
@@ -4182,6 +4761,8 @@ msgid ""
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
 "manvolnum> </citerefentry> for more information on configuring LDAP."
 msgstr ""
+"Utilisez LDAP pour modifier un mot de passe stocké sur un serveur LDAP. "
+"Consultez sssd-ldap pour plus d'informations sur la configuration de LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:3184
@@ -4275,7 +4856,7 @@ msgid ""
 "Default: The value of <quote>id_provider</quote> is used if it is set and "
 "can handle sudo requests."
 msgstr ""
-"Par défaut : <quote>id_provider</quote> est utilisé s'il est défini et peut "
+"Par défaut : <quote>id_provider</quote> est utilisé s'il est défini et peut "
 "gérer le chargement selinux"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
@@ -4288,6 +4869,12 @@ msgid ""
 "\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
 "<manvolnum>5</manvolnum> </citerefentry>."
 msgstr ""
+"Les instructions détaillées pour la configuration de sudo_provider se "
+"trouvent dans la page de manuel <citerefentry> <refentrytitle>sssd-sudo</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>. De nombreuses "
+"options de configuration permettent d'ajuster son comportement. Veuillez "
+"vous référer à « ldap_sudo_* » dans <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:3268
@@ -4297,6 +4884,10 @@ msgid ""
 "<emphasis>sudo_provider = None</emphasis> to disable all sudo-related "
 "activity in SSSD if you do not want to use sudo with SSSD at all."
 msgstr ""
+"Remarque : les règles sudo sont téléchargées périodiquement en arrière-plan, "
+"sauf si le fournisseur sudo est explicitement désactivé. Définissez "
+"`sudo_provider = None` pour désactiver toute activité liée à sudo dans SSSD "
+"si vous ne souhaitez pas utiliser sudo avec SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:3278
@@ -4377,6 +4968,10 @@ msgid ""
 "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
 "the AD provider."
 msgstr ""
+"Utilisez la commande `<quote>ad</quote>` pour charger une liste de sous-"
+"domaines à partir d'un serveur Active Directory. Consultez `<citerefentry>"
+"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum></citerefentry>"
+"` pour plus d'informations sur la configuration du fournisseur AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:3331
@@ -4394,13 +4989,13 @@ msgid ""
 "Default: The value of <quote>id_provider</quote> is used if it is set and "
 "can handle subdomain requests."
 msgstr ""
-"Par défaut : <quote>id_provider</quote> est utilisé s'il est défini et peut "
+"Par défaut : <quote>id_provider</quote> est utilisé s'il est défini et peut "
 "gérer le chargement selinux"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd.conf.5.xml:3341
 msgid "session_provider (string)"
-msgstr ""
+msgstr "fournisseur_de_session (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:3344
@@ -4409,24 +5004,31 @@ msgid "" "only user session task currently provided is the integration with Fleet " "Commander, which works only with IPA. Supported session providers are:" msgstr "" +"Le fournisseur qui configure et gère les tâches liées aux sessions " +"utilisateur. La seule tâche de session utilisateur actuellement disponible " +"est l'intégration avec Fleet Commander, qui fonctionne uniquement avec IPA. " +"Les fournisseurs de session pris en charge sont :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3351 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" +"<quote>ipa</quote> pour permettre l'exécution de tâches liées à la session " +"utilisateur." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3355 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" +"<quote>none</quote> n'effectue aucune tâche liée à la session utilisateur." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3359 #, fuzzy #| msgid "Default: <quote>permit</quote>" msgid "Default: <quote>none</quote>." -msgstr "Par défaut : <quote>permit</quote>" +msgstr "Par défaut : <quote>permit</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3365 
@@ -4472,6 +5074,10 @@ msgid "" "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring the AD provider." msgstr "" +"Utilisez la commande `<quote>ad</quote>` pour charger les cartes stockées " +"sur un serveur AD. Consultez `<citerefentry><refentrytitle>sssd-ad</" +"refentrytitle><manvolnum>5</manvolnum></citerefentry>` pour plus " +"d'informations sur la configuration du fournisseur AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3396 @@ -4488,7 +5094,7 @@ msgid "" "Default: The value of <quote>id_provider</quote> is used if it is set and " "can handle autofs requests." msgstr "" -"Par défaut : <quote>id_provider</quote> est utilisé s'il est défini et peut " +"Par défaut : <quote>id_provider</quote> est utilisé s'il est défini et peut " "gérer les requêtes d'authentification." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> @@ -4532,13 +5138,13 @@ msgid "" "Default: The value of <quote>id_provider</quote> is used if it is set and " "can handle hostid requests." msgstr "" -"Par défaut : <quote>id_provider</quote> est utilisé s'il est défini et peut " +"Par défaut : <quote>id_provider</quote> est utilisé s'il est défini et peut " "gérer les requêtes d'authentification." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3431 msgid "resolver_provider (string)" -msgstr "" +msgstr "fournisseur_de_résolution (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3434 
@@ -4546,6 +5152,8 @@ msgid "" "The provider which should handle hosts and networks lookups. Supported " "resolver providers are:" msgstr "" +"Le fournisseur qui doit gérer les recherches d'hôtes et de réseaux. Les " +"fournisseurs de résolution pris en charge sont :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3438 @@ -4553,6 +5161,8 @@ msgid "" "<quote>proxy</quote> to forward lookups to another NSS library. See " "<quote>proxy_resolver_lib_name</quote>" msgstr "" +"Utilisez un proxy pour rediriger les recherches vers une autre bibliothèque " +"NSS. Voir <quote>proxy_resolver_lib_name</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3442 @@ -4561,6 +5171,8 @@ msgid "" "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring LDAP." msgstr "" +"Utilisez LDAP pour récupérer les hôtes et les réseaux stockés dans LDAP. " +"Consultez sssd-ldap pour plus d'informations sur la configuration de LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3449 
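Review bot: The added msgstr for the proxy entry, `"Utilisez un proxy pour rediriger les recherches vers une autre bibliothèque "`, drops the `<quote>proxy</quote>` element, so the French text no longer shows that `proxy` is the literal value to set. The next hunk on this line does the same for `<quote>ldap</quote>` and also replaces the `<citerefentry>` reference to sssd-ldap(5) with the plain word `sssd-ldap`. Keeping the msgid's inline elements, for example `"<quote>proxy</quote> pour rediriger les recherches vers une autre bibliothèque "`, would match the `<quote>none</quote>` entry added in a later hunk.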
@@ -4570,11 +5182,17 @@ msgid "" "manvolnum> </citerefentry> for more information on configuring the AD " "provider." msgstr "" +"Utilisez `<quote>ad</quote>` pour récupérer les hôtes et les réseaux stockés " +"dans Active Directory. Consultez `<citerefentry> <refentrytitle>sssd-ad</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>` pour plus " +"d'informations sur la configuration du fournisseur Active Directory." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3457 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly." msgstr "" +"<quote>none</quote> interdit la récupération explicite des hôtes et des " +"réseaux." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3460 @@ -4586,7 +5204,7 @@ msgid "" "Default: The value of <quote>id_provider</quote> is used if it is set and " "can handle resolver requests." msgstr "" -"Par défaut : <quote>id_provider</quote> est utilisé s'il est défini et peut " +"Par défaut : <quote>id_provider</quote> est utilisé s'il est défini et peut " "gérer les requêtes d'authentification." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> 
@@ -4617,10 +5235,10 @@ msgid "" "Default: <quote>^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>" "[^@]+))$</quote> which allows two different styles for user names:" msgstr "" -"Valeur par défaut pour les fournisseurs AD et IPA : <quote>((" +"Valeur par défaut pour les fournisseurs AD et IPA : <quote>((" "(?P<domain>[^\\\\]+)\\\\(?P<name>.+$))|((?P<name>[^@]+)@" "(?P<domain>.+$))|(^(?P<name>[^@\\\\]+)$))</quote> qui utilisent " -"trois styles différents pour les noms d'utilisateurs :" +"trois styles différents pour les noms d'utilisateurs :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3484 sssd.conf.5.xml:3498 @@ -4646,10 +5264,10 @@ msgid "" "P<name>[^@\\\\]+)))$</quote> which allows three different styles for " "user names:" msgstr "" -"Valeur par défaut pour les fournisseurs AD et IPA : <quote>((" +"Valeur par défaut pour les fournisseurs AD et IPA : <quote>((" "(?P<domain>[^\\\\]+)\\\\(?P<name>.+$))|((?P<name>[^@]+)@" "(?P<domain>.+$))|(^(?P<name>[^@\\\\]+)$))</quote> qui utilisent " -"trois styles différents pour les noms d'utilisateurs :" +"trois styles différents pour les noms d'utilisateurs :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3504 
@@ -4675,6 +5293,11 @@ msgid "" "allowed in Windows group names). If a user wishes to use short names with " "<quote>@</quote> they must create their own re_expression." msgstr "" +"The default re_expression uses the <quote>@</quote> character as a separator " +"between the name and the domain. As a result of this setting the default " +"does not accept the <quote>@</quote> character in short names (as it is " +"allowed in Windows group names). If a user wishes to use short names with " +"<quote>@</quote> they must create their own re_expression." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3564 @@ -4744,12 +5367,16 @@ msgid "" "Defines the amount of time (in milliseconds) SSSD would try to talk to DNS " "server before trying next DNS server." msgstr "" +"Définit la durée (en millisecondes) pendant laquelle SSSD tentera de " +"communiquer avec un serveur DNS avant d'essayer un autre serveur DNS." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3606 msgid "" "The AD provider will use this option for the CLDAP ping timeouts as well." msgstr "" +"Le fournisseur AD utilisera également cette option pour les délais d'attente " +"de ping CLDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3610 sssd.conf.5.xml:3630 sssd.conf.5.xml:3651 @@ -4757,6 +5384,8 @@ msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" +"Veuillez consulter la section <quote>BAILOVER</quote> pour plus " +"d'informations sur la résolution du service." #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3615 sssd-ldap.5.xml:700 include/failover.xml:84 
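Review bot: The added line `"Veuillez consulter la section <quote>BAILOVER</quote> pour plus "` misspells the section name that the msgid gives as `<quote>FAILOVER</quote>`, so the cross-reference presumably matches no heading on the page. It should read `<quote>FAILOVER</quote>`, or the French title of that section if the file translates it elsewhere (not visible in this hunk). The first hunk on this line also adds an msgstr for the re_expression paragraph that is a word-for-word copy of the English msgid. Leaving it as `msgstr ""` would keep the entry counted as untranslated instead of done.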
@@ -4777,6 +5406,9 @@ msgid "" "(e.g. resolution of a hostname or an SRV record) before trying the next " "hostname or DNS discovery." msgstr "" +"Définit le temps (en secondes) à attendre pour résoudre une seule requête " +"DNS (par exemple, la résolution d'un nom d'hôte ou d'un enregistrement SRV) " +"avant de tenter la découverte du nom d'hôte ou du DNS suivant." #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3635 include/failover.xml:100 @@ -4796,6 +5428,9 @@ msgid "" "If this timeout is reached, the domain will continue to operate in offline " "mode." msgstr "" +"Définit le délai (en secondes) d'attente d'une réponse du service de " +"basculement interne avant de considérer le service comme injoignable. Si ce " +"délai est atteint, le domaine continuera de fonctionner en mode hors ligne." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3662 @@ -4811,6 +5446,9 @@ msgid "" "\"search\" directive from the resolv.conf file. This can lead to delays in " "environments with improperly configured DNS." msgstr "" +"Normalement, le résolveur DNS interroge la liste de domaines définie dans la " +"directive « search » du fichier resolv.conf. Cela peut entraîner des délais " +"dans les environnements où le DNS est mal configuré." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3671 @@ -4819,6 +5457,9 @@ msgid "" "configuration, setting this option to FALSE can prevent unnecessary DNS " "lookups in such environments." msgstr "" +"Si des noms de domaine pleinement qualifiés (ou _srv_) sont utilisés dans la " +"configuration SSSD, le fait de définir cette option sur FALSE peut éviter " +"des recherches DNS inutiles dans de tels environnements." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3677 
@@ -4860,18 +5501,21 @@ msgid "" "This option defines the number of seconds SSSD waits before attempting to " "reconnect to the primary server." msgstr "" +"En l'absence de serveur principal, SSSD bascule vers un serveur de secours. " +"Cette option définit le nombre de secondes pendant lesquelles SSSD attend " +"avant de tenter de se reconnecter au serveur principal." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3706 msgid "Note: The minimum value is 31." -msgstr "" +msgstr "Remarque : La valeur minimale est 31." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3709 #, fuzzy #| msgid "Default: 3" msgid "Default: 31" -msgstr "Par défaut : 3" +msgstr "Par défaut : 3" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3715 @@ -4897,6 +5541,7 @@ msgstr "True" #: sssd.conf.5.xml:3734 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" +"Respectez la casse. Cette valeur n'est pas valide pour le fournisseur AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3740 
@@ -4931,19 +5576,16 @@ msgid "" "If you want to set this value for trusted domain with IPA provider, you need " "to set it on both the client and SSSD on the server." msgstr "" +"Respectez la casse. Cette valeur n'est pas valide pour le fournisseur AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3727 -#, fuzzy -#| msgid "" -#| "The following expansions are supported: <placeholder " -#| "type=\"variablelist\" id=\"0\"/>" msgid "" "Treat user and group names as case sensitive. Possible option values are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" -"Les expansions suivantes sont prises en charge : <placeholder " -"type=\"variablelist\" id=\"0\"/>" +"Les noms d'utilisateurs et de groupes sont sensibles à la casse. Les valeurs " +"possibles sont : <placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3772 @@ -4962,6 +5604,10 @@ msgid "" "subdomain. Please note that only selected parameters can be inherited. " "Currently the following options can be inherited:" msgstr "" +"Spécifie une liste de paramètres de configuration qui doivent être hérités " +"par un sous-domaine. Veuillez noter que seuls les paramètres sélectionnés " +"peuvent être hérités. Actuellement, les options suivantes peuvent être " +"héritées :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3787 @@ -5009,6 +5655,8 @@ msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" +"ldap_krb5_keytab (la valeur de krb5_keytab sera utilisée si ldap_krb5_keytab " +"n'est pas défini explicitement)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3809 
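Review bot: The msgstr added in the first hunk on this line, `"Respectez la casse. Cette valeur n'est pas valide pour le fournisseur AD."`, belongs to a different message. The msgid here (its start is outside the hunk) says that for a trusted domain with the IPA provider the value must be set on both the client and SSSD on the server, and that guidance is lost in French. The same mismatch appears later: the hunk for msgid `auto_private_groups` gets the `ldap_krb5_keytab` sentence, and the hunk ending `"the existing user private groups."` repeats the previous entry's text about differing UID and GID. Each should either carry its own translation or stay `msgstr ""` (for the option name, `msgstr "auto_private_groups"`), so that the toolchain can fall back to the English text if it is configured to do so.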
@@ -5057,6 +5705,8 @@ msgstr "ignore_group_members" #: sssd.conf.5.xml:3830 msgid "auto_private_groups" msgstr "" +"ldap_krb5_keytab (la valeur de krb5_keytab sera utilisée si ldap_krb5_keytab " +"n'est pas défini explicitement)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3833 @@ -5079,6 +5729,7 @@ msgstr "" #: sssd.conf.5.xml:3845 msgid "Note: This option only works with the IPA and AD provider." msgstr "" +"Remarque : cette option fonctionne uniquement avec le fournisseur IPA et AD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3852 @@ -5140,7 +5791,7 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3887 msgid "cached_auth_timeout (int)" -msgstr "" +msgstr "délai_d'expiration_authentification_en_caché (int)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3890 @@ -5150,6 +5801,11 @@ msgid "" "the online mode. If the credentials are incorrect, SSSD falls back to online " "authentication." msgstr "" +"Spécifie le délai en secondes écoulé depuis la dernière authentification en " +"ligne réussie pour lequel l'utilisateur sera authentifié à l'aide des " +"informations d'identification mises en cache lorsque SSSD est en mode en " +"ligne. Si les informations d'identification sont incorrectes, SSSD utilise " +"l'authentification en ligne." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3898 
@@ -5157,19 +5813,26 @@ msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" +"La valeur de cette option est héritée par tous les domaines de confiance. Il " +"n'est actuellement pas possible de définir une valeur différente pour chaque " +"domaine de confiance." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3903 msgid "Special value 0 implies that this feature is disabled." -msgstr "" +msgstr "La valeur spéciale 0 indique que cette fonctionnalité est désactivée." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3907 +#, fuzzy msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " "<quote>initgroups.</quote>" msgstr "" +"Veuillez noter que si <quote>cached_auth_timeout</quote> est supérieur à " +"<quote>pam_id_timeout</quote>, le serveur pourrait être sollicité pour gérer " +"<quote>initgroups</quote>." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3918 
@@ -5189,6 +5852,15 @@ msgid "" "supported by the backend. With this option additional methods can be enabled " "which are evaluated and checked locally." msgstr "" +"Politique relative aux méthodes d'authentification locales. Certains " +"systèmes d'authentification (par exemple, LDAP, fournisseur proxy) ne " +"prennent en charge que l'authentification par mot de passe, tandis que " +"d'autres peuvent gérer l'authentification par carte à puce basée sur PKINIT " +"(AD, IPA), l'authentification à deux facteurs (IPA) ou d'autres méthodes " +"auprès d'une instance centrale. Par défaut, dans ces cas, l'authentification " +"est effectuée uniquement avec les méthodes prises en charge par le système " +"d'authentification. Cette option permet d'activer des méthodes " +"supplémentaires qui sont évaluées et vérifiées localement." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3933 @@ -5201,6 +5873,14 @@ msgid "" "passkey for local authentication. Multiple enable values should be comma-" "separated, such as <quote>enable:passkey, enable:smartcard</quote>" msgstr "" +"Cette option peut prendre trois valeurs : `match`, `only` et `enable`. " +"`match` permet de faire correspondre les états hors ligne et en ligne pour " +"les méthodes Kerberos. `only` ignore les méthodes en ligne et ne propose que " +"les méthodes locales. `enable` permet de définir explicitement les méthodes " +"d'authentification locale. Par exemple, `enable:passkey` active uniquement " +"l'authentification par clé d'accès pour l'authentification locale. Plusieurs " +"valeurs pour `enable` doivent être séparées par des virgules, comme ceci : " +"`enable:passkey, enable:smartcard`." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3946 
@@ -5209,6 +5889,10 @@ msgid "" "properly, are currently enabled or disabled for each backend, with the " "default local_auth_policy: <quote>match</quote>" msgstr "" +"Le tableau suivant indique quelles méthodes d'authentification, si elles " +"sont correctement configurées, sont actuellement activées ou désactivées " +"pour chaque serveur, avec la politique d'authentification locale par défaut " +": <quote>match</quote>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd.conf.5.xml:3959 @@ -5220,12 +5904,12 @@ msgstr "ldap_pwd_policy (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd.conf.5.xml:3960 msgid "Passkey" -msgstr "" +msgstr "Clé d'accès" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd.conf.5.xml:3961 msgid "Smartcard" -msgstr "" +msgstr "carte à puce" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3964 sssd-ldap.5.xml:228 @@ -5240,12 +5924,12 @@ msgstr "AD" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd.conf.5.xml:3967 sssd.conf.5.xml:3970 sssd.conf.5.xml:3971 msgid "disabled" -msgstr "" +msgstr "désactivé" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> #: sssd.conf.5.xml:3970 msgid "LDAP" -msgstr "" +msgstr "LDAP" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3975 
@@ -5255,6 +5939,10 @@ msgid "" "authentication methods supported by the backend. I.e. there will be a PIN " "prompt instead of e.g. a password prompt." msgstr "" +"Veuillez noter que si l'authentification par carte à puce locale est activée " +"et qu'une carte à puce est présente, elle sera privilégiée par rapport aux " +"méthodes d'authentification prises en charge par le système. Autrement dit, " +"un code PIN vous sera demandé à la place d'un mot de passe." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:3987 @@ -5266,6 +5954,11 @@ msgid "" "auth_provider = none\n" "local_auth_policy = only\n" msgstr "" +"[domain/shadowutils]\n" +"id_provider = proxy\n" +"proxy_lib_name = files\n" +"auth_provider = none\n" +"local_auth_policy = only\n" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3983 
@@ -5274,23 +5967,27 @@ msgid "" "locally using any enabled method (i.e. smartcard, passkey). <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" +"L'exemple de configuration suivant permet aux utilisateurs locaux de " +"s'authentifier localement à l'aide de n'importe quelle méthode activée (par " +"exemple, carte à puce, clé d'accès). <placeholder type=\"programlisting\" " +"id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3995 #, fuzzy #| msgid "Default: cn" msgid "Default: match" -msgstr "Par défaut : cn" +msgstr "Par défaut : cn" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4000 msgid "auto_private_groups (string)" -msgstr "" +msgstr "auto_private_groups (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4006 msgid "true" -msgstr "" +msgstr "vraie" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4009 @@ -5298,6 +5995,8 @@ msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" +"Créez systématiquement le groupe privé de l'utilisateur à partir de son UID. " +"Le GID est ignoré dans ce cas." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4013 
@@ -5307,11 +6006,15 @@ msgid "" "UID or GID number with this option. In other words, enabling this option " "enforces uniqueness across the ID space." msgstr "" +"REMARQUE : Étant donné que le numéro GID et le groupe privé de l’utilisateur " +"sont déduits du numéro UID, il est impossible d’avoir plusieurs entrées avec " +"le même numéro UID ou GID avec cette option. En d’autres termes, " +"l’activation de cette option garantit l’unicité de chaque identifiant." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4022 msgid "false" -msgstr "" +msgstr "FAUX" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4025 @@ -5319,11 +6022,13 @@ msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" +"Utilisez toujours le numéro GID principal de l'utilisateur. Ce numéro GID " +"doit faire référence à un objet groupe dans la base de données LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4031 msgid "hybrid" -msgstr "" +msgstr "hybride" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4034 
@@ -5334,6 +6039,12 @@ msgid "" "GID in the user entry is also used by a group object, the primary GID of the " "user resolves to that group object." msgstr "" +"Un groupe principal est généré automatiquement pour les entrées utilisateur " +"dont les numéros UID et GID sont identiques, mais dont le numéro GID ne " +"correspond à aucun objet de groupe existant dans LDAP. Si les valeurs sont " +"identiques, mais que le GID principal de l'entrée utilisateur est également " +"utilisé par un objet de groupe, le GID principal de l'utilisateur est alors " +"associé à ce groupe." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4047 @@ -5341,6 +6052,9 @@ msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" +"Si l'UID et le GID d'un utilisateur sont différents, alors le GID doit " +"correspondre à une entrée de groupe, sinon le GID est tout simplement " +"insoluble." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4054 @@ -5349,6 +6063,9 @@ msgid "" "separate group objects for the user private groups, but also wish to retain " "the existing user private groups." msgstr "" +"Si l'UID et le GID d'un utilisateur sont différents, alors le GID doit " +"correspondre à une entrée de groupe, sinon le GID est tout simplement " +"insoluble." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4003 
@@ -5356,6 +6073,8 @@ msgid "" "This option takes any of three available values: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" +"Cette option accepte l'une des trois valeurs disponibles : <placeholder " +"type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4066 @@ -5366,6 +6085,12 @@ msgid "" "provider is using True because IdPs typically do not have primary groups.</" "phrase>" msgstr "" +"Pour les fournisseurs d'identité basés sur LDAP (LDAP, IPA et AD), la valeur " +"par défaut pour le domaine configuré est généralement False, car les sources " +"utilisent la notion de groupe principal. <phrase " +"condition=\"with_idp_provider\">Le fournisseur d'identité utilise True, car " +"les fournisseurs d'identité n'ont généralement pas de groupes principaux.</" +"phrase>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4075 @@ -5373,6 +6098,8 @@ msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" +"For subdomains, the default value is False for subdomains that use assigned " +"POSIX IDs and True for subdomains that use automatic ID-mapping." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:4083 @@ -5381,6 +6108,8 @@ msgid "" "[domain/forest.domain/sub.domain]\n" "auto_private_groups = false\n" msgstr "" +"[domaine/forêt.domaine/sous-domaine]\n" +"auto_private_groups = false\n" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:4089 
@@ -5390,6 +6119,9 @@ msgid "" "subdomain_inherit = auto_private_groups\n" "auto_private_groups = false\n" msgstr "" +"[domaine/forêt.domaine]\n" +"sous-domaine_hériter = groupes_privés_auto\n" +"groupes_privés_auto = faux\n" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4080 @@ -5399,6 +6131,11 @@ msgid "" "globally for all subdomains in the main domain section using the " "subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>" msgstr "" +"La valeur de auto_private_groups peut être définie soit par sous-domaine " +"dans une sous-section, par exemple : <placeholder type=\"programlisting\" " +"id=\"0\"/>, soit globalement pour tous les sous-domaines de la section du " +"domaine principal à l'aide de l'option subdomain_inherit : <placeholder " +"type=\"programlisting\" id=\"1\"/>" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:2503 @@ -5433,7 +6170,7 @@ msgid "" "or create a new one and add the service name here. As an alternative you can " "enable local authentication with the local_auth_policy option." msgstr "" -"Par défaut : non défini, il faut utiliser une configuration de pam existante " +"Par défaut : non défini, il faut utiliser une configuration de pam existante " "ou en créer une nouvelle et ajouter le nom de service ici." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> @@ -5455,7 +6192,7 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4133 msgid "proxy_resolver_lib_name (string)" -msgstr "" +msgstr "nom_bibliothèque_résolveur_proxy (chaîne)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4136 
@@ -5464,6 +6201,10 @@ msgid "" "domains. The NSS functions searched for in the library are in the form of " "_nss_$(libName)_$(function), for example _nss_dns_gethostbyname2_r." msgstr "" +"Nom de la bibliothèque NSS à utiliser pour la recherche d'hôtes et de " +"réseaux dans les domaines proxy. Les fonctions NSS recherchées dans la " +"bibliothèque sont au format _nss_$(nom_bibliothèque)_$(fonction), par " +"exemple _nss_dns_gethostbyname2_r." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4147 @@ -5487,7 +6228,7 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4164 msgid "proxy_max_children (integer)" -msgstr "" +msgstr "proxy_max_children (integer)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4167 @@ -5496,6 +6237,10 @@ msgid "" "for high-load SSSD environments where sssd may run out of available child " "slots, which would cause some issues due to the requests being queued." msgstr "" +"Cette option spécifie le nombre de processus enfants proxy pré-forkés. Elle " +"est utile dans les environnements SSSD à forte charge où SSSD peut manquer " +"d'emplacements enfants disponibles, ce qui entraînerait des problèmes dus à " +"la mise en file d'attente des requêtes." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4100 @@ -5509,7 +6254,7 @@ msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:4183 msgid "Application domains" -msgstr "" +msgstr "Domaines d'application" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:4185 
@@ -5527,6 +6272,19 @@ msgid "" "<quote>application</quote> optionally inherits settings from a tradition " "SSSD domain." msgstr "" +"SSSD, avec son interface D-Bus (voir <citerefentry> <refentrytitle>sssd-ifp</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>), est un outil " +"précieux pour les applications, servant de passerelle vers un annuaire LDAP " +"où sont stockés les utilisateurs et les groupes. Cependant, contrairement au " +"déploiement SSSD traditionnel où tous les utilisateurs et groupes possèdent " +"des attributs POSIX ou où ces attributs peuvent être déduits des SID " +"Windows, dans de nombreux cas, les utilisateurs et les groupes pris en " +"charge par les applications ne possèdent pas d'attributs POSIX. Au lieu de " +"définir une section <quote>[domain/<replaceable>NAME</replaceable>]</quote>, " +"l'administrateur peut configurer une section <quote>[application/" +"<replaceable>NAME</replaceable>]</quote> qui représente en interne un " +"domaine de type <quote>application</quote> et qui peut hériter des " +"paramètres d'un domaine SSSD traditionnel." #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:4205 
@@ -5535,16 +6293,20 @@ msgid "" "the <quote>domains</quote> parameter so that the lookup order between the " "application domain and its POSIX sibling domain is set correctly." msgstr "" +"Veuillez noter que le domaine d'application doit toujours être explicitement " +"activé dans le paramètre <quote>domains</quote> afin que l'ordre de " +"recherche entre le domaine d'application et son domaine frère POSIX soit " +"correctement défini." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> #: sssd.conf.5.xml:4211 msgid "Application domain parameters" -msgstr "" +msgstr "Paramètres du domaine d'application" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:4213 msgid "inherit_from (string)" -msgstr "" +msgstr "hériter_de (chaîne)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4216 @@ -5554,6 +6316,10 @@ msgid "" "application settings that augment or override the <quote>sibling</quote> " "domain settings." msgstr "" +"The SSSD POSIX-type domain the application domain inherits all settings " +"from. The application domain can moreover add its own settings to the " +"application settings that augment or override the <quote>sibling</quote> " +"domain settings." #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:4230 
@@ -5564,6 +6330,11 @@ msgid "" "the telephoneNumber attribute, stores it as the phone attribute in the cache " "and makes the phone attribute reachable through the D-Bus interface." msgstr "" +"L'exemple suivant illustre l'utilisation d'un domaine d'application. Dans " +"cette configuration, le domaine POSIX est connecté à un serveur LDAP et " +"utilisé par le système d'exploitation via le répondeur NSS. De plus, le " +"domaine d'application récupère l'attribut telephoneNumber, le stocke comme " +"attribut phone dans le cache et le rend accessible via l'interface D-Bus." #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> #: sssd.conf.5.xml:4238 @@ -5584,11 +6355,25 @@ msgid "" "inherit_from = posixdom\n" "ldap_user_extra_attrs = phone:telephoneNumber\n" msgstr "" +"[sssd]\n" +"domaines = appdom, posixdom\n" +"\n" +"[ifp]\n" +"attributs_utilisateur = +téléphone\n" +"\n" +"[domaine/posixdom]\n" +"fournisseur_id = ldap\n" +"uri_ldap = ldap://ldap.example.com\n" +"base_recherche_ldap = dc=example,dc=com\n" +"\n" +"[application/appdom]\n" +"hériter_de = posixdom\n" +"attributs_utilisateur_supplémentaires_ldap = téléphone:numéro_de_téléphone\n" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4258 msgid "TRUSTED DOMAIN SECTION" -msgstr "" +msgstr "SECTION DOMAINE DE CONFIANCE" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4260 
@@ -5600,56 +6385,63 @@ msgid "" "domain. Please refer to examples below for explanation. Currently supported " "options in the trusted domain section are:" msgstr "" +"Certaines options utilisées dans la section « Domaine » peuvent également " +"être utilisées dans la section « Domaine de confiance », c’est-à-dire dans " +"une section nommée <quote>[domaine/<replaceable>NOM_DOMAIN</replaceable>/" +"<replaceable>NOM_DOMAIN_DE_CONFIANCE</replaceable>]</quote>. Où NOM_DOMAIN " +"correspond au domaine de base auquel la jonction est effectuée. Veuillez " +"consulter les exemples ci-dessous pour plus d’explications. Les options " +"actuellement prises en charge dans la section « Domaine de confiance » sont :" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4267 msgid "ldap_search_base," -msgstr "" +msgstr "base de recherche LDAP," #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4268 msgid "ldap_user_search_base," -msgstr "" +msgstr "ldap_user_search_base," #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4269 msgid "ldap_group_search_base," -msgstr "" +msgstr "base de recherche de groupe LDAP," #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4270 msgid "ldap_netgroup_search_base," -msgstr "" +msgstr "ldap_netgroup_search_base," #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4271 msgid "ldap_service_search_base," -msgstr "" +msgstr "base de recherche du service LDAP," #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4272 msgid "ldap_sasl_mech," -msgstr "" +msgstr "ldap_sasl_mech," #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4273 msgid "ad_server," -msgstr "" +msgstr "serveur_publicitaire," #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4274 msgid "ad_backup_server," -msgstr "" +msgstr "serveur_de_sauvegarde_publicitaire," #. 
type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4275 msgid "ad_site," -msgstr "" +msgstr "site_publicitaire," #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4276 sssd-ipa.5.xml:934 msgid "use_fully_qualified_names" -msgstr "" +msgstr "use_fully_qualified_names" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4280 @@ -5657,11 +6449,13 @@ msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" +"Pour plus de détails sur ces options, consultez leur description " +"individuelle dans la page du manuel." #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4286 msgid "CERTIFICATE MAPPING SECTION" -msgstr "" +msgstr "SECTION DE CARTOGRAPHIE DES CERTIFICATS" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4288 @@ -5675,6 +6469,15 @@ msgid "" "might be cumbersome or not even possible to do this for the general case " "where local services use PAM for authentication." msgstr "" +"Pour permettre l'authentification par carte à puce et certificat, SSSD doit " +"pouvoir associer les certificats aux utilisateurs. Cela peut se faire en " +"ajoutant le certificat complet à l'objet LDAP de l'utilisateur ou en " +"utilisant une substitution locale. Bien que l'utilisation du certificat " +"complet soit requise pour l'authentification par carte à puce SSH (voir " +"<citerefentry> <refentrytitle>sss_ssh_authorizedkeys</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> pour plus de détails), cela peut " +"s'avérer complexe, voire impossible, dans le cas général où les services " +"locaux utilisent PAM pour l'authentification." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4302 
@@ -5683,6 +6486,10 @@ msgid "" "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for details)." msgstr "" +"Pour rendre le mappage plus flexible, des règles de mappage et de " +"correspondance ont été ajoutées à SSSD (voir <citerefentry> <refentrytitle>" +"sss-certmap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> pour " +"plus de détails)." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4311 @@ -5692,11 +6499,16 @@ msgid "" "<replaceable>DOMAIN_NAME</replaceable>/<replaceable>RULE_NAME</" "replaceable>]</quote>. In this section the following options are allowed:" msgstr "" +"Une règle de mappage et de correspondance peut être ajoutée à la " +"configuration SSSD dans une section dédiée, nommée par exemple : <quote>" +"[certmap/<replaceable>NOM_DOMAIN</replaceable>/<replaceable>NOM_RÈGLE</" +"replaceable>]</quote>. Dans cette section, les options suivantes sont " +"autorisées :" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4318 msgid "matchrule (string)" -msgstr "" +msgstr "règle de correspondance (chaîne)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4321 @@ -5704,6 +6516,8 @@ msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" +"Only certificates from the Smartcard which matches this rule will be " +"processed, all others are ignored." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4325 
@@ -5711,16 +6525,19 @@ msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" +"Par défaut : KRB5 : &EKU > clientAuth, c’est-à-dire uniquement les " +"certificats disposant de l’utilisation étendue de la clé <quote>clientAuth</" +"quote>" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4332 msgid "maprule (string)" -msgstr "" +msgstr "règle de carte (chaîne)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4335 msgid "Defines how the user is found for a given certificate." -msgstr "" +msgstr "Définit comment l'utilisateur est trouvé pour un certificat donné." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4341 @@ -5728,6 +6545,8 @@ msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" +"LDAP:(userCertificate;binary={cert!bin}) pour les fournisseurs basés sur " +"LDAP comme <quote>ldap</quote>, <quote>AD</quote> ou <quote>ipa</quote>." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4347 
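Review bot: The default value of matchrule is corrupted in the msgstr added by hunk -5711: the msgid's `KRB5:<EKU>clientAuth` appears as `KRB5 : &EKU > clientAuth`, which is no longer the rule text an administrator would have to enter. This string documents which certificates are considered for Smartcard authentication, so the rule should be carried over verbatim, `"Par défaut : KRB5:<EKU>clientAuth, c’est-à-dire uniquement les "`, with `<EKU>` escaped exactly as it is in the msgid. In the same hunk the term `maprule (string)` is rendered as `règle de carte (chaîne)`; the option name should stay `maprule`, as the later msgstr in this file (`Si maprule n'est pas défini …`) already does.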
@@ -5735,11 +6554,13 @@ msgid "" "If maprule is not set and provider is <quote>proxy</quote>, the RULE_NAME " "name is assumed to be the name of the matching user." msgstr "" +"Si maprule n'est pas défini et que provider est <quote>proxy</quote>, le nom " +"RULE_NAME est supposé être le nom de l'utilisateur correspondant." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4357 msgid "domains (string)" -msgstr "" +msgstr "domaines (chaîne de caractères)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4360 @@ -5749,16 +6570,20 @@ msgid "" "supports subdomains this option can be used to add the rule to subdomains as " "well." msgstr "" +"Liste de noms de domaine, séparés par des virgules, auxquels la règle doit " +"s'appliquer. Par défaut, une règle n'est valable que pour le domaine " +"configuré dans sssd.conf. Si le fournisseur prend en charge les sous-" +"domaines, cette option permet d'ajouter la règle à ces derniers." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4367 msgid "Default: the configured domain in sssd.conf" -msgstr "" +msgstr "Par défaut : le domaine configuré dans sssd.conf" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4372 msgid "priority (integer)" -msgstr "" +msgstr "priorité (entier)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4375 
@@ -5767,16 +6592,19 @@ msgid "" "number the lower the priority. <quote>0</quote> stands for the highest " "priority while <quote>4294967295</quote> is the lowest." msgstr "" +"Valeur entière non signée définissant la priorité de la règle. Plus le " +"nombre est élevé, plus la priorité est faible. 0 représente la priorité la " +"plus élevée, tandis que 4294967295 représente la plus faible." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4381 msgid "Default: the lowest priority" -msgstr "" +msgstr "Par défaut : priorité la plus basse" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4389 msgid "PROMPTING CONFIGURATION SECTION" -msgstr "" +msgstr "SECTION DE CONFIGURATION DES INVITATIONS" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4391 @@ -5787,6 +6615,12 @@ msgid "" "Based on the results pam_sss will prompt the user for appropriate " "credentials." msgstr "" +"Si un fichier spécifique (<filename>/var/lib/sss/pubconf/" +"pam_preauth_available</filename>) existe, le module PAM de SSSD, pam_sss, " +"interrogera SSSD pour déterminer les méthodes d'authentification disponibles " +"pour l'utilisateur qui tente de se connecter. En fonction des résultats, " +"pam_sss invitera l'utilisateur à saisir les informations d'identification " +"appropriées." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4399 
@@ -5796,21 +6630,25 @@ msgid "" "select the prompting might not be suitable for all use cases. The following " "options should provide a better flexibility here." msgstr "" +"Face à la multiplication des méthodes d'authentification et à la possibilité " +"qu'un même utilisateur en utilise plusieurs, l'heuristique employée par " +"pam_sss pour sélectionner le message d'invite peut ne pas convenir à tous " +"les cas de figure. Les options suivantes offrent une plus grande flexibilité." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4411 msgid "[prompting/password]" -msgstr "" +msgstr "[invite/mot de passe]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4414 msgid "password_prompt" -msgstr "" +msgstr "invite_mot_de_passe" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4415 msgid "to change the string of the password prompt" -msgstr "" +msgstr "modifier le texte de l'invite de mot de passe" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4413 
@@ -5818,36 +6656,38 @@ msgid "" "to configure password prompting, allowed options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" +"Pour configurer l'invite de mot de passe, les options autorisées sont : " +"<placeholder type=\"variablelist\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4423 msgid "[prompting/2fa]" -msgstr "" +msgstr "[invite/2fa]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4427 msgid "first_prompt" -msgstr "" +msgstr "première_invite" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4428 msgid "to change the string of the prompt for the first factor" -msgstr "" +msgstr "modifier la chaîne de l'invite pour le premier facteur" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4431 msgid "second_prompt" -msgstr "" +msgstr "modifier la chaîne de l'invite pour le premier facteur" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4432 msgid "to change the string of the prompt for the second factor" -msgstr "" +msgstr "modifier le texte de l'invite pour le deuxième facteur" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4435 msgid "single_prompt" -msgstr "" +msgstr "invite unique" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4436 
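Review bot: The msgstr added for the term `second_prompt` in hunk -5818 is the description of the first factor, `modifier la chaîne de l'invite pour le premier facteur`, so the French page has no second_prompt entry and shows first-factor text above the second-factor description. The entry should read `msgstr "second_prompt"`. The neighbouring terms in this hunk are translated too (`première_invite`, `invite unique`) and should stay `first_prompt` and `single_prompt`, since they are the keys of the [prompting/2fa] section; the description added in hunk -5857 already refers to `first_prompt` by its real name.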
@@ -5857,6 +6697,10 @@ msgid "" "string. Please note that both factors have to be entered here, even if the " "second factor is optional." msgstr "" +"Valeur booléenne : si la valeur est Vrai, une seule invite s’affichera, " +"utilisant la valeur de `first_prompt`, où les deux facteurs doivent être " +"saisis sous forme d’une seule chaîne de caractères. Veuillez noter que les " +"deux facteurs doivent être saisis, même si le second est facultatif." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4425 @@ -5866,6 +6710,11 @@ msgid "" "optional and it should be possible to log in either only with the password " "or with both factors two-step prompting has to be used." msgstr "" +"Pour configurer l'invite d'authentification à deux facteurs, les options " +"autorisées sont : <placeholder type=\"variablelist\" id=\"0\"/> Si le " +"deuxième facteur est facultatif et qu'il doit être possible de se connecter " +"soit uniquement avec le mot de passe, soit avec les deux facteurs, l'invite " +"en deux étapes doit être utilisée." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4449 
@@ -5877,16 +6726,23 @@ msgid "" "the user at the SSH password prompt will always be the two factors in a " "single string, even if two-factor authentication is optional." msgstr "" +"Certains clients, comme SSH avec l'option « PasswordAuthentication yes », " +"génèrent leurs propres invites et n'utilisent pas celles fournies par SSSD " +"ou d'autres modules PAM. De plus, pour SSH avec PasswordAuthentication, si " +"l'authentification à deux facteurs est disponible, SSSD exige que les " +"identifiants saisis par l'utilisateur lors de l'invite de mot de passe SSH " +"correspondent toujours aux deux facteurs dans une seule chaîne de " +"caractères, même si l'authentification à deux facteurs est optionnelle." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4464 msgid "[prompting/passkey]" -msgstr "" +msgstr "[invite/clé d'accès]" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4470 sssd-ad.5.xml:1022 msgid "interactive" -msgstr "" +msgstr "interactif" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4472 
@@ -5895,21 +6751,24 @@ msgid "" "of a passkey device. Recommended if your device doesn’t have a tactile " "trigger." msgstr "" +"Valeur booléenne : si la valeur est Vrai, afficher un message et attendre " +"avant de tester la présence d’un périphérique à code d’accès. Recommandé si " +"votre appareil ne possède pas de déclencheur tactile." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4480 msgid "interactive_prompt" -msgstr "" +msgstr "invite interactive" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4482 msgid "to change the message of the interactive prompt." -msgstr "" +msgstr "modifier le message de l'invite interactive." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4487 msgid "touch" -msgstr "" +msgstr "touch" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4489 
@@ -5917,16 +6776,18 @@ msgid "" "boolean value, if True prompt a message to remind the user to touch the " "device." msgstr "" +"Valeur booléenne ; si la valeur est True, afficher un message invitant " +"l’utilisateur à toucher l’appareil." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4495 msgid "touch_prompt" -msgstr "" +msgstr "invite tactile" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4497 msgid "to change the message of the touch prompt." -msgstr "" +msgstr "modifier le message de l'invite tactile." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4466 @@ -5949,6 +6810,11 @@ msgid "" "type=\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/" "> <placeholder type=\"variablelist\" id=\"2\"/>" msgstr "" +"Chaque méthode d'authentification prise en charge possède sa propre sous-" +"section de configuration sous <quote>[prompting/...]</quote>. Actuellement, " +"on y trouve : <placeholder type=\"variablelist\" id=\"0\"/> <placeholder " +"type=\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" " +"id=\"2\"/>" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4508 
@@ -5957,11 +6823,14 @@ msgid "" "<quote>[prompting/password/sshd]</quote> to individual change the prompting " "for this service." msgstr "" +"Il est possible d'ajouter une sous-section pour des services PAM " +"spécifiques, par exemple <quote>[prompting/password/sshd]</quote> pour " +"modifier individuellement l'invite pour ce service." #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4515 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43 msgid "EXAMPLES" -msgstr "" +msgstr "EXEMPLES" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4521 @@ -6049,6 +6918,10 @@ msgid "" "configuring domains for more details. <placeholder type=\"programlisting\" " "id=\"0\"/>" msgstr "" +"1. L'exemple suivant illustre une configuration SSSD typique. Il ne décrit " +"pas la configuration des domaines eux-mêmes ; reportez-vous à la " +"documentation relative à la configuration des domaines pour plus de détails. " +"<placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4553 @@ -6057,6 +6930,8 @@ msgid "" "[domain/ipa.com/child.ad.com]\n" "use_fully_qualified_names = false\n" msgstr "" +"[domain/ipa.com/child.ad.com]\n" +"use_fully_qualified_names = false\n" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4547 
@@ -6068,6 +6943,12 @@ msgid "" "configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/" ">" msgstr "" +"2. L'exemple suivant illustre la configuration d'une approbation IPA AD " +"lorsque la forêt AD est composée de deux domaines dans une structure parent-" +"enfant. Supposons que le domaine IPA (ipa.com) ait une approbation avec le " +"domaine AD (ad.com). ad.com possède un domaine enfant (child.ad.com). Pour " +"activer les noms courts dans le domaine enfant, la configuration suivante " +"doit être utilisée. <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4564 @@ -6079,6 +6960,11 @@ msgid "" "domains = my.domain, your.domain\n" "priority = 10\n" msgstr "" +"[certmap/my.domain/rule_name]\n" +"matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$\n" +"maprule = (userCertificate;binary={cert!bin})\n" +"domains = my.domain, your.domain\n" +"priority = 10\n" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4558 @@ -6089,6 +6975,11 @@ msgid "" "certificate in the search filter. <placeholder type=\"programlisting\" " "id=\"0\"/>" msgstr "" +"3. L'exemple suivant illustre la configuration d'une règle de mappage de " +"certificat. Elle est valable pour le domaine configuré <quote>my.domain</" +"quote> et également pour les sous-domaines <quote>your.domain</quote>, et " +"utilise le certificat complet dans le filtre de recherche. <placeholder " +"type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 
@@ -6353,18 +7244,22 @@ msgid "" "default, this is done anonymously. However, this may not be permitted by the " "LDAP server. In such cases we can use this option to influence SSSD behavior." msgstr "" +"SSSD consulte RootDSE pour obtenir des informations sur LDAP et ses " +"fonctionnalités. Par défaut, cette opération est anonyme. Toutefois, il est " +"possible que le serveur LDAP l'interdise. Dans ce cas, cette option permet " +"d'influencer le comportement de SSSD." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:175 #, fuzzy #| msgid "The following values are allowed:" msgid "Allowed values are:" -msgstr "Les valeurs suivantes sont autorisées :" +msgstr "Les valeurs suivantes sont autorisées :" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:179 msgid "anonymous" -msgstr "" +msgstr "anonyme" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:184 diff --git a/src/man/po/ko.po b/src/man/po/ko.po index 0b0476671e1..6b6671d4aa7 100644 --- a/src/man/po/ko.po +++ b/src/man/po/ko.po @@ -8,8 +8,8 @@ msgstr "" "Project-Id-Version: sssd-docs 2.5.2\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" "POT-Creation-Date: 2021-07-12 20:51+0200\n" -"PO-Revision-Date: 2026-04-23 16:36+0000\n" -"Last-Translator: seo hojin <jinswhat@naver.com>\n" +"PO-Revision-Date: 2026-06-14 19:10+0000\n" +"Last-Translator: 김인수 <simmon@nplob.com>\n" "Language-Team: Korean <https://translate.fedoraproject.org/projects/sssd/" "sssd-manpage-master/ko/>\n" "Language: ko\n" 
@@ -17,7 +17,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0;\n" -"X-Generator: Weblate 5.17\n" +"X-Generator: Weblate 2026.6.1\n" #. type: Content of: <reference><title> #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 @@ -755,6 +755,13 @@ msgid "" "permissions may result in a non-usable SSSD. The same may occur in case of " "changes of the user running the NSS responder. </phrase>" msgstr "" +"root 사용자로 실행하지 않도록 적절한 경우 권한을 낮출 사용자입니다. <phrase " +"condition=\"have_systemd\"> 이 옵션은 소켓 활성화 서비스를 실행할 때 " +"작동하지 않습니다. 프로세스를 실행하도록 설정된 사용자는 컴파일 시점에 " +"설정되기 때문입니다. systemd 단위 파일을 재정의하는 방법은 /etc/systemd/" +"system/에 적절한 파일을 만드는 것입니다. 소켓 사용자, 그룹 또는 권한을 " +"변경하면 SSSD를 사용할 수 없게 될 수 있습니다. NSS 응답자를 실행하는 " +"사용자를 변경하는 경우에도 동일한 문제가 발생할 수 있습니다. </phrase>" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:427 @@ -775,11 +782,10 @@ msgid "" "trusted domain. The option allows those users to log in just with their " "user name without giving a domain name as well." msgstr "" -"이와 같은 문자열은 도메인 이름 구성이 없는 모든 이름을 위해 기본 도메인 " -"이름으로 사용됩니다. 주요 사용 경우는 기본 도메인이 호스트 정책을 관리하고 " -"모든 사용자가 신뢰 할 수 있는 도메인에 있는 환경입니다. 이와 같은 옵션을 " -"사용하면 해당 사용자는 도메인 이름도 제공하지 않고 이들 사용자 이름만으로 " -"로그인 할 수 있습니다." +"이 문자열은 도메인 이름 구성 요소가 없는 모든 이름의 기본 도메인 이름으로 " +"사용됩니다. 주요 사용 사례는 기본 도메인이 호스트 정책 관리를 목적으로 하고 " +"모든 사용자가 신뢰할 수 있는 도메인에 있는 환경입니다. 이 옵션을 사용하면 " +"해당 사용자가 도메인 이름 없이 사용자 이름만으로 로그인할 수 있습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:445 
@@ -793,6 +799,13 @@ msgid "" "nss_files and therefore their output is not qualified even when the " "default_domain_suffix option is used." msgstr "" +"이 옵션이 설정되면 기본 도메인의 모든 사용자가 로그인 시 정규화된 이름(예: " +"user@domain.name)을 사용해야 합니다. 이 옵션을 설정하면 " +"use_fully_qualified_names의 기본값이 True로 변경됩니다. 이 옵션은 " +"use_fully_qualified_names가 False로 설정된 경우와 함께 사용할 수 없습니다. " +"이 규칙의 한 가지 예외는 <quote>id_provider=files</quote>인 도메인으로, 항상 " +"nss_files의 동작을 따르려 하기 때문에 default_domain_suffix 옵션을 " +"사용하더라도 출력이 정규화되지 않습니다." #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:460 sssd-ldap.5.xml:772 sssd-ldap.5.xml:784 @@ -1001,6 +1014,9 @@ msgid "" "the related certificates. This option should be used to allow authentication " "when the system is offline and the CRL cannot be renewed." msgstr "" +"인증서 폐기 목록(CRL)이 만료된 경우 관련 인증서의 CRL 점검을 무시합니다. 이 " +"옵션은 시스템이 오프라인이고 CRL을 갱신할 수 없을 때 인증을 허용하기 위해 " +"사용해야 합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:493 @@ -1062,6 +1078,8 @@ msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" +"이 옵션이 활성화되면 SSSD는 명시적으로 구성된 도메인 앞에 <quote>" +"id_provider=files</quote>를 사용하는 암묵적 도메인을 추가합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:652 
@@ -1078,11 +1096,11 @@ msgid "" "subdomains which are not listed as part of <quote>lookup_order</quote> will " "be looked up in a random order for each parent domain." msgstr "" -"따라야 할 조회 순서를 나타내는 쉼표로 구분된 도메인 및 하위 도메인의 목록. " -"목록은 누락된 도메인이 <quote>domains</quote> 구성에서 제공된 순서에 " -"기반하여 조회되는 모든 가능한 도메인을 포함하지 않아도 됩니다. <quote>" -"lookup_order</quote> 의 부분으로 나열되지 않은 하위 도메인은 각 상위 " -"도메인을 위해 무작위 순서로 조회됩니다." +"따라야 할 조회 순서를 나타내는 쉼표로 구분된 도메인 및 하위 도메인의 " +"목록입니다. 목록에 모든 가능한 도메인을 포함할 필요는 없습니다. 누락된 " +"도메인은 <quote>domains</quote> 구성 옵션에 표시된 순서에 따라 조회됩니다. " +"<quote>lookup_order</quote>의 일부로 나열되지 않은 하위 도메인은 각 상위 " +"도메인에 대해 임의의 순서로 조회됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:667 @@ -1100,6 +1118,16 @@ msgid "" "shortnames, making this workaround totally not recommended in cases where " "usernames may overlap between domains." msgstr "" +"이 옵션이 설정되면 파일 공급자가 관리하는 사용자를 제외한 모든 사용자에 대해 " +"입력에 짧은 이름을 사용하더라도 항상 모든 명령의 출력 형식이 정규화됩니다. " +"관리자가 출력을 정규화하지 않으려는 경우 다음과 같이 full_name_format 옵션을 " +"사용할 수 있습니다: <quote>full_name_format=%1$s</quote> 하지만 로그인 중에 " +"로그인 응용 프로그램이 <citerefentry> <refentrytitle>getpwnam</" +"refentrytitle> <manvolnum>3</manvolnum> </citerefentry>을 호출하여 사용자 " +"이름을 정규화하는 경우, 정규화된 입력에 대해 짧은 이름이 반환되면(여러 " +"도메인에 존재하는 사용자에 접근하려는 시도 중) 로그인 시도가 짧은 이름을 " +"사용하는 도메인으로 재라우팅될 수 있으므로, 사용자 이름이 도메인 간에 겹칠 " +"수 있는 경우에는 이 해결 방법을 사용하지 않는 것이 좋습니다." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:692 sssd.conf.5.xml:1659 sssd.conf.5.xml:3927 @@ -1131,6 +1159,9 @@ msgid "" "section, for example, for NSS service, the section would be <quote>[nss]</" "quote>" msgstr "" +"다양한 서비스를 구성하는 데 사용할 수 있는 설정이 이 섹션에 설명되어 " +"있습니다. [<replaceable>$NAME</replaceable>] 섹션에 위치해야 합니다. 예를 " +"들어 NSS 서비스의 경우 <quote>[nss]</quote> 섹션이 됩니다" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:712 
@@ -1156,6 +1187,10 @@ msgid "" "systems without this capability, the resulting value will be the lower value " "of this or the limits.conf \"hard\" limit." msgstr "" +"이 옵션은 이 SSSD 프로세스가 한 번에 열 수 있는 최대 파일 설명자 수를 " +"지정합니다. SSSD에 CAP_SYS_RESOURCE 기능이 부여된 시스템에서는 절대적인 " +"설정입니다. 이 기능이 없는 시스템에서는 이 값과 limits.conf의 \"hard\" 제한 " +"중 낮은 값이 결과값으로 사용됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:743 @@ -1176,6 +1211,10 @@ msgid "" "can't be shorter than 10 seconds. If a lower value is configured, it will be " "adjusted to 10 seconds." msgstr "" +"이 옵션은 SSSD 프로세스의 클라이언트가 통신하지 않고 파일 설명자를 유지할 수 " +"있는 시간(초)을 지정합니다. 이 값은 시스템의 리소스 고갈을 방지하기 위해 " +"제한됩니다. 시간 초과는 10초보다 짧을 수 없습니다. 더 낮은 값을 구성하면 " +"10초로 조정됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:760 @@ -1197,6 +1236,11 @@ msgid "" "time for the previous ones. After each unsuccessful attempt to go online, " "the new interval is recalculated by the following:" msgstr "" +"SSSD가 오프라인 모드로 전환되면 다시 온라인으로 돌아가기 전의 시간이 연결이 " +"끊긴 시간에 따라 증가합니다. 기본적으로 SSSD는 증분 방식을 사용하여 재시도 " +"사이의 지연을 계산합니다. 따라서 주어진 재시도의 대기 시간은 이전 재시도의 " +"대기 시간보다 깁니다. 온라인 전환에 실패할 때마다 새 간격은 다음 공식으로 " +"다시 계산됩니다:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:779 sssd.conf.5.xml:835 @@ -1214,6 +1258,9 @@ msgid "" "value is 3600. The offline_timeout_random_offset default value is 30. The " "end result is amount of seconds before next retry." msgstr "" +"offline_timeout 기본값은 60입니다. offline_timeout_max 기본값은 " +"3600입니다. offline_timeout_random_offset 기본값은 30입니다. 최종 결과는 " +"다음 재시도 전까지의 시간(초)입니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:788 
@@ -1221,6 +1268,8 @@ msgid "" "Note that the maximum length of each interval is defined by " "offline_timeout_max (apart of random part)." msgstr "" +"각 간격의 최대 길이는 offline_timeout_max에 의해 정의됩니다(무작위 부분 제외)" +"." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:792 sssd.conf.5.xml:1132 sssd.conf.5.xml:1486 @@ -1239,6 +1288,8 @@ msgid "" "Controls by how much the time between attempts to go online can be " "incremented following unsuccessful attempts to go online." msgstr "" +"온라인 전환에 실패한 후 온라인 전환 시도 사이의 시간을 얼마나 증가시킬 " +"것인지 제어합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:805 @@ -1250,7 +1301,7 @@ msgstr "0의 값은 동작을 비활성화 합니다." msgid "" "The value of this parameter should be set in correlation to offline_timeout " "parameter value." -msgstr "" +msgstr "이 매개변수의 값은 offline_timeout 매개변수 값과 연관하여 설정해야 합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:812 @@ -1260,6 +1311,9 @@ msgid "" "rule here should be to set offline_timeout_max to at least 4 times " "offline_timeout." msgstr "" +"offline_timeout이 60(기본값)으로 설정된 경우 offline_timeout_max를 120 " +"미만으로 설정하면 즉시 포화 상태가 되므로 의미가 없습니다. 일반적인 규칙은 " +"offline_timeout_max를 offline_timeout의 최소 4배로 설정하는 것입니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:818 @@ -1267,6 +1321,8 @@ msgid "" "Although a value between 0 and offline_timeout may be specified, it has the " "effect of overriding the offline_timeout value so is of little use." msgstr "" +"0과 offline_timeout 사이의 값을 지정할 수 있지만, offline_timeout 값을 " +"재정의하는 효과가 있으므로 실질적인 의미가 거의 없습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:823 
@@ -1293,6 +1349,8 @@ msgid "" "This parameter controls the value of the random offset used for the above " "equation. Final random_offset value will be random number in range:" msgstr "" +"이 매개변수는 위 수식에 사용되는 무작위 오프셋의 값을 제어합니다. 최종 " +"random_offset 값은 다음 범위의 무작위 수가 됩니다:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:843 @@ -1325,6 +1383,11 @@ msgid "" "built with systemd support and when services are either socket or D-Bus " "activated." msgstr "" +"이 옵션은 SSSD 응답자 프로세스가 사용되지 않은 채로 유지될 수 있는 시간(초)" +"을 지정합니다. 이 값은 시스템의 리소스 고갈을 방지하기 위해 제한됩니다. 이 " +"옵션의 최소 허용 값은 60초입니다. 이 옵션을 0(영)으로 설정하면 응답자에 " +"시간 초과가 설정되지 않습니다. 이 옵션은 SSSD가 systemd 지원으로 빌드되고 " +"서비스가 소켓 또는 D-Bus로 활성화된 경우에만 효과가 있습니다." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:871 sssd.conf.5.xml:1145 sssd.conf.5.xml:2187 @@ -1343,6 +1406,8 @@ msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" +"이 옵션은 응답자가 자료 공급자를 질의하기 전에 모든 캐시를 질의해야 하는지 " +"여부를 지정합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:891 @@ -1365,7 +1430,7 @@ msgstr "enum_cache_timeout (정수)" msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" -msgstr "nss_sss 캐쉬가 열거된 시간(초) (모든 사용자에 대한 정보를 위한 요청)" +msgstr "nss_sss가 열거(모든 사용자에 대한 정보 요청)를 캐시해야 하는 시간(초)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:905 
@@ -1397,6 +1462,10 @@ msgid "" "but the SSSD will go and update the cache on its own, so that future " "requests will not need to block waiting for a cache update." msgstr "" +"예를 들어, 도메인의 entry_cache_timeout이 30초로 설정되고 " +"entry_cache_nowait_percentage가 50(퍼센트)로 설정된 경우, 마지막 캐시 " +"업데이트 후 15초 이후에 들어오는 항목은 즉시 반환되지만, SSSD가 독자적으로 " +"캐시를 업데이트하므로 향후 요청이 캐시 업데이트를 기다리며 차단되지 않습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:929 @@ -1406,6 +1475,9 @@ msgid "" "percentage will never reduce the nowait timeout to less than 10 seconds. (0 " "disables this feature)" msgstr "" +"이 옵션의 유효한 값은 0-99이며 각 도메인의 entry_cache_timeout 백분율을 " +"나타냅니다. 성능상의 이유로 이 백분율은 nowait 시간 초과를 10초 미만으로 " +"줄이지 않습니다. (0은 이 기능을 비활성화합니다)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:937 sssd.conf.5.xml:1987 @@ -1424,6 +1496,9 @@ msgid "" "(that is, queries for invalid database entries, like nonexistent ones) " "before asking the back end again." msgstr "" +"nss_sss가 백엔드에 다시 요청하기 전에 네거티브 캐시 적중(존재하지 않는 것과 " +"같은 잘못된 데이터베이스 항목에 대한 조회)을 캐시해야 하는 시간(초)을 " +"지정합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:951 sssd.conf.5.xml:2011 @@ -1442,6 +1517,9 @@ msgid "" "negative cache before trying to look it up in the back end again. Setting " "the option to 0 disables this feature." msgstr "" +"nss_sss가 백엔드에서 다시 조회를 시도하기 전에 로컬 사용자 및 그룹을 " +"네거티브 캐시에 유지해야 하는 시간(초)을 지정합니다. 이 옵션을 0으로 " +"설정하면 이 기능이 비활성화됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:965 
@@ -1461,6 +1539,10 @@ msgid "" "also be set per-domain or include fully-qualified names to filter only users " "from the particular domain or by a user principal name (UPN)." msgstr "" +"sss NSS 데이터베이스에서 특정 사용자 또는 그룹을 가져오지 않도록 제외합니다. " +"시스템 계정에 특히 유용합니다. 이 옵션은 도메인별로 설정하거나 정규화된 " +"이름을 포함하여 특정 도메인의 사용자만 또는 사용자 주체 이름(UPN)으로 " +"필터링할 수도 있습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:981 @@ -1470,6 +1552,10 @@ msgid "" "NSS. E.g. a group having a member group filtered out will still have the " "member users of the latter listed." msgstr "" +"참고: filter_groups 옵션은 중첩된 그룹 구성원의 상속에 영향을 주지 않습니다. " +"필터링은 NSS를 통해 반환하기 위해 전파된 후에 이루어지기 때문입니다. 예를 " +"들어 구성원 그룹이 필터링된 그룹에도 해당 그룹의 구성원 사용자가 여전히 " +"나열됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:989 @@ -1500,6 +1586,8 @@ msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" +"도메인의 자료 공급자가 명시적으로 지정하지 않은 경우 사용자의 홈 디렉토리에 " +"대한 기본 템플릿을 설정합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1016 @@ -1542,6 +1630,8 @@ msgid "" "shell options if it takes effect and can be set either in the [nss] section " "or per-domain." msgstr "" +"모든 사용자의 로그인 쉘을 재정의합니다. 이 옵션이 적용되면 다른 모든 쉘 " +"옵션보다 우선하며 [nss] 섹션 또는 도메인별로 설정할 수 있습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1041 
@@ -1557,12 +1647,12 @@ msgstr "allowed_shells (문자열)" #: sssd.conf.5.xml:1050 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" -msgstr "" +msgstr "사용자 쉘을 나열된 값 중 하나로 제한합니다. 평가 순서는 다음과 같습니다:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1053 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." -msgstr "" +msgstr "1. 쉘이 <quote>/etc/shells</quote>에 있으면 해당 쉘이 사용됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1057 @@ -1570,6 +1660,8 @@ msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" +"2. 쉘이 allowed_shells 목록에는 있지만 <quote>/etc/shells</quote>에는 " +"없으면, shell_fallback 매개변수의 값을 사용합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1062 @@ -1577,6 +1669,8 @@ msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" +"3. 쉘이 allowed_shells 목록에도 없고 <quote>/etc/shells</quote>에도 없으면, " +"nologin 쉘이 사용됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1067 @@ -1590,6 +1684,9 @@ msgid "" "shell is not in <quote>/etc/shells</quote> and maintaining list of all " "allowed shells in allowed_shells would be to much overhead." msgstr "" +"(*)는 사용자의 쉘이 <quote>/etc/shells</quote>에 없을 때 shell_fallback을 " +"사용하려는 경우에 유용하며, allowed_shells에 모든 허용된 쉘 목록을 유지하는 " +"것이 부담스러울 때 사용합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1077 
@@ -1602,6 +1699,8 @@ msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" +"<quote>/etc/shells</quote>는 SSSD 시작 시에만 읽히므로, 새 쉘이 설치된 경우 " +"SSSD를 다시 시작해야 합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1084 @@ -1645,6 +1744,8 @@ msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" +"공급자가 조회 중 쉘을 반환하지 않는 경우 사용할 기본 쉘입니다. 이 옵션은 " +"[nss] 섹션에서 전역적으로 또는 도메인별로 지정할 수 있습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1118 @@ -1652,6 +1753,8 @@ msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" +"기본값: 설정되지 않음(쉘을 지정하지 않으면 NULL을 반환하고 필요 시 libc가 " +"적절한 값으로 대체하도록 합니다. 보통 /bin/sh)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1125 sssd.conf.5.xml:1479 @@ -1676,6 +1779,8 @@ msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" +"메모리 내 캐시의 레코드가 유효한 시간(초)을 지정합니다. 이 옵션을 0으로 " +"설정하면 메모리 내 캐시가 비활성화됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1148 
@@ -1683,6 +1788,8 @@ msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" +"경고: 메모리 내 캐시를 비활성화하면 SSSD 성능에 심각한 부정적인 영향을 " +"미치며 테스트 목적으로만 사용해야 합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1154 sssd.conf.5.xml:1179 sssd.conf.5.xml:1204 @@ -1691,6 +1798,8 @@ msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" +"참고: 환경 변수 SSS_NSS_USE_MEMCACHE가 \"NO\"로 설정된 경우, 클라이언트 응용 " +"프로그램은 빠른 메모리 내 캐시를 사용하지 않습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1162 @@ -1704,6 +1813,8 @@ msgid "" "for passwd requests. Setting the size to 0 will disable the passwd in-" "memory cache." msgstr "" +"passwd 요청을 위해 빠른 캐쉬 메모리 내에 할당된 자료 테이블의 크기(megabytes)" +"입니다. 크기를 0으로 설정하면 메모리 내의 passwd 가 비활성화됩니다." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1171 sssd.conf.5.xml:2720 sssd-ldap.5.xml:513 @@ -1716,6 +1827,8 @@ msgid "" "WARNING: Disabled or too small in-memory cache can have significant negative " "impact on SSSD's performance." msgstr "" +"경고: 비활성화되었거나 너무 작은 메모리 내 캐시는 SSSD 성능에 심각한 " +"부정적인 영향을 미칠 수 있습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1187 @@ -1729,6 +1842,8 @@ msgid "" "for group requests. Setting the size to 0 will disable the group in-memory " "cache." msgstr "" +"그룹 요청을 위한 빠른 캐쉬 메모리에 할당된 자료 테이블의 크기(megabytes). " +"크기를 0으로 설정하면 메모리 캐쉬에서 그룹이 비활성화됩니다." #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1196 sssd.conf.5.xml:3515 sssd-ldap.5.xml:453 
@@ -1748,6 +1863,9 @@ msgid "" "for initgroups requests. Setting the size to 0 will disable the initgroups " "in-memory cache." msgstr "" +"initgroups 요청을 위한 빠른 메모리 캐쉬에 안에 할당된 자료 테이블의 크기" +"(megabytes). 크기를 0으로 설정하면 메모리 캐쉬에 initgroups가 " +"비활성화됩니다." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:1237 sssd-ifp.5.xml:74 @@ -1764,6 +1882,11 @@ msgid "" "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for details) but with no default values." msgstr "" +"일부 추가 NSS 응답자 요청은 NSS 인터페이스에 정의된 POSIX 속성보다 더 많은 " +"속성을 반환할 수 있습니다. 속성 목록은 이 옵션에 의해 제어됩니다. InfoPipe " +"응답자의 <quote>user_attributes</quote> 옵션과 동일한 방식으로 처리됩니다" +"(자세한 내용은 <citerefentry> <refentrytitle>sssd-ifp</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> 참조). 다만 기본값은 없습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1253 @@ -1771,6 +1894,8 @@ msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" +"구성을 더 쉽게 하기 위해 NSS 응답자에 대해 설정되지 않은 경우 NSS 응답자가 " +"InfoPipe 옵션을 확인합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1258 @@ -1788,6 +1913,8 @@ msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" +"사용자 또는 그룹을 반환하는 NSS 연산이 <quote>password</quote> 필드에 대해 " +"반환하는 값입니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1271 
@@ -1799,7 +1926,7 @@ msgstr "기본값: <quote>*</quote>" msgid "" "Note: This option can also be set per-domain which overwrites the value in " "[nss] section." -msgstr "" +msgstr "참고: 이 옵션은 도메인별로도 설정할 수 있으며 [nss] 섹션의 값을 덮어씁니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1278 @@ -1808,6 +1935,8 @@ msgid "" "files domain), <quote>x</quote> (proxy domain with nss_files and sssd-" "shadowutils target)" msgstr "" +"기본값: <quote>설정되지 않음</quote>(원격 도메인), <quote>x</quote>(파일 " +"도메인), <quote>x</quote>(nss_files 및 sssd-shadowutils 대상의 프록시 도메인)" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:1288 @@ -1832,6 +1961,8 @@ msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" +"인증 공급자가 오프라인인 경우 캐시된 로그인을 허용해야 하는 기간(마지막 " +"성공적인 온라인 로그인 이후 일 수)입니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1303 sssd.conf.5.xml:1316 @@ -1848,7 +1979,7 @@ msgstr "offline_failed_login_attempts (정수)" msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." -msgstr "" +msgstr "인증 공급자가 오프라인인 경우 허용되는 로그인 시도 실패 횟수입니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1322 @@ -1861,6 +1992,8 @@ msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" +"offline_failed_login_attempts에 도달한 후 새 로그인 시도가 가능해지기 전에 " +"경과해야 하는 시간(분)입니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1330 
@@ -1869,6 +2002,9 @@ msgid "" "offline_failed_login_attempts has been reached. Only a successful online " "authentication can enable offline authentication again." msgstr "" +"0으로 설정하면 offline_failed_login_attempts에 도달한 경우 사용자가 " +"오프라인으로 인증할 수 없습니다. 성공적인 온라인 인증만이 오프라인 인증을 " +"다시 활성화할 수 있습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1336 sssd.conf.5.xml:1446 @@ -1886,6 +2022,8 @@ msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" +"인증 중 사용자에게 표시되는 메시지의 종류를 제어합니다. 숫자가 높을수록 더 " +"많은 메시지가 표시됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1350 @@ -1930,6 +2068,10 @@ msgid "" "responses sent to pam_sss e.g. messages displayed to the user or environment " "variables which should be set by pam_sss." msgstr "" +"PAM 응답자가 pam_sss PAM 모듈로 보내는 데이터를 제거(필터링)할 수 있는 " +"쉼표로 구분된 문자열 목록입니다. pam_sss로 전송되는 다양한 종류의 응답이 " +"있습니다. 예를 들어 사용자에게 표시되는 메시지 또는 pam_sss에 의해 " +"설정되어야 하는 환경 변수 등입니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1384 @@ -1937,6 +2079,8 @@ msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" +"메시지는 pam_verbosity 옵션의 도움으로 이미 제어할 수 있지만, 이 옵션은 다른 " +"종류의 응답도 필터링할 수 있게 합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1391 
@@ -1946,7 +2090,7 @@ msgstr "ENV" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1392 msgid "Do not send any environment variables to any service." -msgstr "모든 환경 변수를 다른 서비스에 보낼 수 없습니다." +msgstr "모든 환경 변수를 어떤 서비스에도 보내지 않습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1395 @@ -1956,7 +2100,7 @@ msgstr "ENV:var_name" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1396 msgid "Do not send environment variable var_name to any service." -msgstr "환경 변수 var_name을 다른 어떤 서비스에 보내지 않습니다." +msgstr "환경 변수 var_name을 어떤 서비스에도 보내지 않습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1400 @@ -1987,6 +2131,11 @@ msgid "" "that either all list elements must have a '+' or '-' prefix or none. It is " "considered as an error to mix both styles." msgstr "" +"문자열 목록은 이 필터 목록을 설정하고 기본값을 덮어쓰는 필터 목록이 될 수 " +"있습니다. 또는 목록의 각 요소에 '+' 또는 '-' 문자를 접두사로 붙여 기존 " +"기본값에 필터를 추가하거나 기본값에서 제거할 수 있습니다. 모든 목록 요소에 " +"'+' 또는 '-' 접두사가 있거나 모두 없어야 합니다. 두 가지 스타일을 혼용하는 " +"것은 오류로 간주됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1419 @@ -2011,6 +2160,8 @@ msgid "" "immediately update the cached identity information for the user in order to " "ensure that authentication takes place with the latest information." msgstr "" +"SSSD가 온라인 상태일 때 모든 PAM 요청에 대해, SSSD는 최신 정보로 인증이 " +"이루어지도록 사용자의 캐시된 ID 정보를 즉시 업데이트하려고 시도합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1438 
@@ -2020,6 +2171,9 @@ msgid "" "client-application basis) how long (in seconds) we can cache the identity " "information to avoid excessive round-trips to the identity provider." msgstr "" +"완전한 PAM 대화는 계정 관리 및 세션 열기와 같은 여러 PAM 요청을 수행할 수 " +"있습니다. 이 옵션은 (클라이언트 응용 프로그램별로) ID 공급자에 대한 과도한 " +"왕복을 피하기 위해 ID 정보를 캐시할 수 있는 시간(초)을 제어합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1452 @@ -2038,6 +2192,8 @@ msgid "" "expiration time of the password. If this information is missing, sssd " "cannot display a warning." msgstr "" +"백엔드 서버가 비밀번호의 만료 시간에 대한 정보를 제공해야 합니다. 이 정보가 " +"없으면 sssd는 경고를 표시할 수 없습니다." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1464 sssd.conf.5.xml:2747 @@ -2045,6 +2201,8 @@ msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" +"0으로 설정하면 이 필터가 적용되지 않습니다. 즉, 백엔드 서버에서 만료 경고를 " +"수신하면 자동으로 표시됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1469 @@ -2052,6 +2210,8 @@ msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" +"이 설정은 특정 도메인에 대해 <emphasis>pwd_expiration_warning</emphasis>을 " +"설정하여 재정의할 수 있습니다." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1474 sssd.conf.5.xml:3709 sssd-ldap.5.xml:549 sssd.8.xml:79 
@@ -2072,6 +2232,10 @@ msgid "" "<quote>pam_public_domains</quote>. User names are resolved to UIDs at " "startup." msgstr "" +"신뢰할 수 있는 도메인에 대해 PAM 대화를 실행할 수 있는 UID 값 또는 사용자 " +"이름의 쉼표로 구분된 목록을 지정합니다. 이 목록에 포함되지 않은 사용자는 " +"<quote>pam_public_domains</quote>로 공개로 표시된 도메인에만 접근할 수 " +"있습니다. 사용자 이름은 시작 시 UID로 확인됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1504 @@ -2084,6 +2248,8 @@ msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" +"UID 0은 pam_trusted_users 목록에 없더라도 항상 PAM 응답자에 대한 접근이 " +"허용됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1515 @@ -2096,11 +2262,13 @@ msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" +"신뢰할 수 없는 사용자도 접근할 수 있는 도메인 이름의 쉼표로 구분된 목록을 " +"지정합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1522 msgid "Two special values for pam_public_domains option are defined:" -msgstr "" +msgstr "pam_public_domains 옵션에 대해 두 가지 특수 값이 정의되어 있습니다:" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1526 @@ -2135,6 +2303,8 @@ msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" +"기본 '권한이 거부되었습니다' 메시지를 대체하는 사용자 지정 만료 메시지를 " +"설정할 수 있습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1547 
@@ -2142,6 +2312,8 @@ msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" +"참고: pam_verbosity가 3(모든 메시지 및 디버그 정보 표시)으로 설정되지 않는 " +"한 메시지는 SSH 서비스에 대해서만 출력됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1555 @@ -2164,6 +2336,8 @@ msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" +"기본 '권한이 거부되었습니다' 메시지를 대체하는 사용자 지정 잠금 메시지를 " +"설정할 수 있습니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1574 @@ -2188,6 +2362,9 @@ msgid "" "additional communication with the Smartcard which will delay the " "authentication process this option is disabled by default." msgstr "" +"인증서 기반 스마트카드 인증을 활성화합니다. 스마트카드와의 추가 통신이 " +"필요하여 인증 프로세스가 지연되므로 이 옵션은 기본적으로 비활성화되어 " +"있습니다." #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1592 sssd-ldap.5.xml:590 sssd-ldap.5.xml:611 @@ -2234,6 +2411,10 @@ msgid "" "section. Supported options are the same of <quote>certificate_verification</" "quote>." msgstr "" +"이 매개변수를 사용하면 <quote>[sssd]</quote> 섹션의 <quote>" +"certificate_verification</quote> 값을 재정의하는 쉼표로 구분된 옵션 목록으로 " +"PAM 인증서 확인을 조정할 수 있습니다. 지원되는 옵션은 <quote>" +"certificate_verification</quote>과 동일합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1629 
@@ -2251,6 +2432,8 @@ msgid "" "Default: not set, i.e. use default <quote>certificate_verification</quote> " "option defined in <quote>[sssd]</quote> section." msgstr "" +"기본값: 설정되지 않음. 즉, <quote>[sssd]</quote> 섹션에 정의된 기본 <quote>" +"certificate_verification</quote> 옵션을 사용합니다." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1640 @@ -2272,7 +2455,7 @@ msgstr "pam_app_services (문자열)" msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" -msgstr "" +msgstr "<quote>application</quote> 유형의 도메인에 접속할 수 있는 PAM 서비스" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1664 @@ -2307,6 +2490,12 @@ msgid "" "<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" +"<quote>+service_name</quote>을 사용하여 기본 집합에 다른 PAM 서비스 이름을 " +"추가하거나 <quote>-service_name</quote>을 사용하여 기본 집합에서 PAM 서비스 " +"이름을 명시적으로 제거할 수 있습니다. 예를 들어 스마트카드 인증을 위한 기본 " +"PAM 서비스 이름(예: <quote>login</quote>)을 사용자 지정 PAM 서비스 이름(예: " +"<quote>my_pam_service</quote>)으로 대체하려면 다음과 같이 구성합니다: " +"<placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1686 sssd-ad.5.xml:621 sssd-ad.5.xml:730 sssd-ad.5.xml:788 @@ -8803,6 +8992,8 @@ msgid "" "This option can be used to specify which extended key usage the certificate " "should have. The following value can be used in a comma separated list:" msgstr "" +"이와 같은 옵션은 확장된 키 사용 값을 갖도록 지정하는 데 사용 될 수 있습니다. " +"다음 값은 쉼표로 분리된 목록에서 사용 될 수 있습니다:" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:163 
@@ -9397,6 +9588,8 @@ msgid "" "This template will add the DN string of the value which is stored in the " "directoryName component of the SAN." msgstr "" +"이와 같은 템플릿트는 SAN의 디렉토리명칭 구성 요소에서 저장된 것과 같은 DN " +"문자열이 추가됩니다." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:575 @@ -17093,6 +17286,8 @@ msgid "" "When using ldap_account_expire_policy=rhds or equivalent, this parameter " "determines if access is allowed or not." msgstr "" +"ldap_account_expire_policy=rhds 이거나 동일하게 사용 할 때에, 이와 같은 " +"매개변수는 접근 허용 여부를 결정합니다." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:368 @@ -17669,7 +17864,7 @@ msgstr "ldap_host_fqdn (문자열)" msgid "" "The LDAP attribute that corresponds to the host's fully-qualified domain " "name." -msgstr "" +msgstr "호스트의 정규화된 도메인 이름에 일치하는 LDAP 속성." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:907 diff --git a/src/man/po/pt.po b/src/man/po/pt.po index 93bac206ab4..3dee07a6cf2 100644 --- a/src/man/po/pt.po +++ b/src/man/po/pt.po @@ -9,7 +9,7 @@ msgstr "" "Project-Id-Version: sssd-docs 2.3.0\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" "POT-Creation-Date: 2026-01-14 15:00+0000\n" -"PO-Revision-Date: 2026-04-23 17:01+0000\n" +"PO-Revision-Date: 2026-05-12 17:59+0000\n" "Last-Translator: Américo Monteiro <a_monteiro@gmx.com>\n" "Language-Team: Portuguese <https://translate.fedoraproject.org/projects/sssd/" "sssd-manpage-master/pt/>\n" @@ -18,7 +18,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" -"X-Generator: Weblate 5.17\n" +"X-Generator: Weblate 5.17.1\n" #. type: Content of: <reference><title> #: sssd.conf.5.xml:8 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 
@@ -10486,8 +10486,8 @@ msgid "" "this file." msgstr "" "Provedor de autenticação krb5 do SSSD o qual é usado pelos provedores IPA e " -"AD assim como adiciona os endereços do KDC actual ou controlador de domínio " -"que o SSSD está usar para este ficheiro." +"AD também adiciona os endereços do KDC atual ou controlador de domínio que o " +"SSSD está usar para este ficheiro." #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:70 diff --git a/src/man/po/ro.po b/src/man/po/ro.po new file mode 100644 index 00000000000..e1d2408ae9a --- /dev/null +++ b/src/man/po/ro.po 
@@ -0,0 +1,18798 @@ +# SOME DESCRIPTIVE TITLE +# Copyright (C) YEAR Red Hat +# This file is distributed under the same license as the sssd-docs package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# +msgid "" +msgstr "" +"Project-Id-Version: sssd-docs 2.12.0\n" +"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" +"POT-Creation-Date: 2026-01-14 15:00+0000\n" +"PO-Revision-Date: 2026-05-14 05:59+0000\n" +"Last-Translator: Petru Rebeja <petru@rebeja.eu>\n" +"Language-Team: Romanian <https://translate.fedoraproject.org/projects/sssd/" +"sssd-manpage-master/ro/>\n" +"Language: ro\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=3; plural=n==1 ? 0 : (n==0 || (n%100 > 0 && n%100 < " +"20)) ? 1 : 2;\n" +"X-Generator: Weblate 5.17.1\n" + +#. type: Content of: <reference><title> +#: sssd.conf.5.xml:8 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 +#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 +#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd-idp.5.xml:5 +#: sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_override.8.xml:5 sssd-krb5.5.xml:5 +#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 +#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 +#: sss_ssh_knownhosts.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 +#: sssd-session-recording.5.xml:5 sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +#: sssd-ldap-attributes.5.xml:5 sssd_krb5_localauth_plugin.8.xml:5 +msgid "SSSD Manual pages" +msgstr "Pagini ale manualului SSSD" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:13 sssd.conf.5.xml:19 +msgid "sssd.conf" +msgstr "sssd.conf" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:14 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-idp.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 +#: sss_rpcidmapd.5.xml:27 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 sssd-ldap-attributes.5.xml:11 +msgid "5" +msgstr "5" + +#. type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:15 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-idp.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 +#: sss_rpcidmapd.5.xml:28 sssd-session-recording.5.xml:12 sssd-kcm.8.xml:12 +#: sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 +msgid "File Formats and Conventions" +msgstr "Formate ale fișierelor și convenții" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:20 +msgid "the configuration file for SSSD" +msgstr "fișierul de configurare al SSSD" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:24 +msgid "FILE FORMAT" +msgstr "FORMAT FIȘIER" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:32 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:27 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and " +"multi-valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:39 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:44 +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:50 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:56 +msgid "" +"<filename>sssd.conf</filename> must be a regular file that is owned, " +"readable, and writeable only by 'root'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:60 +msgid "" +"<filename>sssd.conf</filename> must be a regular file that is accessible " +"only by the user used to run SSSD service or root." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:66 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory " +"<filename>conf.d</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:75 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:83 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:97 +msgid "" +"The snippet files require the same owner and permissions as " +"<filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:103 +msgid "GENERAL OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:105 +msgid "Following options are usable in more than one configuration sections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:109 +msgid "Options usable in all sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:113 +msgid "debug_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:117 +msgid "debug (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:120 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. 
If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:130 +msgid "debug_timestamps (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:138 sssd.conf.5.xml:175 sssd.conf.5.xml:337 +#: sssd.conf.5.xml:644 sssd.conf.5.xml:668 sssd.conf.5.xml:875 +#: sssd.conf.5.xml:979 sssd.conf.5.xml:2113 sssd-ldap.5.xml:979 +#: sssd-ldap.5.xml:1134 sssd-ldap.5.xml:1237 sssd-ldap.5.xml:1306 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1848 sssd-ldap.5.xml:1913 +#: sssd-ipa.5.xml:346 sssd-ad.5.xml:252 sssd-ad.5.xml:367 sssd-ad.5.xml:1180 +#: sssd-ad.5.xml:1382 sssd-krb5.5.xml:358 +msgid "Default: true" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:143 +msgid "debug_microseconds (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" + +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:151 sssd.conf.5.xml:2040 sssd.conf.5.xml:4158 +#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:998 sssd-ldap.5.xml:1209 +#: sssd-ldap.5.xml:1663 sssd-ldap.5.xml:1937 sssd-ipa.5.xml:146 +#: sssd-ipa.5.xml:706 sssd-ad.5.xml:1135 sssd-krb5.5.xml:268 +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:432 include/krb5_options.xml:163 +msgid "Default: false" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:156 +msgid "debug_backtrace_enabled (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:159 +msgid "Enable debug backtrace." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"In case SSSD is run with debug_level less than 9, everything is logged to a " +"ring buffer in memory and flushed to a log file on any error up to and " +"including `min(0x0040, debug_level)` (i.e. if debug_level is explicitly set " +"to 0 or 1 then only those error levels will trigger backtrace, otherwise up " +"to 2)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:171 +msgid "" +"Feature is only supported for `logger == files` (i.e. setting doesn't have " +"effect for other logger types)." +msgstr "" + +#. type: Content of: outside any tag (error?) 
+#: sssd.conf.5.xml:111 sssd.conf.5.xml:186 sssd-ldap.5.xml:1754 +#: sssd-ldap.5.xml:1960 sss-certmap.5.xml:645 sssd-systemtap.5.xml:82 +#: sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 +#: sssd-systemtap.5.xml:330 sssd-ldap-attributes.5.xml:40 +#: sssd-ldap-attributes.5.xml:661 sssd-ldap-attributes.5.xml:803 +#: sssd-ldap-attributes.5.xml:892 sssd-ldap-attributes.5.xml:989 +#: sssd-ldap-attributes.5.xml:1047 sssd-ldap-attributes.5.xml:1205 +#: sssd-ldap-attributes.5.xml:1250 sssd-ldap-attributes.5.xml:1295 +#: include/autofs_attributes.xml:1 include/krb5_options.xml:1 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:184 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:188 +msgid "timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:191 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:198 sssd.conf.5.xml:1199 sssd.conf.5.xml:1673 +#: sssd.conf.5.xml:4174 sssd-ldap.5.xml:825 sssd-idp.5.xml:192 +#: include/ldap_id_mapping.xml:270 +msgid "Default: 10" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:208 +msgid "SPECIAL SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:211 +msgid "The [sssd] section" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><title> +#: sssd.conf.5.xml:220 +msgid "Section parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:222 +msgid "services" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:225 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 +msgid "" +"Supported services: nss, pam, ifp <phrase condition=\"with_sudo\">, " +"sudo</phrase> <phrase condition=\"with_autofs\">, autofs</phrase> <phrase " +"condition=\"with_ssh\">, ssh</phrase> <phrase " +"condition=\"with_pac_responder\">, pac</phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:241 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:250 +msgid "domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:253 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. 
This parameter describes the list of domains in the order you want " +"them to be queried. A domain name is recommended to contain only " +"alphanumeric ASCII characters, dashes, dots and underscores. '/' character " +"is forbidden." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:266 sssd.conf.5.xml:3467 +msgid "re_expression (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:269 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:274 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:283 sssd.conf.5.xml:3524 +msgid "full_name_format (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:286 sssd.conf.5.xml:3527 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry>-compatible format that describes " +"how to compose a fully qualified name from user name and domain name " +"components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:3538 +msgid "%1$s" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:298 sssd.conf.5.xml:3539 +msgid "user name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:301 sssd.conf.5.xml:3542 +msgid "%2$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:304 sssd.conf.5.xml:3545 +msgid "domain name as specified in the SSSD config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:310 sssd.conf.5.xml:3551 +msgid "%3$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:313 sssd.conf.5.xml:3554 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:3535 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:323 +msgid "" +"Each domain can have an individual format string configured. See DOMAIN " +"SECTIONS for more info on this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:329 +msgid "monitor_resolv_conf (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:332 +msgid "" +"Controls if SSSD should monitor the state of resolv.conf to identify when it " +"needs to update its internal DNS resolver." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:342 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:345 +msgid "" +"By default, SSSD will attempt to use inotify to monitor configuration files " +"changes and will fall back to polling every five seconds if inotify cannot " +"be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:351 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. In these rare cases, this option should be set " +"to 'false'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:357 +msgid "" +"Default: true on platforms where inotify is supported. False on other " +"platforms." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:361 +msgid "" +"Note: this option will have no effect on platforms where inotify is " +"unavailable. On these platforms, polling will always be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:368 +msgid "krb5_rcache_dir (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:371 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:375 +msgid "" +"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " +"SSSD to let libkrb5 decide the appropriate location for the replay cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:381 +msgid "" +"Default: Distribution-specific and specified at " +"build-time. (__LIBKRB5_DEFAULTS__ if not configured)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:388 +msgid "default_domain_suffix (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:391 +msgid "" +"Please note that this option is deprecated and domain_resolution_order " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:395 +msgid "" +"This string will be used as a default domain name for all names without a " +"domain name component. The main use case is environments where the primary " +"domain is intended for managing host policies and all users are located in a " +"trusted domain. The option allows those users to log in just with their " +"user name without giving a domain name as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:405 +msgid "" +"Please note that if this option is set all users from the primary domain " +"have to use their fully qualified name, e.g. user@domain.name, to log " +"in. Setting this option changes default of use_fully_qualified_names to " +"True. It is not allowed to use this option together with " +"use_fully_qualified_names set to False." +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:414 sssd-ldap.5.xml:937 sssd-ldap.5.xml:949 +#: sssd-ldap.5.xml:1042 sssd-ad.5.xml:921 sssd-ad.5.xml:996 sssd-krb5.5.xml:468 +#: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:978 +#: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222 +#: include/krb5_options.xml:148 +msgid "Default: not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:419 +msgid "override_space (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:422 +msgid "" +"This parameter will replace spaces (space bar) with the given character for " +"user and group names. e.g. (_). User name "john doe" will be " +""john_doe" This feature was added to help compatibility with shell " +"scripts that have difficulty handling spaces, due to the default field " +"separator in the shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:431 +msgid "" +"Please note it is a configuration error to use a replacement character that " +"might be used in user or group names. If a name contains the replacement " +"character SSSD tries to return the unmodified name but in general the result " +"of a lookup is undefined." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:439 +msgid "Default: not set (spaces will not be replaced)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:444 +msgid "certificate_verification (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:452 +msgid "no_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:454 +msgid "" +"Disables Online Certificate Status Protocol (OCSP) checks. This might be " +"needed if the OCSP servers defined in the certificate are not reachable from " +"the client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:462 +msgid "soft_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:464 +msgid "" +"If a connection cannot be established to an OCSP responder the OCSP check is " +"skipped. This option should be used to allow authentication when the system " +"is offline and the OCSP responder cannot be reached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:474 +msgid "ocsp_dgst" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:476 +msgid "" +"Digest (hash) function used to create the certificate ID for the OCSP " +"request. Allowed values are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:480 +msgid "sha1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:481 +msgid "sha256" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:482 +msgid "sha384" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:483 +msgid "sha512" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:486 +msgid "Default: sha1 (to allow compatibility with RFC5019-compliant responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:492 +msgid "no_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:494 +msgid "" +"Disables verification completely. 
This option should only be used for " +"testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:500 +msgid "partial_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:502 +msgid "" +"Allow verification to succeed even if a <replaceable>complete</replaceable> " +"chain cannot be built to a self-signed trust-anchor, provided it is possible " +"to construct a chain to a trusted certificate that might not be self-signed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:511 +msgid "ocsp_default_responder=URL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:513 +msgid "" +"Sets the OCSP default responder which should be used instead of the one " +"mentioned in the certificate. URL must be replaced with the URL of the OCSP " +"default responder e.g. http://example.com:80/ocsp." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:523 +msgid "ocsp_default_responder_signing_cert=NAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:525 +msgid "" +"This option is currently ignored. All needed certificates must be available " +"in the PEM file given by pam_cert_db_path." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:533 +msgid "crl_file=/PATH/TO/CRL/FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:535 +msgid "" +"Use the Certificate Revocation List (CRL) from the given file during the " +"verification of the certificate. The CRL must be given in PEM format, see " +"<citerefentry> <refentrytitle>crl</refentrytitle> " +"<manvolnum>1ssl</manvolnum> </citerefentry> for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:548 +msgid "soft_crl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:551 +msgid "" +"If a Certificate Revocation List (CRL) is expired ignore the expiration " +"time of the CRL and check the related certificates with the expired " +"CRL. This option should be used to allow authentication when the system is " +"offline and the CRL cannot be renewed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:447 +msgid "" +"With this parameter the certificate verification can be tuned with a comma " +"separated list of options. Supported options are: <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:564 +msgid "Unknown options are reported but ignored." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:567 +msgid "Default: not set, i.e. do not restrict certificate verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:573 +msgid "disable_netlink (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:576 +msgid "" +"SSSD hooks into the netlink interface to monitor changes to routes, " +"addresses, links and trigger certain actions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:581 +msgid "" +"The SSSD state changes caused by netlink events may be undesirable and can " +"be disabled by setting this option to 'true'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:586 +msgid "Default: false (netlink changes are detected)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:591 +msgid "domain_resolution_order" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:594 +msgid "" +"Comma separated list of domains and subdomains representing the lookup order " +"that will be followed. The list doesn't have to include all possible " +"domains as the missing domains will be looked up based on the order they're " +"presented in the <quote>domains</quote> configuration option. The " +"subdomains which are not listed as part of <quote>lookup_order</quote> will " +"be looked up in a random order for each parent domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:606 +msgid "" +"Please, note that when this option is set the output format of all commands " +"is always fully-qualified even when using short names for input. In case " +"the administrator wants the output not fully-qualified, the full_name_format " +"option can be used as shown below: <quote>full_name_format=%1$s</quote> " +"However, keep in mind that during login, login applications often " +"canonicalize the username by calling <citerefentry> " +"<refentrytitle>getpwnam</refentrytitle> <manvolnum>3</manvolnum> " +"</citerefentry> which, if a shortname is returned for a qualified input " +"(while trying to reach a user which exists in multiple domains) might " +"re-route the login attempt into the domain which uses shortnames, making " +"this workaround totally not recommended in cases where usernames may overlap " +"between domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:630 sssd.conf.5.xml:1697 sssd.conf.5.xml:4224 +#: sssd-ad.5.xml:187 sssd-ad.5.xml:328 sssd-ad.5.xml:342 sssd-idp.5.xml:108 +#: sssd-idp.5.xml:132 sssd-idp.5.xml:145 sssd-idp.5.xml:159 sssd-idp.5.xml:180 +msgid "Default: Not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:635 +msgid "implicit_pac_responder (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:638 +msgid "" +"The PAC responder is enabled automatically for the IPA and AD provider to " +"evaluate and check the PAC. If it has to be disabled set this option to " +"'false'." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:649 +msgid "core_dumpable (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:652 +msgid "" +"This option can be used for general system hardening: setting it to 'false' " +"forbids core dumps for all SSSD processes to avoid leaking plain text " +"passwords. See man page prctl:PR_SET_DUMPABLE on Linux or " +"procctl:PROC_TRACE_CTL on FreeBSD for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:660 +msgid "" +"Take a note that this setting has no effect for 'ldap_child', 'krb5_child' " +"and 'sssd_pam' as those privileged binaries can have a copy of a host keytab " +"data in a memory and their behavior in this regards is governed by " +"/proc/sys/fs/suid_dumpable system setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:673 +msgid "passkey_verification (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:681 +msgid "user_verification (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:683 +msgid "" +"Enable or disable the user verification (i.e. PIN, fingerprint) during " +"authentication. If enabled, the PIN will always be requested." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:689 +msgid "" +"The default is that the key settings decide what to do. In the IPA or " +"kerberos pre-authentication case, this value will be overwritten by the " +"server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:676 +msgid "" +"With this parameter the passkey verification can be tuned with a comma " +"separated list of options. Supported options are: <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:213 +msgid "" +"Individual pieces of SSSD functionality are provided by special SSSD " +"services that are started and stopped together with SSSD. The services are " +"managed by a special service frequently called <quote>monitor</quote>. The " +"<quote>[sssd]</quote> section is used to configure the monitor as well as " +"some other important options like the identity domains. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:708 +msgid "SERVICES SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:710 +msgid "" +"Settings that can be used to configure different services are described in " +"this section. They should reside in the [<replaceable>$NAME</replaceable>] " +"section, for example, for NSS service, the section would be " +"<quote>[nss]</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:717 +msgid "General service configuration options" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:719 +msgid "These options can be used to configure any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:723 +msgid "fd_limit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:726 +msgid "" +"This option specifies the maximum number of file descriptors that may be " +"opened at one time by this SSSD process. On systems where SSSD is granted " +"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " +"systems without this capability, the resulting value will be the lower value " +"of this or the limits.conf \"hard\" limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:735 +msgid "Default: 8192 (or limits.conf \"hard\" limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:740 +msgid "client_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:743 +msgid "" +"This option specifies the number of seconds that a client of an SSSD process " +"can hold onto a file descriptor without communicating on it. This value is " +"limited in order to avoid resource exhaustion on the system. The timeout " +"can't be shorter than 10 seconds. If a lower value is configured, it will be " +"adjusted to 10 seconds." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:752 +msgid "Default: 60, KCM: 300" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:757 +msgid "offline_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:760 +msgid "" +"When SSSD switches to offline mode the amount of time before it tries to go " +"back online will increase based upon the time spent disconnected. By " +"default SSSD uses incremental behaviour to calculate delay in between " +"retries. So, the wait time for a given retry will be longer than the wait " +"time for the previous ones. After each unsuccessful attempt to go online, " +"the new interval is recalculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:771 sssd.conf.5.xml:827 +msgid "" +"new_delay = Minimum(old_delay * 2, offline_timeout_max) + " +"random[0...offline_timeout_random_offset]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:774 +msgid "" +"The offline_timeout default value is 60. The offline_timeout_max default " +"value is 3600. The offline_timeout_random_offset default value is 30. The " +"end result is amount of seconds before next retry." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:780 +msgid "" +"Note that the maximum length of each interval is defined by " +"offline_timeout_max (apart of random part)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:784 sssd.conf.5.xml:1110 sssd.conf.5.xml:1490 +#: sssd.conf.5.xml:1791 sssd-ldap.5.xml:550 +msgid "Default: 60" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:789 +msgid "offline_timeout_max (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:792 +msgid "" +"Controls by how much the time between attempts to go online can be " +"incremented following unsuccessful attempts to go online." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:797 +msgid "A value of 0 disables the incrementing behaviour." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:800 +msgid "" +"The value of this parameter should be set in correlation to offline_timeout " +"parameter value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:804 +msgid "" +"With offline_timeout set to 60 (default value) there is no point in setting " +"offlinet_timeout_max to less than 120 as it will saturate instantly. General " +"rule here should be to set offline_timeout_max to at least 4 times " +"offline_timeout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:810 +msgid "" +"Although a value between 0 and offline_timeout may be specified, it has the " +"effect of overriding the offline_timeout value so is of little use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:815 +msgid "Default: 3600" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:820 +msgid "offline_timeout_random_offset (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:823 +msgid "" +"When SSSD is in offline mode it keeps probing backend servers in specified " +"time intervals:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:830 +msgid "" +"This parameter controls the value of the random offset used for the above " +"equation. Final random_offset value will be random number in range:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:835 +msgid "[0 - offline_timeout_random_offset]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:838 +msgid "A value of 0 disables the random offset addition." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:841 +msgid "Default: 30" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:846 +msgid "responder_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:849 +msgid "" +"This option specifies the number of seconds that an SSSD responder process " +"can be up without being used. This value is limited in order to avoid " +"resource exhaustion on the system. The minimum acceptable value for this " +"option is 60 seconds. Setting this option to 0 (zero) means that no timeout " +"will be set up to the responder. This option only has effect when SSSD is " +"built with systemd support and when services are either socket or D-Bus " +"activated." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:863 sssd.conf.5.xml:1123 sssd.conf.5.xml:2248 +#: sssd-ldap.5.xml:377 +msgid "Default: 300" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:868 +msgid "cache_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:871 +msgid "" +"This option specifies whether the responder should query all caches before " +"querying the Data Providers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:883 +msgid "NSS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:885 +msgid "" +"These options can be used to configure the Name Service Switch (NSS) " +"service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:890 +msgid "enum_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:893 +msgid "" +"How many seconds should nss_sss cache enumerations (requests for info about " +"all users)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:897 +msgid "Default: 120" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:902 +msgid "entry_cache_nowait_percentage (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:905 +msgid "" +"The entry cache can be set to automatically update entries in the background " +"if they are requested beyond a percentage of the entry_cache_timeout value " +"for the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:911 +msgid "" +"For example, if the domain's entry_cache_timeout is set to 30s and " +"entry_cache_nowait_percentage is set to 50 (percent), entries that come in " +"after 15 seconds past the last cache update will be returned immediately, " +"but the SSSD will go and update the cache on its own, so that future " +"requests will not need to block waiting for a cache update." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:921 +msgid "" +"Valid values for this option are 0-99 and represent a percentage of the " +"entry_cache_timeout for each domain. For performance reasons, this " +"percentage will never reduce the nowait timeout to less than 10 seconds. (0 " +"disables this feature)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:929 sssd.conf.5.xml:2061 +msgid "Default: 50" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:934 +msgid "entry_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:937 +msgid "" +"Specifies for how many seconds nss_sss should cache negative cache hits " +"(that is, queries for invalid database entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:943 sssd.conf.5.xml:1685 sssd.conf.5.xml:2085 +msgid "Default: 15" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:948 +msgid "filter_users, filter_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:951 +msgid "" +"Exclude certain users or groups from being fetched from the sss NSS " +"database. This is particularly useful for system accounts. This option can " +"also be set per-domain or include fully-qualified names to filter only users " +"from the particular domain or by a user principal name (UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:959 +msgid "" +"NOTE: The filter_groups option doesn't affect inheritance of nested group " +"members, since filtering happens after they are propagated for returning via " +"NSS. E.g. a group having a member group filtered out will still have the " +"member users of the latter listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:967 +msgid "Default: root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:972 +msgid "filter_users_in_groups (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:975 +msgid "If you want filtered user still be group members set this option to false." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:986 +msgid "fallback_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:989 +msgid "" +"Set a default template for a user's home directory if one is not specified " +"explicitly by the domain's data provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:994 +msgid "The available values for this option are the same as for override_homedir." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1000 +#, no-wrap +msgid "" +"fallback_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:998 sssd.conf.5.xml:1557 sssd.conf.5.xml:1576 +#: sssd.conf.5.xml:1653 sssd-krb5.5.xml:451 include/override_homedir.xml:78 +msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1004 +msgid "Default: not set (no substitution for unset home directories)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1010 +msgid "override_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1013 +msgid "" +"Override the login shell for all users. This option supersedes any other " +"shell options if it takes effect and can be set either in the [nss] section " +"or per-domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1019 +msgid "Default: not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1025 +msgid "allowed_shells (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1028 +msgid "Restrict user shell to one of the listed values. The order of evaluation is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1031 +msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1035 +msgid "" +"2. If the shell is in the allowed_shells list but not in " +"<quote>/etc/shells</quote>, use the value of the shell_fallback parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1040 +msgid "" +"3. If the shell is not in the allowed_shells list and not in " +"<quote>/etc/shells</quote>, a nologin shell is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1045 +msgid "The wildcard (*) can be used to allow any shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1048 +msgid "" +"The (*) is useful if you want to use shell_fallback in case that user's " +"shell is not in <quote>/etc/shells</quote> and maintaining list of all " +"allowed shells in allowed_shells would be to much overhead." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1055 +msgid "An empty string for shell is passed as-is to libc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1058 +msgid "" +"The <quote>/etc/shells</quote> is only read on SSSD start up, which means " +"that a restart of the SSSD is required in case a new shell is installed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1062 +msgid "Default: Not set. The user shell is automatically used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1067 +msgid "vetoed_shells (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1070 +msgid "Replace any instance of these shells with the shell_fallback" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1075 +msgid "shell_fallback (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1078 +msgid "" +"The default shell to use if an allowed shell is not installed on the " +"machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1082 +msgid "Default: /bin/sh" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1087 +msgid "default_shell" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1090 +msgid "" +"The default shell to use if the provider does not return one during " +"lookup. This option can be specified globally in the [nss] section or " +"per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1096 +msgid "" +"Default: not set (Return NULL if no shell is specified and rely on libc to " +"substitute something sensible when necessary, usually /bin/sh)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1103 sssd.conf.5.xml:1483 +msgid "get_domains_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1486 +msgid "" +"Specifies time in seconds for which the list of subdomains will be " +"considered valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1115 +msgid "memcache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1118 +msgid "" +"Specifies time in seconds for which records in the in-memory cache will be " +"valid. Setting this option to zero will disable the in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1126 +msgid "" +"WARNING: Disabling the in-memory cache will have significant negative impact " +"on SSSD's performance and should only be used for testing." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1132 sssd.conf.5.xml:1157 sssd.conf.5.xml:1182 +#: sssd.conf.5.xml:1207 sssd.conf.5.xml:1234 +msgid "" +"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " +"client applications will not use the fast in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1140 +msgid "memcache_size_passwd (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1143 +msgid "" +"Size (in megabytes) of the data table allocated inside fast in-memory cache " +"for passwd requests. Setting the size to 0 will disable the passwd " +"in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1149 sssd.conf.5.xml:2888 sssd-ldap.5.xml:604 +msgid "Default: 8" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1152 sssd.conf.5.xml:1177 sssd.conf.5.xml:1202 +#: sssd.conf.5.xml:1229 +msgid "" +"WARNING: Disabled or too small in-memory cache can have significant negative " +"impact on SSSD's performance." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1165 +msgid "memcache_size_group (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1168 +msgid "" +"Size (in megabytes) of the data table allocated inside fast in-memory cache " +"for group requests. Setting the size to 0 will disable the group in-memory " +"cache." +msgstr "" + +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1174 sssd.conf.5.xml:1226 sssd.conf.5.xml:3656 +#: sssd-ldap.5.xml:534 sssd-ldap.5.xml:581 include/failover.xml:116 +#: include/krb5_options.xml:11 +msgid "Default: 6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1190 +msgid "memcache_size_initgroups (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1193 +msgid "" +"Size (in megabytes) of the data table allocated inside fast in-memory cache " +"for initgroups requests. Setting the size to 0 will disable the initgroups " +"in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1215 +msgid "memcache_size_sid (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1218 +msgid "" +"Size (in megabytes) of the data table allocated inside fast in-memory cache " +"for SID related requests. Only SID-by-ID and ID-by-SID requests are " +"currently cached in fast in-memory cache. Setting the size to 0 will " +"disable the SID in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1242 sssd-ifp.5.xml:90 +msgid "user_attributes (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1245 +msgid "" +"Some of the additional NSS responder requests can return more attributes " +"than just the POSIX ones defined by the NSS interface. The list of " +"attributes is controlled by this option. 
It is handled the same way as the " +"<quote>user_attributes</quote> option of the InfoPipe responder (see " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for details) but with no default " +"values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1258 +msgid "" +"To make configuration more easy the NSS responder will check the InfoPipe " +"option if it is not set for the NSS responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1263 +msgid "Default: not set, fallback to InfoPipe option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1268 +msgid "pwfield (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1271 +msgid "" +"The value that NSS operations that return users or groups will return for " +"the <quote>password</quote> field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1276 +msgid "Default: <quote>*</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1279 +msgid "" +"Note: This option can also be set per-domain which overwrites the value in " +"[nss] section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1283 +msgid "" +"Default: <quote>not set</quote> (remote domains), <quote>x</quote> (proxy " +"domain with nss_files and sssd-shadowutils target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1292
+msgid "PAM configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1294
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1299
+msgid "offline_credentials_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1302
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1307 sssd.conf.5.xml:1320
+msgid "Default: 0 (No limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1313
+msgid "offline_failed_login_attempts (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1316
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1326
+msgid "offline_failed_login_delay (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1329
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1334
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable offline authentication again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1340 sssd.conf.5.xml:1450
+msgid "Default: 5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1346
+msgid "pam_verbosity (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1349
+msgid ""
+"Controls what kind of messages are shown to the user during "
+"authentication. The higher the number to more messages are displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1354
+msgid "Currently sssd supports the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1357
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1360
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1364
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1367
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1371 sssd.8.xml:63
+msgid "Default: 1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1377
+msgid "pam_response_filter (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1380
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data sent "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses sent to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1388
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1395
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1396
+msgid "Do not send any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1399
+msgid "ENV:var_name"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1400
+msgid "Do not send environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1404
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1405
+msgid "Do not send environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1393
+msgid ""
+"Currently the following filters are supported: <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1412
+msgid ""
+"The list of strings can either be the list of filters which would set this "
+"list of filters and overwrite the defaults. Or each element of the list can "
+"be prefixed by a '+' or '-' character which would add the filter to the "
+"existing default or remove it from the defaults, respectively. Please note "
+"that either all list elements must have a '+' or '-' prefix or none. It is "
+"considered as an error to mix both styles."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1423
+msgid "Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1426
+msgid "Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the default list"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1433
+msgid "pam_id_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1436
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1442
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a "
+"per-client-application basis) how long (in seconds) we can cache the "
+"identity information to avoid excessive round-trips to the identity "
+"provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1456
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1459 sssd.conf.5.xml:2912
+msgid "Display a warning N days before the password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1462
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1468 sssd.conf.5.xml:2915
+msgid ""
+"If zero is set, then this filter is not applied, i.e. if the expiration "
+"warning was received from backend server, it will automatically be "
+"displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1473
+msgid ""
+"This setting can be overridden by setting "
+"<emphasis>pwd_expiration_warning</emphasis> for a particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1478 sssd.conf.5.xml:3913 sssd-ldap.5.xml:662
+#: sssd-ldap.5.xml:1733 sssd.8.xml:79
+msgid "Default: 0"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1495
+msgid "pam_trusted_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1498
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to run PAM conversations against trusted domains. Users not "
+"included in this list can only access domains marked as public with "
+"<quote>pam_public_domains</quote>. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1508
+msgid "Default: All users are considered trusted by default"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1512
+msgid ""
+"Please note that UID 0 is always allowed to access the PAM responder even in "
+"case it is not in the pam_trusted_users list."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1519
+msgid "pam_public_domains (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1522
+msgid ""
+"Specifies the comma-separated list of domain names that are accessible even "
+"to untrusted users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1526
+msgid "Two special values for pam_public_domains option are defined:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1530
+msgid "all (Untrusted users are allowed to access all domains in PAM responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1534
+msgid ""
+"none (Untrusted users are not allowed to access any domains PAM in "
+"responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1538 sssd.conf.5.xml:1563 sssd.conf.5.xml:1582
+#: sssd.conf.5.xml:1824 sssd.conf.5.xml:3842 sssd-ldap.5.xml:1270
+msgid "Default: none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1543
+msgid "pam_account_expired_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1546
+msgid ""
+"Allows a custom expiration message to be set, replacing the default "
+"'Permission denied' message."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1551
+msgid ""
+"Note: Please be aware that message is only printed for the SSH service "
+"unless pam_verbosity is set to 3 (show all messages and debug information)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1559
+#, no-wrap
+msgid ""
+"pam_account_expired_message = Account expired, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1568
+msgid "pam_account_locked_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1571
+msgid ""
+"Allows a custom lockout message to be set, replacing the default 'Permission "
+"denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1578
+#, no-wrap
+msgid ""
+"pam_account_locked_message = Account locked, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1587
+msgid "pam_passkey_auth (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1590
+msgid "Enable passkey device based authentication."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1593 sssd.conf.5.xml:1910 sssd-ad.5.xml:1286
+#: sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1598
+msgid "passkey_debug_libfido2 (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1601
+msgid "Enable libfido2 library debug messages."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1604 sssd.conf.5.xml:1618 sssd-ldap.5.xml:727
+#: sssd-ldap.5.xml:752 sssd-ldap.5.xml:848 sssd-ldap.5.xml:1356
+#: sssd-ad.5.xml:506 sssd-ad.5.xml:582 sssd-ad.5.xml:1155
+#: include/ldap_id_mapping.xml:250
+msgid "Default: False"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1609
+msgid "pam_cert_auth (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1612
+msgid ""
+"Enable certificate based Smartcard authentication. Since this requires "
+"additional communication with the Smartcard which will delay the "
+"authentication process this option is disabled by default."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1623
+msgid "pam_cert_db_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1626
+msgid "The path to the certificate database."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1629 sssd.conf.5.xml:2163 sssd.conf.5.xml:4338
+msgid "Default:"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1631 sssd.conf.5.xml:2165
+msgid ""
+"/etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted CA "
+"certificates in PEM format)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1641
+msgid "pam_cert_verification (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1644
+msgid ""
+"With this parameter the PAM certificate verification can be tuned with a "
+"comma separated list of options that override the "
+"<quote>certificate_verification</quote> value in <quote>[sssd]</quote> "
+"section. Supported options are the same of "
+"<quote>certificate_verification</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1655
+#, no-wrap
+msgid ""
+"pam_cert_verification = partial_chain\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1659
+msgid ""
+"Default: not set, i.e. use default <quote>certificate_verification</quote> "
+"option defined in <quote>[sssd]</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1666
+msgid "p11_child_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1669
+msgid "How many seconds will pam_sss wait for p11_child to finish."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1678
+msgid "passkey_child_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1681
+msgid "How many seconds will the PAM responder wait for passkey_child to finish."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1690
+msgid "pam_app_services (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1693
+msgid ""
+"Which PAM services are permitted to contact domains of type "
+"<quote>application</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1702
+msgid "pam_p11_allowed_services (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1705
+msgid ""
+"A comma-separated list of PAM service names for which it will be allowed to "
+"use Smartcards."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1720
+#, no-wrap
+msgid ""
+"pam_p11_allowed_services = +my_pam_service, -login\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1709
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in order "
+"to replace a default PAM service name for authentication with Smartcards "
+"(e.g.
<quote>login</quote>) with a custom PAM service name "
+"(e.g. <quote>my_pam_service</quote>), you would use the following "
+"configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1724 sssd-ad.5.xml:645 sssd-ad.5.xml:754 sssd-ad.5.xml:812
+#: sssd-ad.5.xml:870 sssd-ad.5.xml:948
+msgid "Default: the default set of PAM service names includes:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1729 sssd-ad.5.xml:649
+msgid "login"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1734 sssd-ad.5.xml:654
+msgid "su"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1739 sssd-ad.5.xml:659
+msgid "su-l"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1744 sssd-ad.5.xml:674
+msgid "gdm-smartcard"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1749 sssd-ad.5.xml:669
+msgid "gdm-password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1754
+msgid "gdm-switchable-auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1759 sssd-ad.5.xml:679
+msgid "kdm"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1764 sssd-ad.5.xml:957
+msgid "sudo"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1769 sssd-ad.5.xml:962
+msgid "sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1774
+msgid "gnome-screensaver"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1782
+msgid "p11_wait_for_card_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1785
+msgid ""
+"If Smartcard authentication is required how many extra seconds in addition "
+"to p11_child_timeout should the PAM responder wait until a Smartcard is "
+"inserted."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1796
+msgid "p11_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1799
+msgid ""
+"PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the "
+"selection of devices used for Smartcard authentication. By default SSSD's "
+"p11_child will search for a PKCS#11 slot (reader) where the 'removable' "
+"flags is set and read the certificates from the inserted token from the "
+"first slot found. If multiple readers are connected p11_uri can be used to "
+"tell p11_child to use a specific reader."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1812
+#, no-wrap
+msgid ""
+"p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1816
+#, no-wrap
+msgid ""
+"p11_uri = "
+"pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1810
+msgid ""
+"Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder "
+"type=\"programlisting\" id=\"1\"/> To find suitable URI please check the "
+"debug output of p11_child. As an alternative the GnuTLS utility 'p11tool' "
+"with e.g. the '--list-all' will show PKCS#11 URIs as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1829
+msgid "pam_initgroups_scheme"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1837
+msgid "always"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1838
+msgid "Always do an online lookup, please note that pam_id_timeout still applies"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1842
+msgid "no_session"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1843
+msgid ""
+"Only do an online lookup if there is no active session of the user, i.e. if "
+"the user is currently not logged in"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1848 sssd-ldap.5.xml:189
+msgid "never"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1849
+msgid ""
+"Never force an online lookup, use the data from the cache as long as they "
+"are not expired"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1832
+msgid ""
+"The PAM responder can force an online lookup to get the current group "
+"memberships of the user trying to log in. This option controls when this "
+"should be done and the following values are allowed: <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1856
+msgid "Default: no_session"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1861 sssd.conf.5.xml:4277
+msgid "pam_gssapi_services"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1864
+msgid ""
+"Comma separated list of PAM services that are allowed to try GSSAPI "
+"authentication using pam_sss_gss.so module."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1869
+msgid ""
+"To disable GSSAPI authentication, set this option to <quote>-</quote> "
+"(dash)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1873 sssd.conf.5.xml:1904 sssd.conf.5.xml:1942
+msgid ""
+"Note: This option can also be set per-domain which overwrites the value in "
+"[pam] section. It can also be set for trusted domain which overwrites the "
+"value in the domain section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1881
+#, no-wrap
+msgid ""
+"pam_gssapi_services = sudo, sudo-i\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1879 sssd.conf.5.xml:1994 sssd.conf.5.xml:3836
+msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1885
+msgid "Default: - (GSSAPI authentication is disabled)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1890 sssd.conf.5.xml:4278
+msgid "pam_gssapi_check_upn"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1893
+msgid ""
+"If True, SSSD will require that the Kerberos user principal that "
+"successfully authenticated through GSSAPI can be associated with the user "
+"who is being authenticated. Authentication will fail if the check fails."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1900
+msgid ""
+"If False, every user that is able to obtained required service ticket will "
+"be authenticated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1915
+msgid "pam_gssapi_indicators_map"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1918
+msgid ""
+"Comma separated list of authentication indicators required to be present in "
+"a Kerberos ticket to access a PAM service that is allowed to try GSSAPI "
+"authentication using pam_sss_gss.so module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1924
+msgid ""
+"Each element of the list can be either an authentication indicator name or a "
+"pair <quote>service:indicator</quote>. Indicators not prefixed with the PAM "
+"service name will be required to access any PAM service configured to be "
+"used with <option>pam_gssapi_services</option>. A resulting list of "
+"indicators per PAM service is then checked against indicators in the "
+"Kerberos ticket during authentication by pam_sss_gss.so. Any indicator from "
+"the ticket that matches the resulting list of indicators for the PAM service "
+"would grant access. If none of the indicators in the list match, access will "
+"be denied. If the resulting list of indicators for the PAM service is empty, "
+"the check will not prevent the access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1937
+msgid ""
+"To disable GSSAPI authentication indicator check, set this option to "
+"<quote>-</quote> (dash).
To disable the check for a specific PAM service, " +"add <quote>service:-</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1948 +msgid "" +"Following authentication indicators are supported by IPA Kerberos " +"deployments:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1951 +msgid "" +"pkinit -- pre-authentication using X.509 certificates -- whether stored in " +"files or on smart cards." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1954 +msgid "" +"hardened -- SPAKE pre-authentication or any pre-authentication wrapped in a " +"FAST channel." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1957 +msgid "radius -- pre-authentication with the help of a RADIUS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1960 +msgid "" +"otp -- pre-authentication using integrated two-factor authentication (2FA or " +"one-time password, OTP) in IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1963 +msgid "idp -- pre-authentication using external identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1973 +#, no-wrap +msgid "" +"pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1968 +msgid "" +"Example: to require access to SUDO services only for users which obtained " +"their Kerberos tickets with a X.509 certificate pre-authentication (PKINIT), " +"set <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1977 +msgid "Default: not set (use of authentication indicators is not required)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1982 +msgid "pam_json_services (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1985 +msgid "" +"Comma separated list of PAM services which can handle the JSON protocol for " +"selecting authentication mechanisms" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1990 +msgid "To disable JSON protocol, set this option to <quote>-</quote> (dash)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1996 +#, no-wrap +msgid "" +"pam_json_services = gdm-switchable-auth\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2000 +msgid "Default: - (JSON protocol is disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2003 +msgid "" +"Note: 2-Factor Authentication (2FA) is not supported. If 2FA is required, do " +"not activate the JSON protocol." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:2013 +msgid "SUDO configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:2015 +msgid "" +"These options can be used to configure the sudo service. The detailed " +"instructions for configuration of <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> are in the manual page " +"<citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2032 +msgid "sudo_timed (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2035 +msgid "" +"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " +"that implement time-dependent sudoers entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2047 +msgid "sudo_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2050 +msgid "" +"Maximum number of expired rules that can be refreshed at once. If number of " +"expired rules is below threshold, those rules are refreshed with " +"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a " +"<quote>full refresh</quote> of sudo rules is triggered instead. This " +"threshold number also applies to IPA sudo command and command group " +"searches." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:2069 +msgid "AUTOFS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:2071 +msgid "These options can be used to configure the autofs service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2075 +msgid "autofs_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2078 +msgid "" +"Specifies for how many seconds should the autofs responder negative cache " +"hits (that is, queries for invalid map entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:2094 +msgid "SSH configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:2096 +msgid "These options can be used to configure the SSH service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2100 +msgid "ssh_use_certificate_keys (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2103 +msgid "" +"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " +"keys derived from the public key of X.509 certificates stored in the user " +"entry as well. See <citerefentry> " +"<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> " +"<manvolnum>1</manvolnum> </citerefentry> for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2118 +msgid "ssh_use_certificate_matching_rules (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2121 +msgid "" +"By default the ssh responder will use all available certificate matching " +"rules to filter the certificates so that ssh keys are only derived from the " +"matching ones. With this option the used rules can be restricted with a " +"comma separated list of mapping and matching rule names. All other rules " +"will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2130 +msgid "" +"There are two special key words 'all_rules' and 'no_rules' which will enable " +"all or no rules, respectively. The latter means that no certificates will be " +"filtered out and ssh keys will be generated from all valid certificates." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2137 +msgid "" +"If no rules are configured using 'all_rules' will enable a default rule " +"which enables all certificates suitable for client authentication. This is " +"the same behavior as for the PAM responder if certificate authentication is " +"enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2144 +msgid "" +"A non-existing rule name is considered an error. If as a result no rule is " +"selected all certificates will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2149 +msgid "" +"Default: not set, equivalent to 'all_rules', all found rules or the default " +"rule are used" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2155 +msgid "ca_db (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2158 +msgid "" +"Path to a storage of trusted CA certificates. The option is used to validate " +"user certificates before deriving public ssh keys from them." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:2178 +msgid "PAC responder configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:2180 +msgid "" +"The PAC responder works together with the authorization data plugin for MIT " +"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " +"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " +"provider collects domain SID and ID ranges of the domain the client is " +"joined to and of remote trusted domains from the local domain controller. If " +"the PAC is decoded and evaluated some of the following operations are done:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2189 +msgid "" +"If the remote user does not exist in the cache, it is created. The UID is " +"determined with the help of the SID, trusted domains will have UPGs and the " +"GID will have the same value as the UID. The home directory is set based on " +"the subdomain_homedir parameter. The shell will be empty by default, " +"i.e. the system defaults are used, but can be overwritten with the " +"default_shell parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2197 +msgid "" +"If there are SIDs of groups from domains sssd knows about, the user will be " +"added to those groups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:2203 +msgid "These options can be used to configure the PAC responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2207 sssd-ifp.5.xml:66 +msgid "allowed_uids (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2210 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the PAC responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2216 +msgid "" +"Default: 0, &sssd_user_name; (only root and SSSD service users are allowed " +"to access the PAC responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2220 +msgid "Default: 0 (only the root user is allowed to access the PAC responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2224 +msgid "" +"Please note that defaults will be overwritten with this option. If you still " +"want to allow the root and/or '&sssd_user_name;' user to access the PAC " +"responder, which would be the typical case, you have to add those to the " +"list of allowed UIDs explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2231 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. 
If you still want to allow the root user to " +"access the PAC responder, which would be the typical case, you have to add 0 " +"to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2240 +msgid "pac_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2243 +msgid "" +"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " +"data can be used to determine the group memberships of a user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2253 +msgid "pac_check (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2256 +msgid "" +"Apply additional checks on the PAC of the Kerberos ticket which is available " +"in Active Directory and FreeIPA domains, if configured. Please note that " +"Kerberos ticket validation must be enabled to be able to check the PAC, " +"i.e. the krb5_validate option must be set to 'True' which is the default for " +"the IPA and AD provider. If krb5_validate is set to 'False' the PAC checks " +"will be skipped." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2266 +msgid "" +"Please note that the checks listed below only apply to PACs issued by Active " +"Directory or recent versions of FreeIPA. PACs issued e.g. by a plain MIT " +"Kerberos KDC will not contain the needed PAC data buffers to run the checks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2277 +msgid "no_check" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2279 +msgid "" +"The PAC must not be present and even if it is present no additional checks " +"will be done." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2285 +msgid "pac_present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2287 +msgid "" +"The PAC must be present in the service ticket which SSSD will request with " +"the help of the user's TGT. If the PAC is not available the authentication " +"will fail." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2295 +msgid "check_upn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2297 +msgid "" +"If the PAC is present check if the user principal name (UPN) information is " +"consistent." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2303 +msgid "check_upn_allow_missing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2305 +msgid "" +"This option should be used together with 'check_upn' and handles the case " +"where a UPN is set on the server-side but is not read by SSSD. 
The typical " +"example is a FreeIPA domain where 'ldap_user_principal' is set to a not " +"existing attribute name. This was typically done to work-around issues in " +"the handling of enterprise principals. But this is fixed since quite some " +"time and FreeIPA can handle enterprise principals just fine and there is no " +"need anymore to set 'ldap_user_principal'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2317 +msgid "" +"Currently this option is set by default to avoid regressions in such " +"environments. A log message will be added to the system log and SSSD's debug " +"log in case a UPN is found in the PAC but not in SSSD's cache. To avoid this " +"log message it would be best to evaluate if the 'ldap_user_principal' option " +"can be removed. If this is not possible, removing 'check_upn' will skip the " +"test and avoid the log message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2331 +msgid "upn_dns_info_present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2333 +msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2338 +msgid "check_upn_dns_info_ex" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2340 +msgid "" +"If the PAC is present and the extension to the UPN-DNS-INFO buffer is " +"available check if the information in the extension is consistent." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2347 +msgid "upn_dns_info_ex_present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2349 +msgid "" +"The PAC must contain the extension of the UPN-DNS-INFO buffer, implies " +"'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2273 +msgid "" +"The following options can be used alone or in a comma-separated list: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2359 +msgid "" +"Default: no_check (AD and IPA provider 'check_upn, check_upn_allow_missing, " +"check_upn_dns_info_ex')" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:2368 +msgid "Session recording configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:2370 +msgid "" +"Session recording works in conjunction with <citerefentry> " +"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>, a part of tlog package, to log what users see and type when " +"they log in on a text terminal. 
See also <citerefentry> " +"<refentrytitle>sssd-session-recording</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:2383 +msgid "These options can be used to configure session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2387 sssd-session-recording.5.xml:64 +msgid "scope (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2394 sssd-session-recording.5.xml:71 +msgid "\"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2397 sssd-session-recording.5.xml:74 +msgid "No users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2402 sssd-session-recording.5.xml:79 +msgid "\"some\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2405 sssd-session-recording.5.xml:82 +msgid "" +"Users/groups specified by <replaceable>users</replaceable> and " +"<replaceable>groups</replaceable> options are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2414 sssd-session-recording.5.xml:91 +msgid "\"all\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2417 sssd-session-recording.5.xml:94 +msgid "All users are recorded." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2390 sssd-session-recording.5.xml:67 +msgid "" +"One of the following strings specifying the scope of session recording: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2424 sssd-session-recording.5.xml:101 +msgid "Default: \"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2429 sssd-session-recording.5.xml:106 +msgid "users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2432 sssd-session-recording.5.xml:109 +msgid "" +"A comma-separated list of users which should have session recording " +"enabled. Matches user names as returned by NSS. I.e. after the possible " +"space replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2438 sssd-session-recording.5.xml:115 +msgid "Default: Empty. Matches no users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2443 sssd-session-recording.5.xml:120 +msgid "groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2446 sssd-session-recording.5.xml:123 +msgid "" +"A comma-separated list of groups, members of which should have session " +"recording enabled. Matches group names as returned by NSS. I.e. after the " +"possible space replacement, case changes, etc." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2452 sssd.conf.5.xml:2484 sssd-session-recording.5.xml:129 +#: sssd-session-recording.5.xml:161 +msgid "" +"NOTE: using this option (having it set to anything) has a considerable " +"performance cost, because each uncached request for a user requires " +"retrieving and matching the groups the user is member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2459 sssd-session-recording.5.xml:136 +msgid "Default: Empty. Matches no groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2464 sssd-session-recording.5.xml:141 +msgid "exclude_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2467 sssd-session-recording.5.xml:144 +msgid "" +"A comma-separated list of users to be excluded from recording, only " +"applicable with 'scope=all'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2471 sssd-session-recording.5.xml:148 +msgid "Default: Empty. No users excluded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2476 sssd-session-recording.5.xml:153 +msgid "exclude_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2479 sssd-session-recording.5.xml:156 +msgid "" +"A comma-separated list of groups, members of which should be excluded from " +"recording. Only applicable with 'scope=all'." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2491 sssd-session-recording.5.xml:168 +msgid "Default: Empty. No groups excluded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:2501 +msgid "DOMAIN SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> +#: sssd.conf.5.xml:2508 sssd.conf.5.xml:3964 sssd.conf.5.xml:3965 +#: sssd.conf.5.xml:3968 +msgid "enabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2511 +msgid "" +"Explicitly enable or disable the domain. If <quote>true</quote>, the domain " +"is always <quote>enabled</quote>. If <quote>false</quote>, the domain is " +"always <quote>disabled</quote>. If this option is not set, the domain is " +"enabled only if it is listed in the domains option in the " +"<quote>[sssd]</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2523 +msgid "domain_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2526 +msgid "" +"Specifies whether the domain is meant to be used by POSIX-aware clients such " +"as the Name Service Switch or by applications that do not need POSIX data to " +"be present or generated. Only objects from POSIX domains are available to " +"the operating system interfaces and utilities." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2534 +msgid "" +"Allowed values for this option are <quote>posix</quote> and " +"<quote>application</quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2538 +msgid "" +"POSIX domains are reachable by all services. Application domains are only " +"reachable from the InfoPipe responder (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>) and the PAM responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2546 +msgid "" +"NOTE: The application domains are currently well tested with " +"<quote>id_provider=ldap</quote> only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2550 +msgid "" +"For an easy way to configure a non-POSIX domains, please see the " +"<quote>Application domains</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2554 +msgid "Default: posix" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2560 +msgid "min_id,max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2563 +msgid "" +"UID and GID limits for the domain. If a domain contains an entry that is " +"outside these limits, it is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2568 +msgid "" +"For users, this affects the primary GID limit. The user will not be returned " +"to NSS if either the UID or the primary GID is outside the range. For " +"non-primary group memberships, those that are in range will be reported as " +"expected." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2575 +msgid "" +"These ID limits affect even saving entries to cache, not only returning them " +"by name or ID." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2579 +msgid "Default: 1 for min_id, 0 (no limit) for max_id" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2585 +msgid "enumerate (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2588 +msgid "" +"Determines if a domain can be enumerated, that is, whether the domain can " +"list all the users and group it contains. Note that it is not required to " +"enable enumeration in order for secondary groups to be displayed. This " +"parameter can have one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2596 +msgid "TRUE = Users and groups are enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2599 +msgid "FALSE = No enumerations for this domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2602 sssd.conf.5.xml:2867 sssd.conf.5.xml:3044 +msgid "Default: FALSE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2605 +msgid "" +"Enumerating a domain requires SSSD to download and store ALL user and group " +"entries from the remote server." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2610 +msgid "" +"Feature is only supported for domains with id_provider = ldap or id_provider " +"= proxy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2614 +msgid "" +"Note: Enabling enumeration has a severe performance impact on SSSD while " +"enumeration is running. It may take up to several minutes after SSSD startup " +"to fully complete enumerations. During this time, individual requests for " +"information will go directly to LDAP, though it may be slow, due to the " +"heavy enumeration processing. Saving a large number of entries to cache " +"after the enumeration completes might also be CPU intensive as the " +"memberships have to be recomputed. This can lead to the " +"<quote>sssd_be</quote> process becoming unresponsive or even restarted by " +"the internal watchdog." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2629 +msgid "" +"While the first enumeration is running, requests for the complete user or " +"group lists may return no results until it completes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2634 +msgid "" +"Further, enabling enumeration may increase the time necessary to detect " +"network disconnection, as longer timeouts are required to ensure that " +"enumeration lookups are completed successfully. For more information, refer " +"to the man pages for the specific id_provider in use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2642 +msgid "" +"For the reasons cited above, enabling enumeration is not recommended, " +"especially in large environments." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2647 +msgid "" +"Note: the proxy provider is tested with open source modules like " +"'libnss_files' and 'libnss_ldap'. 3rd party modules must follow the " +"documented behavior of nss modules to be used in this configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2656 +msgid "entry_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2659 +msgid "" +"How many seconds should nss_sss consider entries valid before asking the " +"backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2663 +msgid "" +"The cache expiration timestamps are stored as attributes of individual " +"objects in the cache. Therefore, changing the cache timeout only has effect " +"for newly added or expired entries. You should run the <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> tool in order to force refresh of entries that have already " +"been cached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2676 +msgid "Default: 5400" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2682 +msgid "entry_cache_user_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2685 +msgid "" +"How many seconds should nss_sss consider user entries valid before asking " +"the backend again" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2689 sssd.conf.5.xml:2702 sssd.conf.5.xml:2715 +#: sssd.conf.5.xml:2728 sssd.conf.5.xml:2742 sssd.conf.5.xml:2755 +#: sssd.conf.5.xml:2769 sssd.conf.5.xml:2783 sssd.conf.5.xml:2796 +msgid "Default: entry_cache_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2695 +msgid "entry_cache_group_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2698 +msgid "" +"How many seconds should nss_sss consider group entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2708 +msgid "entry_cache_netgroup_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2711 +msgid "" +"How many seconds should nss_sss consider netgroup entries valid before " +"asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2721 +msgid "entry_cache_service_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2724 +msgid "" +"How many seconds should nss_sss consider service entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2734 +msgid "entry_cache_resolver_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2737 +msgid "" +"How many seconds should nss_sss consider hosts and networks entries valid " +"before asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2748 +msgid "entry_cache_sudo_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2751 +msgid "" +"How many seconds should sudo consider rules valid before asking the backend " +"again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2761 +msgid "entry_cache_autofs_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2764 +msgid "" +"How many seconds should the autofs service consider automounter maps valid " +"before asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2775 +msgid "entry_cache_ssh_host_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2778 +msgid "" +"How many seconds to keep a host ssh key after refresh. IE how long to cache " +"the host key for." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2789 +msgid "entry_cache_computer_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2792 +msgid "" +"How many seconds to keep the local computer entry before asking the backend " +"again" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2802 +msgid "refresh_expired_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2805 +msgid "" +"Specifies how many seconds SSSD has to wait before triggering a background " +"refresh task which will refresh all expired or nearly expired records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2810 +msgid "" +"The background refresh will process users, groups and netgroups in the " +"cache. For users who have performed the initgroups (get group membership for " +"user, typically ran at login) operation in the past, both the user entry " +"and the group membership are updated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2818 +msgid "This option is automatically inherited for all trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2822 +msgid "You can consider setting this value to 3/4 * entry_cache_timeout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2826 +msgid "" +"Cache entry will be refreshed by background task when 2/3 of cache timeout " +"has already passed. If there are existing cached entries, the background " +"task will refer to their original cache timeout values instead of current " +"configuration value. This may lead to a situation in which background " +"refresh task appears to not be working. This is done by design to improve " +"offline mode operation and reuse of existing valid cache entries. 
To make " +"this change instant the user may want to manually invalidate existing cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2839 sssd-ldap.5.xml:406 sssd-ldap.5.xml:1834 +#: sssd-ipa.5.xml:255 +msgid "Default: 0 (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2845 +msgid "cache_credentials (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2848 +msgid "" +"Determines if user credentials are also cached in the local LDB cache. The " +"cached credentials refer to passwords, which includes the first (long term) " +"factor of two-factor authentication, not other authentication " +"mechanisms. Passkey and Smartcard authentications are expected to work " +"offline as long as a successful online authentication is recorded in the " +"cache without additional configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2859 +msgid "" +"Take a note that while credentials are stored as a salted SHA512 hash, this " +"still potentially poses some security risk in case an attacker manages to " +"get access to a cache file (normally requires privileged access) and to " +"break a password using brute force attack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2873 +msgid "cache_credentials_minimal_first_factor_length (int)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2876 +msgid "" +"If 2-Factor-Authentication (2FA) is used and credentials should be saved " +"this value determines the minimal length the first authentication factor " +"(long term password) must have to be saved as SHA512 hash into the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2883 +msgid "" +"This should avoid that the short PINs of a PIN based 2FA scheme are saved in " +"the cache which would make them easy targets for brute-force attacks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2894 +msgid "account_cache_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2897 +msgid "" +"Number of days entries are left in cache after last successful login before " +"being removed during a cleanup of the cache. 0 means keep forever. The " +"value of this parameter must be greater than or equal to " +"offline_credentials_expiration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2904 +msgid "Default: 0 (unlimited)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2909 +msgid "pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2920 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning. Also an auth provider has to be configured for the " +"backend." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2927 +msgid "Default: 7 (Kerberos), 0 (LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2933 +msgid "id_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2936 +msgid "" +"The identification provider used for the domain. Supported ID providers " +"are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2940 +msgid "<quote>proxy</quote>: Support a legacy NSS provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2943 +msgid "" +"<quote>ldap</quote>: LDAP provider. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2951 sssd.conf.5.xml:3070 sssd.conf.5.xml:3129 +#: sssd.conf.5.xml:3192 +msgid "" +"<quote>ipa</quote>: FreeIPA and Red Hat Identity Management provider. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"FreeIPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2960 sssd.conf.5.xml:3079 sssd.conf.5.xml:3138 +#: sssd.conf.5.xml:3201 +msgid "" +"<quote>ad</quote>: Active Directory provider. 
See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring Active Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2968 +msgid "" +"<quote>idp</quote>: Provider for OAuth 2.0/OIDC based Identity Providers " +"(IdP). See <citerefentry> <refentrytitle>sssd-idp</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2979 +msgid "use_fully_qualified_names (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2982 +msgid "" +"Use the full name and domain (as formatted by the domain's full_name_format) " +"as the user's login name reported to NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2987 +msgid "" +"If set to TRUE, all requests to this domain must use fully qualified " +"names. For example, if used in EXAMPLE domain that contains a \"test\" user, " +"<command>getent passwd test</command> wouldn't find the user while " +"<command>getent passwd test@EXAMPLE</command> would." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2995 +msgid "" +"NOTE: This option has no effect on netgroup lookups due to their tendency to " +"include nested netgroups without qualified names. For netgroups, all domains " +"will be searched when an unqualified name is requested." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3002 +msgid "" +"Default: FALSE (TRUE for trusted domain/sub-domains or if " +"default_domain_suffix is used)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3009 +msgid "ignore_group_members (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3012 +msgid "Do not return group members for group lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3015 +msgid "" +"If set to TRUE, the group membership attribute is not requested from the " +"ldap server, and group members are not returned when processing group lookup " +"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " +"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> " +"</citerefentry>. As an effect, <quote>getent group $groupname</quote> would " +"return the requested group as if it was empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3033 +msgid "" +"Enabling this option can also make access provider checks for group " +"membership significantly faster, especially for groups containing many " +"members." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3039 sssd.conf.5.xml:3767 sssd-ldap.5.xml:401 +#: sssd-ldap.5.xml:454 sssd-ldap.5.xml:529 sssd-ldap.5.xml:576 +#: sssd-ldap.5.xml:599 sssd-ldap.5.xml:638 sssd-ldap.5.xml:657 +#: sssd-ldap.5.xml:681 sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1147 +msgid "" +"This option can be also set per subdomain or inherited via " +"<emphasis>subdomain_inherit</emphasis>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3049 +msgid "auth_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3052 +msgid "" +"The authentication provider used for the domain. Supported auth providers " +"are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3056 sssd.conf.5.xml:3122 +msgid "" +"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3063 +msgid "" +"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3087 +msgid "" +"<quote>idp</quote>: Provider for OAuth 2.0/OIDC based authentication. See " +"<citerefentry> <refentrytitle>sssd-idp</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3095 +msgid "<quote>proxy</quote> for relaying authentication to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3098 +msgid "<quote>none</quote> disables authentication explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3101 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"authentication requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3107 +msgid "access_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3110 +msgid "" +"The access control provider used for the domain. There are two built-in " +"access providers (in addition to any included in installed backends) " +"Internal special providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3116 +msgid "<quote>permit</quote> always allow access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3119 +msgid "<quote>deny</quote> always deny access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3146 +msgid "" +"<quote>simple</quote> access control based on access or deny lists. See " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for more information on configuring " +"the simple access module." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3153 +msgid "" +"<quote>krb5</quote>: .k5login based access control. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for more information on configuring " +"Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3160 +msgid "<quote>proxy</quote> for relaying access control to another PAM module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3163 +msgid "Default: <quote>permit</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3168 +msgid "chpass_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3171 +msgid "" +"The provider which should handle change password operations for the domain. " +"Supported change password providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3176 +msgid "" +"<quote>ldap</quote> to change a password stored in a LDAP server. See " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3184 +msgid "" +"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3209 +msgid "<quote>proxy</quote> for relaying password changes to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3213 +msgid "<quote>none</quote> disallows password changes explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3216 +msgid "" +"Default: <quote>auth_provider</quote> is used if it is set and can handle " +"change password requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3223 +msgid "sudo_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3226 +msgid "The SUDO provider used for the domain. Supported SUDO providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3230 +msgid "" +"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3238 +msgid "" +"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3242 +msgid "" +"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " +"settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3246 +msgid "<quote>none</quote> disables SUDO explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3249 +msgid "" +"Default: The value of <quote>id_provider</quote> is used if it is set and " +"can handle sudo requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3253 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " +"options that can be used to adjust the behavior. Please refer to " +"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3268 +msgid "" +"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " +"background unless the sudo provider is explicitly disabled. Set " +"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " +"activity in SSSD if you do not want to use sudo with SSSD at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3278 +msgid "selinux_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3281 +msgid "" +"The provider which should handle loading of selinux settings. Note that this " +"provider will be called right after access provider ends. Supported selinux " +"providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3287 +msgid "" +"<quote>ipa</quote> to load selinux settings from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3295 +msgid "<quote>none</quote> disallows fetching selinux settings explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3298 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"selinux loading requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3304 +msgid "subdomains_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3307 +msgid "" +"The provider which should handle fetching of subdomains. This value should " +"be always the same as id_provider. Supported subdomain providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3313 +msgid "" +"<quote>ipa</quote> to load a list of subdomains from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3322 +msgid "" +"<quote>ad</quote> to load a list of subdomains from an Active Directory " +"server. 
See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3331 +msgid "<quote>none</quote> disallows fetching subdomains explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3335 +msgid "" +"Default: The value of <quote>id_provider</quote> is used if it is set and " +"can handle subdomain requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3341 +msgid "session_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3344 +msgid "" +"The provider which configures and manages user session related tasks. The " +"only user session task currently provided is the integration with Fleet " +"Commander, which works only with IPA. Supported session providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3351 +msgid "<quote>ipa</quote> to allow performing user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3355 +msgid "<quote>none</quote> does not perform any kind of user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3359 +msgid "Default: <quote>none</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3365 +msgid "autofs_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3368 +msgid "The autofs provider used for the domain. Supported autofs providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3372 +msgid "" +"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3379 +msgid "" +"<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " +"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3387 +msgid "" +"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3396 +msgid "<quote>none</quote> disables autofs explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3399 +msgid "" +"Default: The value of <quote>id_provider</quote> is used if it is set and " +"can handle autofs requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3406 +msgid "hostid_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3409 +msgid "" +"The provider used for retrieving host identity information. Supported " +"hostid providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3413 +msgid "" +"<quote>ipa</quote> to load host identity stored in an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3421 +msgid "<quote>none</quote> disables hostid explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3424 +msgid "" +"Default: The value of <quote>id_provider</quote> is used if it is set and " +"can handle hostid requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3431 +msgid "resolver_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3434 +msgid "" +"The provider which should handle hosts and networks lookups. Supported " +"resolver providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3438 +msgid "" +"<quote>proxy</quote> to forward lookups to another NSS library. See " +"<quote>proxy_resolver_lib_name</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3442 +msgid "" +"<quote>ldap</quote> to fetch hosts and networks stored in LDAP. 
See " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3449 +msgid "" +"<quote>ad</quote> to fetch hosts and networks stored in AD. See " +"<citerefentry> <refentrytitle>sssd-ad</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3457 +msgid "<quote>none</quote> disallows fetching hosts and networks explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3460 +msgid "" +"Default: The value of <quote>id_provider</quote> is used if it is set and " +"can handle resolver requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3470 +msgid "" +"Regular expression for this domain that describes how to parse the string " +"containing user name and domain into these components. The \"domain\" can " +"match either the SSSD configuration domain name, or, in the case of IPA " +"trust subdomains and Active Directory domains, the flat (NetBIOS) name of " +"the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3479 +msgid "" +"Default: " +"<quote>^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>[^@]+))$</quote> " +"which allows two different styles for user names:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3484 sssd.conf.5.xml:3498 +msgid "username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3487 sssd.conf.5.xml:3501 +msgid "username@domain.name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3492 +msgid "" +"Default for the AD and IPA provider: " +"<quote>^(((?P<domain>[^\\\\]+)\\\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<name>[^@\\\\]+)))$</quote> " +"which allows three different styles for user names:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3504 +msgid "domain\\username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3507 +msgid "" +"While the first two correspond to the general default the third one is " +"introduced to allow easy integration of users from Windows domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3512 +msgid "" +"The default re_expression uses the <quote>@</quote> character as a separator " +"between the name and the domain. As a result of this setting the default " +"does not accept the <quote>@</quote> character in short names (as it is " +"allowed in Windows group names). If a user wishes to use short names with " +"<quote>@</quote> they must create their own re_expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3564 +msgid "Default: <quote>%1$s@%2$s</quote>." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3570 +msgid "lookup_family_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3573 +msgid "" +"Provides the ability to select preferred address family to use when " +"performing DNS lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3577 +msgid "Supported values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3580 +msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3583 +msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3586 +msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3589 +msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3592 +msgid "Default: ipv4_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3598 +msgid "dns_resolver_server_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3601 +msgid "" +"Defines the amount of time (in milliseconds) SSSD would try to talk to DNS " +"server before trying next DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3606 +msgid "The AD provider will use this option for the CLDAP ping timeouts as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3610 sssd.conf.5.xml:3630 sssd.conf.5.xml:3651 +msgid "" +"Please see the section <quote>FAILOVER</quote> for more information about " +"the service resolution." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3615 sssd-ldap.5.xml:700 include/failover.xml:84 +msgid "Default: 1000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3621 +msgid "dns_resolver_op_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3624 +msgid "" +"Defines the amount of time (in seconds) to wait to resolve single DNS query " +"(e.g. resolution of a hostname or an SRV record) before trying the next " +"hostname or DNS discovery." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3635 include/failover.xml:100 +msgid "Default: 3" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3641 +msgid "dns_resolver_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3644 +msgid "" +"Defines the amount of time (in seconds) to wait for a reply from the " +"internal fail over service before assuming that the service is " +"unreachable. If this timeout is reached, the domain will continue to operate " +"in offline mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3662 +msgid "dns_resolver_use_search_list (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3665 +msgid "" +"Normally, the DNS resolver searches the domain list defined in the " +"\"search\" directive from the resolv.conf file. This can lead to delays in " +"environments with improperly configured DNS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3671 +msgid "" +"If fully qualified domain names (or _srv_) are used in the SSSD " +"configuration, setting this option to FALSE can prevent unnecessary DNS " +"lookups in such environments." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3677 +msgid "Default: TRUE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3683 +msgid "dns_discovery_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3686 +msgid "" +"If service discovery is used in the back end, specifies the domain part of " +"the service discovery DNS query." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3690 +msgid "Default: Use the domain part of machine's hostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3696 +msgid "failover_primary_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3699 +msgid "" +"When no primary server is available, SSSD fails over to a backup " +"server. This option defines the number of seconds SSSD waits before " +"attempting to reconnect to the primary server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3706 +msgid "Note: The minimum value is 31." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3709 +msgid "Default: 31" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3715 +msgid "override_gid (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3718 +msgid "Override the primary GID value with the one specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3724 +msgid "case_sensitive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3731 +msgid "True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3734 +msgid "Case sensitive. 
This value is invalid for AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3740 +msgid "False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3742 +msgid "Case insensitive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3746 +msgid "Preserving" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3749 +msgid "" +"Same as False (case insensitive), but does not lowercase names in the result " +"of NSS operations. Note that name aliases (and in case of services also " +"protocol names) are still lowercased in the output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3757 +msgid "" +"If you want to set this value for trusted domain with IPA provider, you need " +"to set it on both the client and SSSD on the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3727 +msgid "" +"Treat user and group names as case sensitive. Possible option values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3772 +msgid "Default: True (False for AD provider)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3778 +msgid "subdomain_inherit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3781 +msgid "" +"Specifies a list of configuration parameters that should be inherited by a " +"subdomain. Please note that only selected parameters can be inherited. " +"Currently the following options can be inherited:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3787 +msgid "ldap_search_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3790 +msgid "ldap_network_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3793 +msgid "ldap_opt_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3796 +msgid "ldap_offline_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3799 +msgid "ldap_purge_cache_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3802 +msgid "ldap_purge_cache_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3805 +msgid "" +"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " +"is not set explicitly)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3809 +msgid "ldap_krb5_ticket_lifetime" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3812 +msgid "ldap_connection_expire_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3815 +msgid "ldap_connection_expire_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3818 +msgid "ldap_connection_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3821 sssd-ldap.5.xml:446 +msgid "ldap_use_tokengroups" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3824 +msgid "ldap_user_principal" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3827 +msgid "ignore_group_members" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3830 +msgid "auto_private_groups" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3833 +msgid "case_sensitive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:3838 +#, no-wrap +msgid "" +"subdomain_inherit = ldap_purge_cache_timeout\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3845 +msgid "Note: This option only works with the IPA and AD provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3852 +msgid "subdomain_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3863 +msgid "%F" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3864 +msgid "flat (NetBIOS) name of a subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3855 +msgid "" +"Use this homedir as default value for all subdomains within this domain in " +"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " +"possible values. In addition to those, the expansion below can only be used " +"with <emphasis>subdomain_homedir</emphasis>. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3869 +msgid "The value can be overridden by <emphasis>override_homedir</emphasis> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3873 +msgid "Default: <filename>/home/%d/%u</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3878 +msgid "realmd_tags (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3881 +msgid "Various tags stored by the realmd configuration service for this domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3887 +msgid "cached_auth_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3890 +msgid "" +"Specifies time in seconds since last successful online authentication for " +"which user will be authenticated using cached credentials while SSSD is in " +"the online mode. If the credentials are incorrect, SSSD falls back to online " +"authentication." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3898 +msgid "" +"This option's value is inherited by all trusted domains. At the moment it is " +"not possible to set a different value per trusted domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3903 +msgid "Special value 0 implies that this feature is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3907 +msgid "" +"Please note that if <quote>cached_auth_timeout</quote> is longer than " +"<quote>pam_id_timeout</quote> then the back end could be called to handle " +"<quote>initgroups.</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3918 +msgid "local_auth_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3921 +msgid "" +"Local authentication methods policy. Some backends (i.e. 
LDAP, proxy " +"provider) only support a password based authentication, while others can " +"handle PKINIT based Smartcard authentication (AD, IPA), two-factor " +"authentication (IPA), or other methods against a central instance. By " +"default in such cases authentication is only performed with the methods " +"supported by the backend. With this option additional methods can be enabled " +"which are evaluated and checked locally." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3933 +msgid "" +"There are three possible values for this option: match, only, " +"enable. <quote>match</quote> is used to match offline and online states for " +"Kerberos methods. <quote>only</quote> ignores the online methods and only " +"offer the local ones. enable allows explicitly defining the methods for " +"local authentication. As an example, <quote>enable:passkey</quote>, only " +"enables passkey for local authentication. Multiple enable values should be " +"comma-separated, such as <quote>enable:passkey, enable:smartcard</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3946 +msgid "" +"The following table shows which authentication methods, if configured " +"properly, are currently enabled or disabled for each backend, with the " +"default local_auth_policy: <quote>match</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> +#: sssd.conf.5.xml:3959 +msgid "local_auth_policy = match (default)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> +#: sssd.conf.5.xml:3960 +msgid "Passkey" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> +#: sssd.conf.5.xml:3961 +msgid "Smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3964 sssd-ldap.5.xml:228 +msgid "IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3967 sssd-ldap.5.xml:233 +msgid "AD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> +#: sssd.conf.5.xml:3967 sssd.conf.5.xml:3970 sssd.conf.5.xml:3971 +msgid "disabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> +#: sssd.conf.5.xml:3970 +msgid "LDAP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3975 +msgid "" +"Please note that if local Smartcard authentication is enabled and a " +"Smartcard is present, Smartcard authentication will be preferred over the " +"authentication methods supported by the backend. I.e. there will be a PIN " +"prompt instead of e.g. a password prompt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:3987 +#, no-wrap +msgid "" +"[domain/shadowutils]\n" +"id_provider = proxy\n" +"proxy_lib_name = files\n" +"auth_provider = none\n" +"local_auth_policy = only\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3983 +msgid "" +"The following configuration example allows local users to authenticate " +"locally using any enabled method (i.e. smartcard, passkey). <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3995 +msgid "Default: match" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4000 +msgid "auto_private_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4006 +msgid "true" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4009 +msgid "" +"Create user's private group unconditionally from user's UID number. The GID " +"number is ignored in this case." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4013 +msgid "" +"NOTE: Because the GID number and the user private group are inferred from " +"the UID number, it is not supported to have multiple entries with the same " +"UID or GID number with this option. In other words, enabling this option " +"enforces uniqueness across the ID space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4022 +msgid "false" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4025 +msgid "" +"Always use the user's primary GID number. The GID number must refer to a " +"group object in the LDAP database." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4031 +msgid "hybrid" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4034 +msgid "" +"A primary group is autogenerated for user entries whose UID and GID numbers " +"have the same value and at the same time the GID number does not correspond " +"to a real group object in LDAP. If the values are the same, but the primary " +"GID in the user entry is also used by a group object, the primary GID of the " +"user resolves to that group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4047 +msgid "" +"If the UID and GID of a user are different, then the GID must correspond to " +"a group entry, otherwise the GID is simply not resolvable." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4054 +msgid "" +"This feature is useful for environments that wish to stop maintaining a " +"separate group objects for the user private groups, but also wish to retain " +"the existing user private groups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4003 +msgid "" +"This option takes any of three available values: <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4066 +msgid "" +"For the LDAP based id providers (LDAP, IPA and AD) the default for the " +"configured domain is typically False because the sources have the concept of " +"a primary group. <phrase condition=\"with_idp_provider\">The IdP id " +"provider is using True because IdPs typically do not have primary " +"groups.</phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4075 +msgid "" +"For subdomains, the default value is False for subdomains that use assigned " +"POSIX IDs and True for subdomains that use automatic ID-mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:4083 +#, no-wrap +msgid "" +"[domain/forest.domain/sub.domain]\n" +"auto_private_groups = false\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:4089 +#, no-wrap +msgid "" +"[domain/forest.domain]\n" +"subdomain_inherit = auto_private_groups\n" +"auto_private_groups = false\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4080 +msgid "" +"The value of auto_private_groups can either be set per subdomains in a " +"subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " +"globally for all subdomains in the main domain section using the " +"subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:2503 +msgid "" +"These configuration options can be present in a domain configuration " +"section, that is, in a section called " +"<quote>[domain/<replaceable>NAME</replaceable>]</quote> <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4104 +msgid "proxy_pam_target (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4107 +msgid "The proxy target PAM proxies to." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4110 +msgid "" +"Default: not set by default, you have to take an existing pam configuration " +"or create a new one and add the service name here. As an alternative you can " +"enable local authentication with the local_auth_policy option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4120 +msgid "proxy_lib_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4123 +msgid "" +"The name of the NSS library to use in proxy domains. 
The NSS functions " +"searched for in the library are in the form of _nss_$(libName)_$(function), " +"for example _nss_files_getpwent." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4133 +msgid "proxy_resolver_lib_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4136 +msgid "" +"The name of the NSS library to use for hosts and networks lookups in proxy " +"domains. The NSS functions searched for in the library are in the form of " +"_nss_$(libName)_$(function), for example _nss_dns_gethostbyname2_r." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4147 +msgid "proxy_fast_alias (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4150 +msgid "" +"When a user or group is looked up by name in the proxy provider, a second " +"lookup by ID is performed to \"canonicalize\" the name in case the requested " +"name was an alias. Setting this option to true would cause the SSSD to " +"perform the ID lookup from cache for performance reasons." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4164 +msgid "proxy_max_children (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4167 +msgid "" +"This option specifies the number of pre-forked proxy children. It is useful " +"for high-load SSSD environments where sssd may run out of available child " +"slots, which would cause some issues due to the requests being queued." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4100 +msgid "" +"Options valid for proxy domains. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:4183 +msgid "Application domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:4185 +msgid "" +"SSSD, with its D-Bus interface (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>) is appealing to applications as a gateway to an LDAP " +"directory where users and groups are stored. However, contrary to the " +"traditional SSSD deployment where all users and groups either have POSIX " +"attributes or those attributes can be inferred from the Windows SIDs, in " +"many cases the users and groups in the application support scenario have no " +"POSIX attributes. Instead of setting a " +"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the " +"administrator can set up an " +"<quote>[application/<replaceable>NAME</replaceable>]</quote> section that " +"internally represents a domain with type <quote>application</quote> " +"optionally inherits settings from a tradition SSSD domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:4205 +msgid "" +"Please note that the application domain must still be explicitly enabled in " +"the <quote>domains</quote> parameter so that the lookup order between the " +"application domain and its POSIX sibling domain is set correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:4211 +msgid "Application domain parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4213 +msgid "inherit_from (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4216 +msgid "" +"The SSSD POSIX-type domain the application domain inherits all settings " +"from. The application domain can moreover add its own settings to the " +"application settings that augment or override the <quote>sibling</quote> " +"domain settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:4230 +msgid "" +"The following example illustrates the use of an application domain. In this " +"setup, the POSIX domain is connected to an LDAP server and is used by the OS " +"through the NSS responder. In addition, the application domain also requests " +"the telephoneNumber attribute, stores it as the phone attribute in the cache " +"and makes the phone attribute reachable through the D-Bus interface." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> +#: sssd.conf.5.xml:4238 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = appdom, posixdom\n" +"\n" +"[ifp]\n" +"user_attributes = +phone\n" +"\n" +"[domain/posixdom]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"[application/appdom]\n" +"inherit_from = posixdom\n" +"ldap_user_extra_attrs = phone:telephoneNumber\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:4258 +msgid "TRUSTED DOMAIN SECTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4260 +msgid "" +"Some options used in the domain section can also be used in the trusted " +"domain section, that is, in a section called " +"<quote>[domain/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</replaceable>]</quote>. " +"Where DOMAIN_NAME is the actual joined-to base domain. Please refer to " +"examples below for explanation. 
Currently supported options in the trusted " +"domain section are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4267 +msgid "ldap_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4268 +msgid "ldap_user_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4269 +msgid "ldap_group_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4270 +msgid "ldap_netgroup_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4271 +msgid "ldap_service_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4272 +msgid "ldap_sasl_mech," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4273 +msgid "ad_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4274 +msgid "ad_backup_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4275 +msgid "ad_site," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:4276 sssd-ipa.5.xml:934 +msgid "use_fully_qualified_names" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4280 +msgid "" +"For more details about these options see their individual description in the " +"manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:4286 +msgid "CERTIFICATE MAPPING SECTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4288 +msgid "" +"To allow authentication with Smartcards and certificates SSSD must be able " +"to map certificates to users. 
This can be done by adding the full " +"certificate to the LDAP object of the user or to a local override. While " +"using the full certificate is required to use the Smartcard authentication " +"feature of SSH (see <citerefentry> " +"<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> for details) it might be cumbersome " +"or not even possible to do this for the general case where local services " +"use PAM for authentication." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4302 +msgid "" +"To make the mapping more flexible mapping and matching rules were added to " +"SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4311 +msgid "" +"A mapping and matching rule can be added to the SSSD configuration in a " +"section on its own with a name like " +"<quote>[certmap/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>RULE_NAME</replaceable>]</quote>. " +"In this section the following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4318 +msgid "matchrule (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4321 +msgid "" +"Only certificates from the Smartcard which matches this rule will be " +"processed, all others are ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4325 +msgid "" +"Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " +"Extended Key Usage <quote>clientAuth</quote>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4332 +msgid "maprule (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4335 +msgid "Defines how the user is found for a given certificate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:4341 +msgid "" +"LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " +"<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:4347 +msgid "" +"If maprule is not set and provider is <quote>proxy</quote>, the RULE_NAME " +"name is assumed to be the name of the matching user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4357 +msgid "domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4360 +msgid "" +"Comma separated list of domain names the rule should be applied. By default " +"a rule is only valid in the domain configured in sssd.conf. If the provider " +"supports subdomains this option can be used to add the rule to subdomains as " +"well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4367 +msgid "Default: the configured domain in sssd.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4372 +msgid "priority (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4375 +msgid "" +"Unsigned integer value defining the priority of the rule. The higher the " +"number the lower the priority. <quote>0</quote> stands for the highest " +"priority while <quote>4294967295</quote> is the lowest." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4381 +msgid "Default: the lowest priority" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:4389 +msgid "PROMPTING CONFIGURATION SECTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4391 +msgid "" +"If a special file " +"(<filename>/var/lib/sss/pubconf/pam_preauth_available</filename>) exists " +"SSSD's PAM module pam_sss will ask SSSD to figure out which authentication " +"methods are available for the user trying to log in. Based on the results " +"pam_sss will prompt the user for appropriate credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4399 +msgid "" +"With the growing number of authentication methods and the possibility that " +"there are multiple ones for a single user the heuristic used by pam_sss to " +"select the prompting might not be suitable for all use cases. The following " +"options should provide a better flexibility here." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4411 +msgid "[prompting/password]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4414 +msgid "password_prompt" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4415 +msgid "to change the string of the password prompt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4413 +msgid "" +"to configure password prompting, allowed options are: <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4423 +msgid "[prompting/2fa]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4427 +msgid "first_prompt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4428 +msgid "to change the string of the prompt for the first factor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4431 +msgid "second_prompt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4432 +msgid "to change the string of the prompt for the second factor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4435 +msgid "single_prompt" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4436 +msgid "" +"boolean value, if True there will be only a single prompt using the value of " +"first_prompt where it is expected that both factors are entered as a single " +"string. Please note that both factors have to be entered here, even if the " +"second factor is optional." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4425 +msgid "" +"to configure two-factor authentication prompting, allowed options are: " +"<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is " +"optional and it should be possible to log in either only with the password " +"or with both factors two-step prompting has to be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4449 +msgid "" +"Some clients, such as SSH with 'PasswordAuthentication yes', generate their " +"own prompts and do not use prompts provided by SSSD or other PAM " +"modules. Additionally, for SSH with PasswordAuthentication, if two-factor " +"authentication is available, SSSD expects that the credentials entered by " +"the user at the SSH password prompt will always be the two factors in a " +"single string, even if two-factor authentication is optional." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4464 +msgid "[prompting/passkey]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:4470 sssd-ad.5.xml:1022 +msgid "interactive" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4472 +msgid "" +"boolean value, if True prompt a message and wait before testing the presence " +"of a passkey device. Recommended if your device doesn’t have a tactile " +"trigger." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4480 +msgid "interactive_prompt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4482 +msgid "to change the message of the interactive prompt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4487 +msgid "touch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4489 +msgid "" +"boolean value, if True prompt a message to remind the user to touch the " +"device." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:4495 +msgid "touch_prompt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4497 +msgid "to change the message of the touch prompt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:4466 +msgid "" +"to configure passkey authentication prompting, allowed options are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4406 +msgid "" +"Each supported authentication method has its own configuration subsection " +"under <quote>[prompting/...]</quote>. Currently there are: <placeholder " +"type=\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" " +"id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4508 +msgid "" +"It is possible to add a subsection for specific PAM services, " +"e.g. <quote>[prompting/password/sshd]</quote> to individual change the " +"prompting for this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:4515 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43 +msgid "EXAMPLES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:4521 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4517 +msgid "" +"1. The following example shows a typical SSSD config. It does not describe " +"configuration of the domains themselves - refer to documentation on " +"configuring domains for more details. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:4553 +#, no-wrap +msgid "" +"[domain/ipa.com/child.ad.com]\n" +"use_fully_qualified_names = false\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4547 +msgid "" +"2. The following example shows configuration of IPA AD trust where the AD " +"forest consists of two domains in a parent-child structure. Suppose IPA " +"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " +"(child.ad.com). To enable shortnames in the child domain the following " +"configuration should be used. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:4564 +#, no-wrap +msgid "" +"[certmap/my.domain/rule_name]\n" +"matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$\n" +"maprule = (userCertificate;binary={cert!bin})\n" +"domains = my.domain, your.domain\n" +"priority = 10\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:4558 +msgid "" +"3. The following example shows the configuration of a certificate mapping " +"rule. It is valid for the configured domain <quote>my.domain</quote> and " +"additionally for the subdomains <quote>your.domain</quote> and uses the full " +"certificate in the search filter. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 +msgid "sssd-ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap.5.xml:17 +msgid "SSSD LDAP provider" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:21 pam_sss.8.xml:66 pam_sss_gss.8.xml:30 +#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 +#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd-idp.5.xml:21 +#: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_override.8.xml:30 +#: sssd-krb5.5.xml:21 sss_cache.8.xml:29 sss_debuglevel.8.xml:30 +#: sss_seed.8.xml:31 sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 +#: sss_ssh_knownhosts.1.xml:30 idmap_sss.8.xml:20 sssctl.8.xml:30 +#: sssd-session-recording.5.xml:21 sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +#: sssd-ldap-attributes.5.xml:21 sssd_krb5_localauth_plugin.8.xml:20 +msgid "DESCRIPTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:23 +msgid "" +"This manual page describes the configuration of LDAP domains for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for detailed syntax " +"information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:35 +msgid "You can configure SSSD to use more than one LDAP domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:38 +msgid "" +"LDAP back end supports id, auth, access and chpass providers. If you want to " +"authenticate against an LDAP server either TLS/SSL or LDAPS is " +"required. <command>sssd</command> <emphasis>does not</emphasis> support " +"authentication over an unencrypted channel. Even if the LDAP server is used " +"only as an identity provider, an encrypted channel is strongly " +"recommended. Please refer to the <quote>ldap_access_filter</quote> config " +"option for more information about using LDAP as an access provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:50 sssd-simple.5.xml:82 sssd-ipa.5.xml:82 sssd-ad.5.xml:130 +#: sssd-idp.5.xml:54 sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 +#: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202 +msgid "CONFIGURATION OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:67 +msgid "ldap_uri, ldap_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:70 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference. Refer to the " +"<quote>FAILOVER</quote> section for more information on failover and server " +"redundancy. If neither option is specified, service discovery is " +"enabled. For more information, refer to the <quote>SERVICE DISCOVERY</quote> " +"section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:77 +msgid "The format of the URI must match the format defined in RFC 2732:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:80 +msgid "ldap[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:83 +msgid "For explicit IPv6 addresses, <host> must be enclosed in brackets []" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:86 +msgid "example: ldap://[fc00::126:25]:389" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:92 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a " +"user. Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:102 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:106 +msgid "Default: empty, i.e. ldap_uri is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:112 +msgid "ldap_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:115 +msgid "The default base DN to use for performing LDAP user operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:119 +msgid "" +"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " +"syntax:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:123 +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:126 +msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: sssd-ldap.5.xml:129 include/ldap_search_bases.xml:18 +msgid "" +"The filter must be a valid LDAP search filter as specified by " +"http://www.ietf.org/rfc/rfc2254.txt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:133 sssd-ad.5.xml:312 sss_override.8.xml:143 +#: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453 +msgid "Examples:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:136 +msgid "" +"ldap_search_base = dc=example,dc=com (which is equivalent to) " +"ldap_search_base = dc=example,dc=com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:141 +msgid "" +"ldap_search_base = " +"cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:144 +msgid "" +"Note: It is unsupported to have multiple search bases which reference " +"identically-named objects (for example, groups with the same name in two " +"different search bases). This will lead to unpredictable behavior on client " +"machines." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:151 +msgid "" +"Default: If not set, the value of the defaultNamingContext or namingContexts " +"attribute from the RootDSE of the LDAP server is used. If " +"defaultNamingContext does not exist or has an empty value namingContexts is " +"used. The namingContexts attribute must have a single value with the DN of " +"the search base of the LDAP server to make this work. Multiple values are " +"are not supported." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:165 +msgid "ldap_read_rootdse (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:168 +msgid "" +"SSSD reads RootDSE to get information about LDAP and its capabilities. By " +"default, this is done anonymously. However, this may not be permitted by the " +"LDAP server. In such cases we can use this option to influence SSSD " +"behavior." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:175 +msgid "Allowed values are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:179 +msgid "anonymous" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:184 +msgid "authenticated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:193 +msgid "" +"By default, using the \"anonymous\" option, SSSD tries to read RootDSE " +"anonymously. If this fails SSSD retries the attempt with authentication." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:198 +msgid "Default: anonymous" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:204 +msgid "ldap_schema (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:207 +msgid "" +"Specifies the Schema Type in use on the target LDAP server. 
Depending on " +"the selected schema, the default attribute names retrieved from the servers " +"may vary. The way that some attributes are handled may also differ." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:214 +msgid "Four schema types are currently supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:218 +msgid "rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:223 +msgid "rfc2307bis" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:239 +msgid "" +"The main difference between these schema types is how group memberships are " +"recorded in the server. With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:249 +msgid "Default: rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:255 +msgid "ldap_pwmodify_mode (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:258 +msgid "Specify the operation that is used to modify user password." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:262 +msgid "Two modes are currently supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "exop - Password Modify Extended Operation (RFC 3062)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:272 +msgid "ldap_modify - Direct modification of userPassword (not recommended)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:278 +msgid "" +"exop_force - Try Password Modify Extended Operation (RFC 3062) even if there " +"are no grace logins left. Depending on the type and configuration of the " +"LDAP server the password change might fail because an authenticated bind is " +"not possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:290 +msgid "" +"Note: First, a new connection is established to verify current password by " +"binding as the user that requested password change. If successful, this " +"connection is used to change the password therefore the user must have write " +"access to userPassword attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:298 +msgid "Default: exop" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:304 +msgid "ldap_default_bind_dn (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:307 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:314 +msgid "ldap_default_authtok_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:317 +msgid "The type of the authentication token of the default bind DN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The two mechanisms currently supported are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:324 +msgid "password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:327 +msgid "obfuscated_password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:330 +msgid "Default: password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:333 +msgid "" +"See the <citerefentry> <refentrytitle>sss_obfuscate</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_default_authtok (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The authentication token of the default bind DN." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:353 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:356 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:369 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:372 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:383 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:386 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:392 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:412 +msgid "ldap_group_nesting_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:415 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups " +"(e.g. RFC2307bis), then this option controls how many levels of nesting SSSD " +"will follow. This option has no effect on the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:422 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:431 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:440 +msgid "Default: 2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:449 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:459 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:465 +msgid "ldap_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:468 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:472 sssd-ipa.5.xml:506 sssd-ipa.5.xml:525 sssd-ipa.5.xml:544 +#: sssd-ipa.5.xml:563 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:477 sssd-ipa.5.xml:511 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:484 +msgid "ldap_subid_ranges_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:487 +msgid "" +"Optional. Use the given string as search base for subordinate ranges related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:491 +msgid "" +"Default: the value of <emphasis>cn=subids,%basedn</emphasis> for IPA " +"otherwise <emphasis>ldap_search_base</emphasis>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:499 +msgid "ldap_service_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:504 +msgid "ldap_iphost_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:509 +msgid "ldap_ipnetwork_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:514 +msgid "ldap_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:517 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:523 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:540 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:543 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:556 +msgid "ldap_network_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:559 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> " +"</citerefentry>/<citerefentry> <refentrytitle>select</refentrytitle> " +"<manvolnum>2</manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> " +"</citerefentry> returns in case of no activity." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:587 +msgid "ldap_opt_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value " +"vs. the TGT lifetime) will be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:621 +msgid "" +"If the connection is idle (not actively running an operation) within " +"<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be " +"closed early to ensure that a new query cannot require the connection to " +"remain open past its expiration. This implies that connections will always " +"be closed immediately and will never be reused if " +"<emphasis>ldap_connection_expire_timeout <= ldap_opt_timout</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:633 +msgid "" +"This timeout can be extended of a random value specified by " +"<emphasis>ldap_connection_expire_offset</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:643 sssd-ldap.5.xml:686 sssd-ldap.5.xml:1809 +msgid "Default: 900 (15 minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:649 +msgid "ldap_connection_expire_offset (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:652 +msgid "" +"Random offset between 0 and configured value is added to " +"<emphasis>ldap_connection_expire_timeout</emphasis>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:668 +msgid "ldap_connection_idle_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:671 +msgid "" +"Specifies a timeout (in seconds) that an idle connection to an LDAP server " +"will be maintained. 
If the connection is idle for more than this time then " +"the connection will be closed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:677 +msgid "You can disable this timeout by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:692 +msgid "ldap_page_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:695 +msgid "" +"Specify the number of records to retrieve from LDAP in a single " +"request. Some LDAP servers enforce a maximum limit per-request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:706 +msgid "ldap_disable_paging (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:709 +msgid "" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:715 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use " +"it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:721 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:733 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:736 +msgid "Disable Active Directory range retrieval." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:739 +msgid "" +"Active Directory limits the number of members that can be retrieved in a " +"single lookup using the MaxValRange policy, which defaults to 1500 " +"members. If a group contains more than 1500 members, the reply includes an " +"AD-specific range extension. When enabled, this option prevents SSSD from " +"parsing the range extension. As a result large groups will appear as they " +"have no members. This option does not enable SSSD to read subsequent " +"ranges. To retrieve all members of a group, you must increase the " +"MaxValRange setting in Active Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:758 +msgid "ldap_sasl_minssf (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:761 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:767 sssd-ldap.5.xml:783 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:774 +msgid "ldap_sasl_maxssf (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:777 +msgid "" +"When communicating with an LDAP server using SASL, specify the maximal " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:790 +msgid "ldap_deref_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:799 +msgid "" +"You can turn off dereference lookups completely by setting the value to " +"0. Please note that there are some codepaths in SSSD, like the IPA HBAC " +"provider, that are only implemented using the dereference call, so even with " +"dereference explicitly disabled, those parts will still use dereference if " +"the server supports it and advertises the dereference control in the rootDSE " +"object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:810 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:818 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:831 +msgid "ldap_ignore_unreadable_references (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:834 +msgid "" +"Ignore unreadable LDAP entries referenced in group's member attribute. If " +"this parameter is set to false an error will be returned and the operation " +"will fail instead of just ignoring the unreadable entry." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:841 +msgid "" +"This parameter may be useful when using the AD provider and the computer " +"account that sssd uses to connect to AD does not have access to a particular " +"entry or LDAP sub-tree for security reasons." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:854 +msgid "ldap_tls_reqcert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:857 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:863 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:867 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:874 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:880 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:886 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: hard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_tls_cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:904 sssd-ldap.5.xml:923 sssd-ldap.5.xml:964 +msgid "" +"Default: use OpenLDAP defaults, typically in " +"<filename>/etc/openldap/ldap.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:911 +msgid "ldap_tls_cacertdir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:914 +msgid "" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>openssl rehash</command> or <command>c_rehash</command> can be used " +"to create the correct names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:930 +msgid "ldap_tls_cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:933 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:943 +msgid "ldap_tls_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:946 +msgid "Specifies the file that contains the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:955 +msgid "ldap_tls_cipher_suite (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:958 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:971 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:974 +msgid "" +"Specifies that the id_provider connection must also use <systemitem " +"class=\"protocol\">tls</systemitem> to protect the channel. " +"<emphasis>true</emphasis> is strongly recommended for security reasons." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:985 +msgid "ldap_id_mapping (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:988 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:994 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1004 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1007 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1019 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1025 +msgid "ldap_sasl_mech (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1028 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " +"tested and supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1032 +msgid "" +"If the backend supports sub-domains the value of ldap_sasl_mech is " +"automatically inherited to the sub-domains. If a different value is needed " +"for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " +"sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1048 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1060 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"netbiosname$@*\n" +"host/*\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1051 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " +"this represents the Kerberos principal used for authentication to the " +"directory. This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example " +"host/myhost). By default, the value is not set and the following principals " +"are used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them " +"are found, the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1072 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1078 +msgid "ldap_sasl_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1081 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1087 +msgid "Default: the value of krb5_realm." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1093 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1096 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1101 +msgid "Default: false;" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1107 +msgid "ldap_krb5_keytab (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1110 +msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1119 sssd-krb5.5.xml:247 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1125 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1128 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI or GSS-SPNEGO." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1140 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1143 +msgid "" +"Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1152 sssd-ad.5.xml:1267 +msgid "Default: 86400 (24 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1158 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1161 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of " +"preference. For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1173 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1178 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of " +"SSSD. 
While the legacy name is recognized for the time being, users are " +"advised to migrate their config files to use <quote>krb5_server</quote> " +"instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1187 sssd-ipa.5.xml:575 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1190 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1194 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" + +#. type: Content of: <variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1200 include/krb5_options.xml:154 +msgid "krb5_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1203 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1215 sssd-krb5.5.xml:336 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1218 sssd-krb5.5.xml:339 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> configuration file." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1229 sssd-krb5.5.xml:350 +msgid "" +"See the <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more information on " +"the locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1243 +msgid "ldap_pwd_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1246 +msgid "" +"Select the policy to evaluate the password expiration on the client " +"side. The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1251 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1256 +msgid "" +"<emphasis>shadow</emphasis> - Use " +"<citerefentry><refentrytitle>shadow</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> style attributes to evaluate if the " +"password has expired. Please see option \"ldap_chpass_update_last_change\" " +"as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1264 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1273 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1281 +msgid "ldap_referrals (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1284 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1288 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1293 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement. Setting this option to " +"false is therefore recommended in case the SSSD LDAP provider is used " +"together with Microsoft Active Directory as a backend. Even if SSSD would be " +"able to follow the referral to a different AD DC no additional data would be " +"available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1312 +msgid "ldap_dns_service_name (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1315 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1319 +msgid "Default: ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1325 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1328 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1333 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1339 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1342 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1348 +msgid "" +"It is recommended to set this option explicitly if \"ldap_pwd_policy = " +"shadow\" is used to let SSSD know if the LDAP server will update " +"shadowLastChange LDAP attribute automatically after a password change or if " +"SSSD has to update it." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1362 +msgid "ldap_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1365 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1385 +msgid "Example:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:1388 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1392 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1397 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1405 sssd-ldap.5.xml:1461 +msgid "Default: Empty" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1411 +msgid "ldap_account_expire_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1414 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1418 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1425 +msgid "The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1428 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1433 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1440 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, " +"<emphasis>389ds</emphasis>: use the value of ldap_ns_account_lock to check " +"if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1446 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is " +"allowed. If both attributes are missing access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1454 +msgid "" +"Please note that the ldap_access_order configuration option " +"<emphasis>must</emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1467 +msgid "ldap_access_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1470 sssd-ipa.5.xml:405 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1474 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1477 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1487 +msgid "" +"<emphasis> Please note that this option is superseded by the " +"<quote>ppolicy</quote> option and might be removed in a future release. " +"</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1494 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1511 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1515 sssd-ipa.5.xml:413 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1525 sssd-ipa.5.xml:423 +msgid "" +"The difference between these options is the action taken if user password is " +"expired:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:1530 sssd-ipa.5.xml:428 +msgid "pwd_expire_policy_reject - user is denied to log in," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:1536 sssd-ipa.5.xml:434 +msgid "pwd_expire_policy_warn - user is still able to log in," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:1542 sssd-ipa.5.xml:440 +msgid "" +"pwd_expire_policy_renew - user is prompted to change their password " +"immediately." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to shadow or mit_kerberos, these " +"options do not work with server-side password policies." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1556 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1561 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1565 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1569 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control " +"option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1574 +msgid "Default: filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1577 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1584 +msgid "ldap_pwdlockout_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1587 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. 
Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1595 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1598 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1604 +msgid "ldap_deref (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1607 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1612 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1616 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1621 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1626 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1631 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1639 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1642 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1646 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1657 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1669 sssd-ifp.5.xml:158 +msgid "wildcard_limit (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1672 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1676 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1680 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1686 +msgid "ldap_library_debug_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1689 +msgid "" +"Switches on libldap debugging with the given level. The libldap debug " +"messages will be written independent of the general debug_level." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"OpenLDAP uses a bitmap to enable debugging for specific components, -1 will " +"enable full debug output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1699 +msgid "Default: 0 (libldap debugging disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1705 +msgid "ldap_use_ppolicy (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1708 +msgid "" +"Turns on requesting and relying on the server-side password policy " +"controls. Disabling this allows interacting with services which send back " +"invalid ppolicy extension." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_ppolicy_pwd_change_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Forces a password change when server side password policy controls are " +"enabled and remaining grace logins returned by the server after the " +"authentication reach or go below the threshold. Note that the minimum " +"useful value is 2, as changing the password consumes 2 additional grace " +"logins, one to verify the current password and a second one to perform the " +"password change." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:52 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for full details. Note " +"that SSSD LDAP mapping attributes are described in the <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1743 +msgid "SUDO OPTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1745 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1756 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1759 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1764 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval " +"</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1769 +msgid "" +"You can disable full refresh by setting this option to 0. However, either " +"smart or full refresh must be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1774 +msgid "Default: 21600 (6 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1780 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1783 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest " +"server USN value that is currently known by SSSD)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1789 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1793 +msgid "" +"<emphasis>Note:</emphasis> the highest USN value can be updated by three " +"tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " +"enumeration of users and groups (if enabled and updated users or groups are " +"found) and 3) by reconnecting to the server (by default every 15 minutes, " +"see <emphasis>ldap_connection_expire_timeout</emphasis>)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"You can disable smart refresh by setting this option to 0. However, either " +"smart or full refresh must be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1815 +msgid "ldap_sudo_random_offset (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1818 +msgid "" +"Random offset between 0 and configured value is added to smart and full " +"refresh periods each time the periodic task is scheduled. The value is in " +"seconds." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "" +"Note that this random offset is also applied on the first SSSD start which " +"delays the first sudo rules refresh. This prolongs the time when the sudo " +"rules are not available for use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1830 +msgid "You can disable this offset by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1840 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1843 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1854 +msgid "ldap_sudo_hostnames (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1857 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1862 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1867 sssd-ldap.5.xml:1890 sssd-ldap.5.xml:1908 +#: sssd-ldap.5.xml:1926 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is " +"<emphasis>false</emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1872 sssd-ldap.5.xml:1895 +msgid "Default: not specified" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1878 +msgid "ldap_sudo_ip (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1881 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1886 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1901 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1904 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1919 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1922 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> +#: sssd-ldap.5.xml:1932 +msgid "" +"Using wildcard is an operation that is very costly to evaluate on the LDAP " +"server side!" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1944 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1954 +msgid "AUTOFS OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1956 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1962 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1965 +msgid "The name of the automount master map in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1968 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:1979 +msgid "ADVANCED OPTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1986 +msgid "ldap_netgroup_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1991 +msgid "ldap_user_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1996 +msgid "ldap_group_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:2001 +msgid "<note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:2003 +msgid "" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:2010 +msgid "</note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2012 +msgid "ldap_sudo_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2017 +msgid "ldap_autofs_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:1981 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder " +"type=\"variablelist\" id=\"1\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2032 sssd-simple.5.xml:169 sssd-ipa.5.xml:984 +#: sssd-ad.5.xml:1470 sssd-idp.5.xml:248 sssd-krb5.5.xml:483 +#: sss_rpcidmapd.5.xml:98 sssd-session-recording.5.xml:176 +msgid "EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2034 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2040 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:2039 sssd-ldap.5.xml:2057 sssd-simple.5.xml:177 +#: sssd-ipa.5.xml:992 sssd-ad.5.xml:1478 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492 +#: sssd-session-recording.5.xml:182 include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2051 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2053 +msgid "" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2058 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2073 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:189 +#: sssd-ad.5.xml:1493 sssd.8.xml:270 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2075 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: pam_sss.8.xml:12 pam_sss_gss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 +#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 +#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 +#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 +#: sssd_krb5_localauth_plugin.8.xml:11 +msgid "8" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> " +"<replaceable>quiet</replaceable> </arg> <arg choice='opt'> " +"<replaceable>forward_pass</replaceable> </arg> <arg choice='opt'> " +"<replaceable>use_first_pass</replaceable> </arg> <arg choice='opt'> " +"<replaceable>use_authtok</replaceable> </arg> <arg choice='opt'> " +"<replaceable>retry=N</replaceable> </arg> <arg choice='opt'> " +"<replaceable>ignore_unknown_user</replaceable> </arg> <arg choice='opt'> " +"<replaceable>ignore_authinfo_unavail</replaceable> </arg> <arg choice='opt'> " +"<replaceable>domains=X</replaceable> </arg> <arg choice='opt'> " +"<replaceable>allow_missing_name</replaceable> </arg> <arg choice='opt'> " +"<replaceable>prompt_always</replaceable> </arg> <arg choice='opt'> " +"<replaceable>try_cert_auth</replaceable> </arg> <arg choice='opt'> " +"<replaceable>require_cert_auth</replaceable> </arg> <arg choice='opt'> " +"<replaceable>allow_chauthtok_by_root</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:67 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:73 pam_sss_gss.8.xml:89 sssd.8.xml:42 sss_obfuscate.8.xml:58 +#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 +#: sss_ssh_knownhosts.1.xml:59 +msgid "OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:77 +msgid "<option>quiet</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:80 +msgid "Suppress log messages for unknown users." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:85 +msgid "<option>forward_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:88 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:95 +msgid "<option>use_first_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:98 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied " +"access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:106 +msgid "<option>use_authtok</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:109 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:116 +msgid "<option>retry=N</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:119 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:121 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:130 +msgid "<option>ignore_unknown_user</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:133 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:140 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:144 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:151 +msgid "<option>domains</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:155 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:161 +msgid "" +"NOTE: If this is used for a service not running as root user, e.g. a " +"web-server, it must be used in conjunction with the " +"<quote>pam_trusted_users</quote> and <quote>pam_public_domains</quote> " +"options. Please see the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page for more information on these two PAM responder " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:176 +msgid "<option>allow_missing_name</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:180 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:190 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:185 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:200 +msgid "<option>prompt_always</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:204 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:215 +msgid "<option>try_cert_auth</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:219 +msgid "" +"Try to use certificate based authentication, i.e. authentication with a " +"Smartcard or similar devices. If a Smartcard is available and the service is " +"allowed for Smartcard authentication the user will be prompted for a PIN and " +"the certificate based authentication will continue" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:227 +msgid "" +"If no Smartcard is available or certificate based authentication is not " +"allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:235 +msgid "<option>require_cert_auth</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:239 +msgid "" +"Do certificate based authentication, i.e. authentication with a Smartcard " +"or similar devices. If a Smartcard is not available the user will be " +"prompted to insert one. 
SSSD will wait for a Smartcard until the timeout " +"defined by p11_wait_for_card_timeout passed, please see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:249 +msgid "" +"If no Smartcard is available after the timeout or certificate based " +"authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " +"is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:257 +msgid "<option>allow_chauthtok_by_root</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:261 +msgid "" +"By default the chauthtok PAM action will short-circuit to returning " +"PAM_SUCCESS when pam_sss.so is invoked by root user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:266 +msgid "" +"This option disables this behavior allowing to change auth tokens when " +"running as root." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:275 pam_sss_gss.8.xml:103 +msgid "MODULE TYPES PROVIDED" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:276 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:279 +msgid "" +"If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " +"not available, pam_sss will return PAM_USER_UNKNOWN when called as " +"<option>account</option> module to avoid issues with users from other " +"sources during access control." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:286 pam_sss_gss.8.xml:108 +msgid "RETURN VALUES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:289 pam_sss_gss.8.xml:111 +msgid "PAM_SUCCESS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:292 pam_sss_gss.8.xml:114 +msgid "The PAM operation finished successfully." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:297 pam_sss_gss.8.xml:119 +msgid "PAM_USER_UNKNOWN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:300 +msgid "" +"The user is not known to the authentication service or the SSSD's PAM " +"responder is not running." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:306 pam_sss_gss.8.xml:128 +msgid "PAM_AUTH_ERR" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:309 +msgid "" +"Authentication failure. Also, could be returned when there is a problem with " +"getting the certificate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:315 +msgid "PAM_PERM_DENIED" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:318 +msgid "" +"Permission denied. The SSSD log files may contain additional information " +"about the error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:324 +msgid "PAM_IGNORE" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:327 +msgid "" +"See options <option>ignore_unknown_user</option> and " +"<option>ignore_authinfo_unavail</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:333 +msgid "PAM_AUTHTOK_ERR" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:336 +msgid "" +"Unable to obtain the new authentication token. Also, could be returned when " +"the user authenticates with certificates and multiple certificates are " +"available, but the installed version of GDM does not support selection from " +"multiple certificates." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:344 pam_sss_gss.8.xml:136 +msgid "PAM_AUTHINFO_UNAVAIL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:347 pam_sss_gss.8.xml:139 +msgid "" +"Unable to access the authentication information. This might be due to a " +"network or hardware failure." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:353 +msgid "PAM_BUF_ERR" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:356 +msgid "" +"A memory error occurred. Also, could be returned when options use_first_pass " +"or use_authtok were set, but no password was found from the previously " +"stacked PAM module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:363 pam_sss_gss.8.xml:145 +msgid "PAM_SYSTEM_ERR" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:366 pam_sss_gss.8.xml:148 +msgid "" +"A system error occurred. The SSSD log files may contain additional " +"information about the error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:372 +msgid "PAM_CRED_ERR" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:375 +msgid "Unable to set the credentials of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:380 +msgid "PAM_CRED_INSUFFICIENT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:383 +msgid "" +"The application does not have sufficient credentials to authenticate the " +"user. For example, missing PIN during smartcard authentication or missing " +"factor during two-factor authentication." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:391 +msgid "PAM_SERVICE_ERR" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:394 +msgid "Error in service module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:399 +msgid "PAM_NEW_AUTHTOK_REQD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:402 +msgid "The user's authentication token has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:407 +msgid "PAM_ACCT_EXPIRED" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:410 +msgid "The user account has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:415 +msgid "PAM_SESSION_ERR" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:418 +msgid "Unable to fetch IPA Desktop Profile rules or user info." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:423 +msgid "PAM_CRED_UNAVAIL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:426 +msgid "Unable to retrieve Kerberos user credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:431 +msgid "PAM_NO_MODULE_DATA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:434 +msgid "" +"No authentication method was found by Kerberos. This might happen if the " +"user has a Smartcard assigned but the pkint plugin is not available on the " +"client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:441 +msgid "PAM_CONV_ERR" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:444 +msgid "Conversation failure." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:449 +msgid "PAM_AUTHTOK_LOCK_BUSY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:452 +msgid "No KDC suitable for password change is available." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:457 +msgid "PAM_ABORT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:460 +msgid "Unknown PAM call." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:465 +msgid "PAM_MODULE_UNKNOWN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:468 +msgid "Unsupported PAM task or command." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:473 +msgid "PAM_BAD_ITEM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:476 +msgid "The authentication module cannot handle Smartcard credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:484 +msgid "FILES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:485 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be " +"displayed. This message can e.g. contain instructions about how to reset a " +"password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:490 +msgid "" +"The message is read from the file " +"<filename>pam_sss_pw_reset_message.LOC</filename> where LOC stands for a " +"locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> " +"</citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. 
Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:500 +msgid "" +"These files are searched in the directory " +"<filename>/etc/sssd/customize/DOMAIN_NAME/</filename>. If no matching file " +"is present a generic message is displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss_gss.8.xml:11 pam_sss_gss.8.xml:16 +msgid "pam_sss_gss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss_gss.8.xml:17 +msgid "PAM module for SSSD GSSAPI authentication" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss_gss.8.xml:22 +msgid "" +"<command>pam_sss_gss.so</command> <arg choice='opt'> " +"<replaceable>debug</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:32 +msgid "" +"<command>pam_sss_gss.so</command> authenticates user over GSSAPI in " +"cooperation with SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:36 +msgid "" +"This module will try to authenticate the user using the GSSAPI hostbased " +"service name host@hostname which translates to host/hostname@REALM Kerberos " +"principal. The <emphasis>REALM</emphasis> part of the Kerberos principal " +"name is derived by Kerberos internal mechanisms and it can be set explicitly " +"in configuration of [domain_realm] section in /etc/krb5.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:44 +msgid "" +"SSSD is used to provide desired service name and to validate the user's " +"credentials using GSSAPI calls. 
If the service ticket is already present in " +"the Kerberos credentials cache or if user's ticket granting ticket can be " +"used to get the correct service ticket then the user will be authenticated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:51 +msgid "" +"If <option>pam_gssapi_check_upn</option> is True (default) then SSSD " +"requires that the credentials used to obtain the service tickets can be " +"associated with the user. This means that the principal that owns the " +"Kerberos credentials must match with the user principal name as defined in " +"LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:58 +msgid "" +"To enable GSSAPI authentication in SSSD, set " +"<option>pam_gssapi_services</option> option in [pam] or domain section of " +"sssd.conf. The service credentials need to be stored in SSSD's keytab (it is " +"already present if you use ipa or ad provider). The keytab location can be " +"set with <option>krb5_keytab</option> option. See <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> and <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more details on these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:74 +msgid "" +"Some Kerberos deployments allow to associate authentication indicators with " +"a particular pre-authentication method used to obtain the ticket granting " +"ticket by the user. <command>pam_sss_gss.so</command> allows to enforce " +"presence of authentication indicators in the service tickets before a " +"particular PAM service can be accessed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:82 +msgid "" +"If <option>pam_gssapi_indicators_map</option> is set in the [pam] or domain " +"section of sssd.conf, then SSSD will perform a check of the presence of any " +"configured indicators in the service ticket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss_gss.8.xml:93 +msgid "<option>debug</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss_gss.8.xml:96 +msgid "Print debugging information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:104 +msgid "Only the <option>auth</option> module type is provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss_gss.8.xml:122 +msgid "" +"The user is not known to the authentication service or the GSSAPI " +"authentication is not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss_gss.8.xml:131 +msgid "Authentication failure." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:159 +msgid "" +"The main use case is to provide password-less authentication in sudo but " +"without the need to disable authentication completely. To achieve this, " +"first enable GSSAPI authentication for sudo in sssd.conf:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: pam_sss_gss.8.xml:165 +#, no-wrap +msgid "" +"[domain/MYDOMAIN]\n" +"pam_gssapi_services = sudo, sudo-i\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:169 +msgid "" +"And then enable the module in desired PAM stack (e.g. /etc/pam.d/sudo and " +"/etc/pam.d/sudo-i)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: pam_sss_gss.8.xml:173 +#, no-wrap +msgid "" +"...\n" +"auth sufficient pam_sss_gss.so\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss_gss.8.xml:180 +msgid "TROUBLESHOOTING" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:182 +msgid "" +"SSSD logs, pam_sss_gss debug output and syslog may contain helpful " +"information about the error. Here are some common issues:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:186 +msgid "" +"1. I have KRB5CCNAME environment variable set and the authentication does " +"not work: Depending on your sudo version, it is possible that sudo does not " +"pass this variable to the PAM environment. Try adding KRB5CCNAME to " +"<option>env_keep</option> in /etc/sudoers or in your LDAP sudo rules default " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:193 +msgid "" +"2. Authentication does not work and syslog contains \"Server not found in " +"Kerberos database\": Kerberos is probably not able to resolve correct realm " +"for the service ticket based on the hostname. Try adding the hostname " +"directly to <option>[domain_realm]</option> in /etc/krb5.conf like so:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:200 +msgid "" +"3. Authentication does not work and syslog contains \"No Kerberos " +"credentials available\": You don't have any credentials that can be used to " +"obtain the required service ticket. Use kinit or authenticate over SSSD to " +"acquire those credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss_gss.8.xml:206 +msgid "" +"4. 
Authentication does not work and SSSD sssd-pam log contains \"User with " +"UPN [$UPN] was not found.\" or \"UPN [$UPN] does not match target user " +"[$username].\": You are using credentials that can not be mapped to the user " +"that is being authenticated. Try to use kswitch to select different " +"principal, make sure you authenticated with SSSD or consider disabling " +"<option>pam_gssapi_check_upn</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: pam_sss_gss.8.xml:214 +#, no-wrap +msgid "" +"[domain_realm]\n" +".myhostname = MYREALM\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " +"a plugin to guide all Kerberos clients on a system to a single KDC. In " +"general it should not matter to which KDC a client process is talking to. " +"But there are cases, e.g. after a password change, where not all KDCs are in " +"the same state because the new data has to be replicated first. To avoid " +"unexpected authentication failures and maybe even account lockings it would " +"be good to talk to a single KDC as long as possible." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:34 +msgid "" +"libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " +"Kerberos plugin directory, see plugin_base_dir in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for details. The plugin can only be disabled by removing the " +"plugin file. There is no option in the Kerberos configuration to disable " +"it. But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " +"disable the plugin for individual commands. Alternatively the SSSD option " +"krb5_use_kdcinfo=False can be used to not generate the data needed by the " +"plugin. With this the plugin is still called but will provide no data to the " +"caller so that libkrb5 can fall back to other methods defined in krb5.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:50 +msgid "" +"The plugin reads the information about the KDCs of a given realm from a file " +"called <filename>kdcinfo.REALM</filename>. The file should contain one or " +"more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " +"hexadecimal IPv6 notation. An optional port number can be added to the end " +"separated with a colon, the IPv6 address has to be enclosed in squared " +"brackets in this case as usual. Valid entries are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:58 +msgid "kdc.example.com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:59 +msgid "kdc.example.com:321" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:60 +msgid "1.2.3.4" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:61 +msgid "5.6.7.8:99" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:62 +msgid "2001:db8:85a3::8a2e:370:7334" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "[2001:db8:85a3::8a2e:370:7334]:321" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:65 +msgid "" +"SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " +"adds the address of the current KDC or domain controller SSSD is using to " +"this file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:70 +msgid "" +"In environments with read-only and read-write KDCs where clients are " +"expected to use the read-only instances for the general operations and only " +"the read-write KDC for config changes like password changes a " +"<filename>kpasswdinfo.REALM</filename> is used as well to identify " +"read-write KDCs. If this file exists for the given realm the content will be " +"used by the plugin to reply to requests for a kpasswd or kadmin server or " +"for the MIT Kerberos specific master KDC. If the address contains a port " +"number the default KDC port 88 will be used for the latter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:85 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:91 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:95 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:100 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " +"any value plugin will try to resolve all DNS names in kdcinfo file. By " +"default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " +"first DNS resolving failure." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:42 +msgid "" +"Groups from other domains configured in sssd.conf, even if the simple access " +"provider is used there as well, and groups managed outside of SSSD are not " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:47 +msgid "The following rules apply:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:51 +msgid "" +"It is not recommended to leave an option empty, it might cause errors. If " +"you want to allow all users, do not specify any `simple_allow_users` or " +"`simple_allow_groups`." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:58 +msgid "" +"If any list is provided, the order of evaluation is: allow → deny. This " +"means that any matching deny rule will supersede any matched allow rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:65 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in at least one of these lists (OR condition)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:72 +msgid "" +"If either or both \"deny\" lists are provided, all users are granted access " +"unless they appear in at least one of these lists (OR condition)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:91 +msgid "simple_allow_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:94 +msgid "" +"Comma-separated list of users who are allowed to log in. 
If this option is " +"specified, all other users are denied unless they are members of groups " +"listed in`simple_allow_groups`." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:103 +msgid "simple_deny_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:106 +msgid "" +"Comma-separated list of users who are explicitly denied access. If this " +"option is specified, these users will be denied regardless of whether they " +"appear in `simple_allow_users` or `simple_allow_groups`." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:112 +msgid "" +"OR Logic Applies: A user will be denied access if they are listed in " +"`simple_deny_users` or if they are a member of a group in " +"`simple_deny_groups`." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:120 +msgid "simple_allow_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:123 +msgid "" +"Comma-separated list of groups that are allowed to log in. If this option is " +"specified, all other users are denied unless they are explicitly listed in " +"`simple_allow_users`." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:129 +msgid "" +"OR Logic Applies: A user can log in if they are listed in " +"`simple_allow_users` or if they belong to a group in `simple_allow_groups`." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:134 sssd-simple.5.xml:154 +msgid "" +"This applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:141 +msgid "simple_deny_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:144 +msgid "" +"Comma-separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:149 +msgid "" +"OR Logic Applies: A user will be denied access if they are listed in " +"`simple_deny_users` or if they are a member of any group in " +"`simple_deny_groups`." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:83 sssd-ipa.5.xml:83 sssd-ad.5.xml:131 sssd-idp.5.xml:55 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:162 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:171 +msgid "" +"The following example assumes that SSSD is correctly configured and " +"example.com is one of the domains in the <replaceable>[sssd]</replaceable> " +"section. This example shows only the simple access provider-specific " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:178 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +"simple_deny_users = user3, user4\n" +"simple_allow_groups = allowed_group1\n" +"simple_deny_groups = denied_group1\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:191 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>) option." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 +msgid "" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain " +"list</quote>. All components are optional. A missing <quote>priority</quote> " +"will add the rule with the lowest priority. The default <quote>matching " +"rule</quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:39 +msgid "" +"To allow extensions or completely different style of rule the " +"<quote>mapping</quote> and <quote>matching rules</quote> can contain a " +"prefix separated with a ':' from the main part of the rule. The prefix may " +"only contain upper-case ASCII letters and numbers. If the prefix is omitted " +"the default type will be used which is 'KRB5' for the matching rules and " +"'LDAP' for the mapping rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:48 +msgid "" +"The 'sssctl' utility provides the 'cert-eval-rule' command to check if a " +"given certificate matches a matching rules and how the output of a mapping " +"rule would look like." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:55 +msgid "RULE COMPONENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "PRIORITY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. 
The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:66 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:70 +msgid "" +"If multiple rules have the same priority and only one of the related " +"matching rules applies, this rule will be chosen. If there are multiple " +"rules with the same priority which matches, one is chosen but which one is " +"undefined. To avoid this undefined behavior either use different priorities " +"or make the matching rules more specific e.g. by using distinct " +"<ISSUER> patterns." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:79 +msgid "MATCHING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:81 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to " +"match. Multiple keyword pattern pairs can be either joined with '&&' " +"(and) or '||' (or)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:90 +msgid "" +"Given the similarity to MIT Kerberos the type prefix for this rule is " +"'KRB5'. 
But 'KRB5' will also be the default for <quote>matching " +"rules</quote> so that \"<SUBJECT>.*,DC=MY,DC=DOMAIN\" and " +"\"KRB5:<SUBJECT>.*,DC=MY,DC=DOMAIN\" are equivalent." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:99 +msgid "<SUBJECT>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:102 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:108 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:121 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:124 +msgid "" +"Please note that the characters \"^.[$()|*+?{\\\" have a special meaning in " +"regular expressions and must be escaped with the help of the '\\' character " +"so that they are matched as ordinary characters." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "Example: <SUBJECT>^CN=.* \\(Admin\\),DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:135 +msgid "<ISSUER>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:138 +msgid "" +"With this a part or the whole issuer name of the certificate can be " +"matched. All comments for <SUBJECT> apply her as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:143 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:148 +msgid "<KU>key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:151 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:155 +msgid "digitalSignature" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:156 +msgid "nonRepudiation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:157 +msgid "keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:158 +msgid "dataEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:159 +msgid "keyAgreement" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:160 +msgid "keyCertSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:161 +msgid "cRLSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:162 +msgid "encipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:163 +msgid "decipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:167 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:171 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:176 +msgid "<EKU>extended-key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:179 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:183 +msgid "serverAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:184 +msgid "clientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:185 +msgid "codeSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:186 +msgid "emailProtection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:187 +msgid "timeStamping" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:188 +msgid "OCSPSigning" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:189 +msgid "KPClientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:190 +msgid "pkinit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:191 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as " +"<SAN:Principal> does." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:212 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:217 +msgid "<SAN:Principal>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:220 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:236 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:241 +msgid "<SAN:pkinit>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:244 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:252 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:255 +msgid "" +"Take the value of the otherName SAN component given by the OID in " +"dotted-decimal notation, interpret it as string and try to match it against " +"the regular expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:otherName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:276 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:281 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:284 +msgid "Match the value of the rfc822Name SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:287 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:292 +msgid "<SAN:dNSName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:295 +msgid "Match the value of the dNSName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:298 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:303 +msgid "<SAN:x400Address>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:306 +msgid "Binary match the value of the x400Address SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:309 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:314 +msgid "<SAN:directoryName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:317 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for " +"<ISSUER> and <SUBJECT> apply here as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:322 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:327 +msgid "<SAN:ediPartyName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:333 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:338 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:341 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:344 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:349 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:352 +msgid "Match the value of the iPAddress SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:355 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:360 +msgid "<SAN:registeredID>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:363 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:367 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:96 +msgid "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:375 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:377 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:382 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:392 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. 
the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:398 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:406 +msgid "" +"The default <quote>mapping rule</quote> type is 'LDAP' which can be added as " +"a prefix to a rule like e.g. " +"'LDAP:(userCertificate;binary={cert!bin})'. There is an extension called " +"'LDAPU1' which offer more templates for more flexibility. To allow older " +"versions of this library to ignore the extension the prefix 'LDAPU1' must be " +"used when using the new templates in a <quote>mapping rule</quote> otherwise " +"the old version of this library will fail with a parsing error. The new " +"templates are described in section <xref linkend=\"map_ldapu1\"/>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:424 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:427 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:433 sss-certmap.5.xml:459 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:437 sss-certmap.5.xml:463 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:441 sss-certmap.5.xml:467 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:445 +msgid "" +"Example: " +"(ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!ad})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:450 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:471 +msgid "" +"Example: " +"(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:476 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:479 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:487 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:492 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:501 +msgid "" +"Example: " +"(|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:506 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:515 +msgid "" +"Example: " +"(|(userPrincipal={subject_pkinit_principal})(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:520 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:523 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"Example: " +"(|(userPrincipalName={subject_nt_principal})(samAccountName={subject_nt_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:534 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:537 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:543 +msgid "" +"Example: " +"(|(mail={subject_rfc822_name})(uid={subject_rfc822_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:548 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:551 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:557 +msgid "Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:562 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:565 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:569 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:574 +msgid "{subject_ip_address}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:577 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:581 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:586 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:589 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:594 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:599 +msgid "{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:602 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:606 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:611 +msgid "{subject_ediparty_name}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:614 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:619 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:624 +msgid "{subject_registered_id}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:627 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:632 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:417 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><title> +#: sss-certmap.5.xml:639 +msgid "LDAPU1 extension" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para> +#: sss-certmap.5.xml:641 +msgid "The following templates are available when using the 'LDAPU1' extension:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:647 +msgid "{serial_number[!(dec|hex[_ucr])]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:650 +msgid "" +"This template will add the serial number of the certificate. By default it " +"will be printed as a hexadecimal number with lower-case letters." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:655 +msgid "" +"With the formatting option '!dec' the number will be printed as decimal " +"string. The hexadecimal output can be printed with upper-case letters " +"('!hex_u'), with a colon separating the hexadecimal bytes ('!hex_c') or with " +"the hexadecimal bytes in reverse order ('!hex_r'). The postfix letters can " +"be combined so that e.g. '!hex_uc' will produce a colon-separated " +"hexadecimal string with upper-case letters." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:665 +msgid "Example: LDAPU1:(serial={serial_number})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:671 +msgid "{subject_key_id[!hex[_ucr]]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:674 +msgid "" +"This template will add the subject key id of the certificate. 
By default it " +"will be printed as a hexadecimal number with lower-case letters." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:679 +msgid "" +"The hexadecimal output can be printed with upper-case letters ('!hex_u'), " +"with a colon separating the hexadecimal bytes ('!hex_c') or with the " +"hexadecimal bytes in reverse order ('!hex_r'). The postfix letters can be " +"combined so that e.g. '!hex_uc' will produce a colon-separated hexadecimal " +"string with upper-case letters." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:688 +msgid "Example: LDAPU1:(ski={subject_key_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:694 +msgid "{cert[!DIGEST[_ucr]]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:697 +msgid "" +"This template will add the hexadecimal digest/hash of the certificate where " +"DIGEST must be replaced with the name of a digest/hash function supported by " +"OpenSSL, e.g. 'sha512'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:703 +msgid "" +"The hexadecimal output can be printed with upper-case letters ('!sha512_u'), " +"with a colon separating the hexadecimal bytes ('!sha512_c') or with the " +"hexadecimal bytes in reverse order ('!sha512_r'). The postfix letters can be " +"combined so that e.g. '!sha512_uc' will produce a colon-separated " +"hexadecimal string with upper-case letters." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:712
+msgid "Example: LDAPU1:(dgst={cert!sha256})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:718
+msgid "{subject_dn_component[(.attr_name|[number]]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:721
+msgid ""
+"This template will add an attribute value of a component of the subject DN, "
+"by default the value of the most specific component."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:726
+msgid ""
+"A different component can be selected by either attribute name, "
+"e.g. {subject_dn_component.uid} or by position, "
+"e.g. {subject_dn_component.[2]} where positive numbers start counting from "
+"the most specific component and negative numbers start counting from the "
+"least specific component. Attribute name and the position can be combined as "
+"e.g. {subject_dn_component.uid[2]} which means that the name of the second "
+"component must be 'uid'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:737
+msgid "Example: LDAPU1:(uid={subject_dn_component.uid})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:743
+msgid "{issuer_dn_component[(.attr_name|[number]]}"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:746
+msgid ""
+"This template will add an attribute value of a component of the issuer DN, "
+"by default the value of the most specific component."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:751
+msgid ""
+"See 'subject_dn_component' for details about the attribute name and position "
+"specifiers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:755
+msgid ""
+"Example: "
+"LDAPU1:(domain={issuer_dn_component.[-2]}.{issuer_dn_component.dc[-1]})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:760
+msgid "{sid[.rid]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:763
+msgid ""
+"This template will add the SID if the corresponding extension introduced by "
+"Microsoft with the OID 1.3.6.1.4.1.311.25.2 is available. With the '.rid' "
+"selector only the last component, i.e. the RID, will be added."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:770
+msgid "Example: LDAPU1:(objectsid={sid})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:779
+msgid "DOMAIN LIST"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:781
+msgid ""
+"If the domain list is not empty users mapped to a given certificate are not "
+"only searched in the local domain but in the listed domains as well as long "
+"as they are know by SSSD. Domains not know to SSSD will be ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
+msgid "sssd-ipa"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ipa.5.xml:17
+msgid "SSSD IPA provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:23
+msgid ""
+"This manual page describes the configuration of the IPA provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> "
+"</citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:36
+msgid ""
+"The IPA provider is a back end used to connect to an IPA server. (Refer to "
+"the freeipa.org web site for information about IPA servers.) This provider "
+"requires that the machine be joined to the IPA domain; configuration is "
+"almost entirely self-discovered and obtained directly from the server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:43
+msgid ""
+"The IPA provider enables SSSD to use the <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
+"</citerefentry> identity provider and the <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
+"</citerefentry> authentication provider with optimizations for IPA "
+"environments. 
The IPA provider accepts the same options used by the "
+"sssd-ldap and sssd-krb5 providers with some exceptions. However, it is "
+"neither necessary nor recommended to set these options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:57
+msgid ""
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:62
+msgid ""
+"As an access provider, the IPA provider has a minimal configuration (see "
+"<quote>ipa_access_order</quote>) as it mainly uses HBAC (host-based access "
+"control) rules. Please refer to freeipa.org for more information about HBAC."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:68
+msgid ""
+"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is "
+"configured in sssd.conf then the id_provider must also be set to "
+"<quote>ipa</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:74
+msgid ""
+"The IPA provider will use the PAC responder if the Kerberos tickets of users "
+"from trusted realms contain a PAC. To make configuration easier the PAC "
+"responder is started automatically if the IPA ID provider is configured."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:90
+msgid "ipa_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:93
+msgid ""
+"Specifies the name of the IPA domain. This is optional. If not provided, "
+"the configuration domain name is used."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:101
+msgid "ipa_server, ipa_backup_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:104
+msgid ""
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
+"This is optional if autodiscovery is enabled. For more information on "
+"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:117
+msgid "ipa_hostname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:120
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the IPA domain to identify this host. The "
+"hostname must be fully qualified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:129 sssd-ad.5.xml:1161
+msgid "dyndns_update (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:132
+msgid ""
+"Optional. This option tells SSSD to automatically update the DNS server "
+"built into FreeIPA with the IP address of this client. The update is secured "
+"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the "
+"updates, if it is not otherwise specified by using the "
+"<quote>dyndns_iface</quote> option."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:141 sssd-ad.5.xml:1175
+msgid ""
+"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+"the default Kerberos realm must be set properly in /etc/krb5.conf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:152 sssd-ad.5.xml:1186
+msgid "dyndns_ttl (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:155 sssd-ad.5.xml:1189
+msgid ""
+"The TTL to apply to the client DNS record when updating it. If "
+"dyndns_update is false this has no effect. This will override the TTL "
+"serverside if set by an administrator."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:160
+msgid "Default: 1200 (seconds)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:166 sssd-ad.5.xml:1200
+msgid "dyndns_iface (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:169 sssd-ad.5.xml:1203
+msgid ""
+"Optional. Applicable only when dyndns_update is true. Choose the interface "
+"or a list of interfaces whose IP addresses should be used for dynamic DNS "
+"updates. The name of interface can be a wildcard pattern prefixed with "
+"<emphasis>!</emphasis> for interface excluding. First match stops the "
+"evaluation. For example list <emphasis>!eth1, *</emphasis> instruct SSSD to "
+"use all interfaces except <emphasis>eth1</emphasis>. See <emphasis>man 7 "
+"glob</emphasis> for details about patterns."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:182
+msgid ""
+"Default: Use the IP addresses of the interface which is used for IPA LDAP "
+"connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:186 sssd-ad.5.xml:1226
+msgid "Example: dyndns_iface = em[12], !vnet1, vnet*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:192 sssd-ad.5.xml:1232
+msgid "dyndns_address (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:195 sssd-ad.5.xml:1235
+msgid ""
+"Optional. Applicable only when <emphasis>dyndns_update</emphasis> is true. "
+"A list of IP addresses or IP networks to be used for dynamic DNS "
+"updates. Network addresses must be in CIDR format. An entry can be prefixed "
+"with <emphasis>!</emphasis> to indicate exclusion. The <emphasis>best "
+"match</emphasis> is used to determine whether an address is included or "
+"excluded (i.e., a longer prefix takes precedence)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:1246
+msgid "Default: No filtering of IP addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:209 sssd-ad.5.xml:1249
+msgid "Example: dyndns_address = 10.0.0.0/16, !10.0.1.0/24"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:215 sssd-ad.5.xml:1305
+msgid "dyndns_auth (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:218 sssd-ad.5.xml:1308
+msgid ""
+"Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+"updates with the DNS server, insecure updates can be sent by setting this "
+"option to 'none'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:224 sssd-ad.5.xml:1314
+msgid "Default: GSS-TSIG"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:230 sssd-ad.5.xml:1320
+msgid "dyndns_auth_ptr (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:233 sssd-ad.5.xml:1323
+msgid ""
+"Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+"PTR updates with the DNS server, insecure updates can be sent by setting "
+"this option to 'none'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:239 sssd-ad.5.xml:1329
+msgid "Default: Same as dyndns_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:245 sssd-ad.5.xml:1255
+msgid "dyndns_refresh_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:248
+msgid ""
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online. This option is "
+"optional and applicable only when dyndns_update is true."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:1273
+msgid "dyndns_update_ptr (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:264 sssd-ad.5.xml:1276
+msgid ""
+"Whether the PTR record should also be explicitly updated when updating the "
+"client's DNS records. Applicable only when dyndns_update is true."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:269
+msgid ""
+"This option should be False in most IPA deployments as the IPA server "
+"generates the PTR records automatically when forward records are changed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:275 sssd-ad.5.xml:1281
+msgid ""
+"Note that <emphasis>dyndns_update_per_family</emphasis> parameter does not "
+"apply for PTR record updates. Those updates are always sent separately."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:280
+msgid "Default: False (disabled)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:286 sssd-ad.5.xml:1292
+msgid "dyndns_force_tcp (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:1295
+msgid ""
+"Whether the nsupdate utility should default to using TCP for communicating "
+"with the DNS server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:293 sssd-ad.5.xml:1299
+msgid "Default: False (let nsupdate choose the protocol)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:299 sssd-ad.5.xml:1335
+msgid "dyndns_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:302 sssd-ad.5.xml:1338
+msgid ""
+"The DNS server to use when performing a DNS update. In most setups, it's "
+"recommended to leave this option unset."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:307 sssd-ad.5.xml:1343
+msgid ""
+"Setting this option makes sense for environments where the DNS server is "
+"different from the identity server or when we use encrypted DNS."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:312 sssd-ad.5.xml:1348
+msgid ""
+"The parameter can be a simple string containing DNS name or IP address. It "
+"can also be an URI. The URI can look like "
+"<emphasis>dns://servername/</emphasis> or "
+"<emphasis>dns+tls://1.2.3.4:853#servername/</emphasis>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:319 sssd-ad.5.xml:1355
+msgid ""
+"The second example enables DNS-over-TLS protocol for DNS updates. The "
+"nsupdate utility must support DoT - check the <emphasis>man "
+"nsupdate</emphasis> before enabling it in SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:325 sssd-ad.5.xml:1361
+msgid ""
+"Please note that this option will be only used in fallback attempt when "
+"previous attempt using autodetected settings failed or when DNS-over-TLS is "
+"enabled."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:331 sssd-ad.5.xml:1367
+msgid "Default: None (let nsupdate choose the server)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:337 sssd-ad.5.xml:1373
+msgid "dyndns_update_per_family (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:340 sssd-ad.5.xml:1376
+msgid ""
+"DNS update is by default performed in two steps - IPv4 update and then IPv6 "
+"update. In some cases it might be desirable to perform IPv4 and IPv6 update "
+"in single step."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:352 sssd-ad.5.xml:1388
+msgid "dyndns_dot_cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:355 sssd-ad.5.xml:1391
+msgid ""
+"This option specifies the file of the certificate authorities certificates "
+"(in PEM format) in order to verify the remote server TLS certificate when "
+"using DoT."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:361 sssd-ad.5.xml:1397
+msgid "Default: None (use global certificate store)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:367 sssd-ad.5.xml:1403
+msgid "dyndns_dot_cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:370 sssd-ad.5.xml:1406
+msgid ""
+"This option sets the certificate(s) file for authentication for the DoT "
+"transport to the remote server. 
The certificate chain file is expected to be "
+"in PEM format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:376 sssd-ad.5.xml:1412
+msgid ""
+"The <emphasis>dyndns_dot_cert</emphasis> and "
+"<emphasis>dyndns_dot_key</emphasis> options must be both set to achieve "
+"mutual TLS authentication."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:381 sssd-ipa.5.xml:396 sssd-ad.5.xml:1417 sssd-ad.5.xml:1432
+msgid "Default: None (Do not use TLS authentication)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:387 sssd-ad.5.xml:1423
+msgid "dyndns_dot_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:390 sssd-ad.5.xml:1426
+msgid ""
+"This option sets the key file for authenticated encryption for the DoT "
+"transport to the remote server. The private key file is expected to be in "
+"PEM format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:402
+msgid "ipa_access_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:409
+msgid "<emphasis>expire</emphasis>: use IPA's account expiration policy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:448
+msgid ""
+"Please note that 'access_provider = ipa' must be set for this feature to "
+"work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:455
+msgid "ipa_deskprofile_search_base (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:458
+msgid ""
+"Optional. Use the given string as search base for Desktop Profile related "
+"objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:462 sssd-ipa.5.xml:484
+msgid "Default: Use base DN"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:468
+msgid "ipa_subid_ranges_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:471
+msgid "Deprecated. Use ldap_subid_ranges_search_base instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:477
+msgid "ipa_hbac_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:480
+msgid "Optional. Use the given string as search base for HBAC related objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:490
+msgid "ipa_host_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:493
+msgid "Deprecated. Use ldap_host_search_base instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:499
+msgid "ipa_selinux_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:502
+msgid "Optional. Use the given string as search base for SELinux user maps."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:518
+msgid "ipa_subdomains_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:521
+msgid "Optional. Use the given string as search base for trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:530
+msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:537
+msgid "ipa_master_domain_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:540
+msgid "Optional. Use the given string as search base for master domain object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:549
+msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:556
+msgid "ipa_views_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:559
+msgid "Optional. Use the given string as search base for views containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:568
+msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:578
+msgid ""
+"The name of the Kerberos realm. 
This is optional and defaults to the value "
+"of <quote>ipa_domain</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:582
+msgid ""
+"The name of the Kerberos realm has a special meaning in IPA - it is "
+"converted into the base DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:590 sssd-ad.5.xml:1441
+msgid "krb5_confd_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:593 sssd-ad.5.xml:1444
+msgid ""
+"Absolute path of a directory where SSSD should place Kerberos configuration "
+"snippets."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:597 sssd-ad.5.xml:1448
+msgid ""
+"To disable the creation of the configuration snippets set the parameter to "
+"'none'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:601 sssd-ad.5.xml:1452
+msgid "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:608
+msgid "ipa_deskprofile_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:611
+msgid ""
+"The amount of time between lookups of the Desktop Profile rules against the "
+"IPA server. This will reduce the latency and load on the IPA server if there "
+"are many desktop profiles requests made in a short period."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:618 sssd-ipa.5.xml:648 sssd-ipa.5.xml:664 sssd-ad.5.xml:600
+msgid "Default: 5 (seconds)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:624
+msgid "ipa_deskprofile_request_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:627
+msgid ""
+"The amount of time between lookups of the Desktop Profile rules against the "
+"IPA server in case the last request did not return any rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:632
+msgid "Default: 60 (minutes)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:638
+msgid "ipa_hbac_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:641
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA "
+"server. This will reduce the latency and load on the IPA server if there are "
+"many access-control requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:654
+msgid "ipa_hbac_selinux (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:657
+msgid ""
+"The amount of time between lookups of the SELinux maps against the IPA "
+"server. This will reduce the latency and load on the IPA server if there are "
+"many user login requests made in a short period."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:670
+msgid "ipa_server_mode (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:673
+msgid ""
+"This option will be set by the IPA installer (ipa-server-install) "
+"automatically and denotes if SSSD is running on an IPA server or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:678
+msgid ""
+"On an IPA server SSSD will lookup users and groups from trusted domains "
+"directly while on a client it will ask an IPA server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:683
+msgid ""
+"NOTE: There are currently some assumptions that must be met when SSSD is "
+"running on an IPA server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:688
+msgid ""
+"The <quote>ipa_server</quote> option must be configured to point to the IPA "
+"server itself. This is already the default set by the IPA installer, so no "
+"manual change is required."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:697
+msgid ""
+"The <quote>full_name_format</quote> option must not be tweaked to only print "
+"short names for users from trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:712
+msgid "ipa_automount_location (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:715 +msgid "The automounter location this IPA client will be using" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:718 +msgid "Default: The location named \"default\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:726 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:735 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:738 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:741 +msgid "Default: nsContainer" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:747 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:750 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:754 sssd-ldap-attributes.5.xml:496 +#: sssd-ldap-attributes.5.xml:832 sssd-ldap-attributes.5.xml:913 +#: sssd-ldap-attributes.5.xml:1010 sssd-ldap-attributes.5.xml:1068 +#: sssd-ldap-attributes.5.xml:1226 sssd-ldap-attributes.5.xml:1271 +msgid "Default: cn" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:760 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:763 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:766 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:772 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:775 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:779 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:785 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:788 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:793 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:796 +msgid "ldap_user_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:799 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:802 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:805 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:808 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:811 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:814 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:819 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:825 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:828 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:833 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:836 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:839 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:844 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:728 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:856 +msgid "SUBDOMAINS PROVIDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:858 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:862 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:868 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of " +"sssd.conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:879 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:887 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:881 +msgid "" +"Some configuration options can also be set for a trusted domain. A trusted " +"domain configuration can be set using the trusted domain subsection as shown " +"in the example below. Alternatively, the <quote>subdomain_inherit</quote> " +"option can be used in the parent domain. <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:892 +msgid "" +"For more details, see the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:899 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:904 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:906 +msgid "The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:910 sssd-ipa.5.xml:950 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:913 +msgid "ad_backup_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:916 sssd-ipa.5.xml:953 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:919 +msgid "ipa_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:922 +msgid "ipa_backup_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:925 +msgid "ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:928 +msgid "ldap_user_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:931 +msgid "ldap_group_search_base" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:939 +msgid "" +"Options prefixed with 'ad_' or 'ipa_' only apply to their respective " +"subdomain type." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:944 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:946 +msgid "" +"The following options can be set in an AD subdomain section on an IPA " +"client:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:958 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:962 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to " +"<quote>kdcinfo</quote> files read by the Kerberos locator plugin. Please " +"refer to the <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:986 +msgid "" +"The following example assumes that SSSD is correctly configured and " +"example.com is one of the domains in the <replaceable>[sssd]</replaceable> " +"section. This examples shows only the ipa provider-specific options." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:993 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory " +"server. This provider requires that the machine be joined to the AD domain " +"and a keytab is available. Back end communication occurs over a " +"GSSAPI-encrypted channel, SSL/TLS options should not be used with the AD " +"provider and will be superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or " +"later. Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. 
In addition servers from trusted domains are always " +"auto-discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> identity provider and the <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> authentication provider with optimizations for Active " +"Directory environments. The AD provider accepts the same options used by the " +"sssd-ldap and sssd-krb5 providers with some exceptions. However, it is " +"neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to " +"<quote>ad</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. 
For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as " +"case-insensitive in the AD provider for compatibility with Active " +"Directory's LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:113 +msgid "" +"SSSD only resolves Active Directory Security Groups. For more information " +"about AD group types see: <ulink " +"url=\"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups\"> " +"Active Directory security groups</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:120 +msgid "" +"SSSD filters out Domain Local groups from remote domains in the AD " +"forest. By default they are filtered out e.g. when following a nested group " +"hierarchy in remote domains because they are not valid in the local " +"domain. 
This is done to be in agreement with Active Directory's " +"group-membership assignment which can be seen in the PAC of the Kerberos " +"ticket of a user issued by Active Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:138 +msgid "ad_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:141 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:151 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:158 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:161 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"discovered domains from the AD forest will be available." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:168 +msgid "" +"During the discovery of the domains SSSD will filter out some domains where " +"flags or attributes indicate that they do not belong to the local forest or " +"are not trusted. If ad_enabled_domains is set, SSSD will try to enable all " +"listed domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:179 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:175 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:183 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_server, ad_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:203 +msgid "" +"This is optional if autodiscovery is enabled. 
For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:208 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:216 +msgid "ad_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:219 +msgid "" +"Optional. On machines where the hostname(5) does not reflect the fully " +"qualified name, sssd will try to expand the short name. If it is not " +"possible or the short name should be really used instead, set this parameter " +"explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:226 +msgid "" +"This field is used to determine the host principal in use in the keytab and " +"to perform dynamic DNS updates. It must match the hostname for which the " +"keytab was issued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:235 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:238 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:242 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:258 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:261 +msgid "" +"Specifies an LDAP access control filter that a user must match to gain " +"access. The <quote>access_provider</quote> option must be explicitly set to " +"<quote>ad</quote> for this option to take effect. If you want to use the " +"<quote>ad_access_filter</quote> as the only access control scheme, you must " +"disable GPO based access control (see option " +"<quote>ad_gpo_access_control</quote> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:270 +msgid "" +"The option also supports specifying different filters per domain or " +"forest. This extended filter would consist of: " +"<quote>KEYWORD:NAME:FILTER</quote>. The keyword can be either " +"<quote>DOM</quote>, <quote>FOREST</quote> or missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then " +"<quote>NAME</quote> specifies the domain or subdomain the filter applies " +"to. 
If the keyword equals to <quote>FOREST</quote>, then the filter equals " +"to all domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:286 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:291 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full " +"DOM:domain.example.org: syntax to ensure the parser does not attempt to " +"interpret the colon characters associated with the OID. If you do not use " +"this OID then nested group membership will not be resolved. See usage " +"example below and refer here for further information about the OID: <ulink " +"url=\"https://msdn.microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] " +"section LDAP extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:304 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the " +"per-domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:315 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:334 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:337 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:348 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:351 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. 
The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:373 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:376 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to the host. For more " +"information on the supported policy settings please refer to the " +"<quote>ad_gpo_map</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:393 +msgid "" +"Please note that current version of SSSD does not support Active Directory's " +"built-in groups. Built-in groups (such as Administrators with SID " +"S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " +"upstream issue tracker https://github.com/SSSD/sssd/issues/5063 ." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:402 +msgid "" +"Before performing access control SSSD applies group policy security " +"filtering on the GPOs. 
For every single user login, the applicability of the " +"GPOs that are linked to the host is checked. In order for a GPO to apply to " +"a user, the user or at least one of the groups to which it belongs must have " +"following permissions on the GPO:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:412 +msgid "" +"Read: The user or one of its groups must have read access to the properties " +"of the GPO (RIGHT_DS_READ_PROPERTY)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:419 +msgid "" +"Apply Group Policy: The user or at least one of its groups must be allowed " +"to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:427 +msgid "" +"By default, the Authenticated Users group is present on a GPO and this group " +"has both Read and Apply Group Policy access rights. Since authentication of " +"a user must have been completed successfully before GPO security filtering " +"and access control are started, the Authenticated Users group permissions on " +"the GPO always apply also to the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:436 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. 
By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing. For logging GPO-based access control debug level 'trace " +"functions' is required (see <citerefentry> " +"<refentrytitle>sssctl</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> manual page)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:455 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:459 +msgid "disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:465 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:471 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:482 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:485 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:491 +msgid "ad_gpo_implicit_deny (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:494 +msgid "" +"Normally when no applicable GPOs are found the users are allowed " +"access. When this option is set to True users will be allowed access only " +"when explicitly allowed by a GPO rule. Otherwise users will be denied " +"access. This can be used to harden security but be careful when using this " +"option because it can deny access even to users in the built-in " +"Administrators group if no GPO rules apply to them." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:510 +msgid "" +"The following 2 tables should illustrate when a user is allowed or rejected " +"based on the allow and deny login rights defined on the server-side and the " +"setting of ad_gpo_implicit_deny." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> +#: sssd-ad.5.xml:522 +msgid "ad_gpo_implicit_deny = False (default)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> +#: sssd-ad.5.xml:523 sssd-ad.5.xml:549 +msgid "allow-rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> +#: sssd-ad.5.xml:523 sssd-ad.5.xml:549 +msgid "deny-rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> +#: sssd-ad.5.xml:524 sssd-ad.5.xml:550 +msgid "results" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> +#: sssd-ad.5.xml:527 sssd-ad.5.xml:530 sssd-ad.5.xml:533 sssd-ad.5.xml:553 +#: sssd-ad.5.xml:556 sssd-ad.5.xml:559 +msgid "missing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> +#: sssd-ad.5.xml:528 +msgid "all users are allowed" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> +#: sssd-ad.5.xml:530 sssd-ad.5.xml:533 sssd-ad.5.xml:536 sssd-ad.5.xml:556 +#: sssd-ad.5.xml:559 sssd-ad.5.xml:562 +msgid "present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> +#: sssd-ad.5.xml:531 +msgid "only users not in deny-rules are allowed" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> +#: sssd-ad.5.xml:534 sssd-ad.5.xml:560 +msgid "only users in allow-rules are allowed" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> +#: sssd-ad.5.xml:537 sssd-ad.5.xml:563 +msgid "only users in allow-rules and not in deny-rules are allowed" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> +#: sssd-ad.5.xml:548 +msgid "ad_gpo_implicit_deny = True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> +#: sssd-ad.5.xml:554 sssd-ad.5.xml:557 +msgid "no users are allowed" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:570 +msgid "ad_gpo_ignore_unreadable (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:573 +msgid "" +"Normally when some group policy containers (AD object) of applicable group " +"policy objects are not readable by SSSD then users are denied access. This " +"option allows to ignore group policy containers and with them associated " +"policies if their attributes in group policy containers are not readable for " +"SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:590 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:606 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:609 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " +"for which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny interactive logon setting for the user or one of its groups, the user " +"is denied local access. 
If none of the evaluated GPOs has an interactive " +"logon right defined, the user is granted local access. If at least one " +"evaluated GPO contains interactive logon right settings, the user is granted " +"local access only, if it or at least one of its groups is part of the policy " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:641 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:632 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right " +"(e.g. <quote>login</quote>) with a custom pam service name " +"(e.g. <quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:664 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:684 +msgid "lightdm" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:689 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:694 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:699 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:704 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:713 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:716 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " +"evaluated for which the user has Read and Apply Group Policy permission (see " +"option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " +"the deny remote logon setting for the user or one of its groups, the user is " +"denied remote interactive access. If none of the evaluated GPOs has a " +"remote interactive logon right defined, the user is granted remote " +"access. If at least one evaluated GPO contains remote interactive logon " +"right settings, the user is granted remote access only, if it or at least " +"one of its groups is part of the policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:735 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:750 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:741 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right " +"(e.g. <quote>sshd</quote>) with a custom pam service name " +"(e.g. <quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:758 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:763 +msgid "cockpit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:772 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:775 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny network logon setting for the user or one of its groups, the user is " +"denied network logon access. If none of the evaluated GPOs has a network " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains network logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:793 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:808 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:799 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right " +"(e.g. <quote>ftp</quote>) with a custom pam service name " +"(e.g. 
<quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "ftp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:830 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:833 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings. Only those GPOs are evaluated for which the user has Read " +"and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " +"deny batch logon setting for the user or one of its groups, the user is " +"denied batch logon access. If none of the evaluated GPOs has a batch logon " +"right defined, the user is granted logon access. If at least one evaluated " +"GPO contains batch logon right settings, the user is granted logon access " +"only, if it or at least one of its groups is part of the policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:865 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:856 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right " +"(e.g. <quote>crond</quote>) with a custom pam service name " +"(e.g. <quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:868 +msgid "Note: Cron service name may differ depending on Linux distribution used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:874 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:883 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:886 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " +"which the user has Read and Apply Group Policy permission (see option " +"<quote>ad_gpo_access_control</quote>). 
If an evaluated GPO contains the " +"deny service logon setting for the user or one of its groups, the user is " +"denied service logon access. If none of the evaluated GPOs has a service " +"logon right defined, the user is granted logon access. If at least one " +"evaluated GPO contains service logon right settings, the user is granted " +"logon access only, if it or at least one of its groups is part of the policy " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:904 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:917 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:909 sssd-ad.5.xml:984 +msgid "" +"It is possible to add a PAM service name to the default set by using " +"<quote>+service_name</quote>. Since the default set is empty, it is not " +"possible to remove a PAM service name from the default set. For example, in " +"order to add a custom pam service name (e.g. <quote>my_pam_service</quote>), " +"you would use the following configuration: <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:927 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:930 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:944 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:935 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name " +"(e.g. <quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:952 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:967 +msgid "systemd-user" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:976 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:979 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:992 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:1002 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1005 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1018 +msgid "Supported values for this option include:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:1027 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:1032 +msgid "network" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:1037 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:1042 +msgid "service" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:1047 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:1052 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1058 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:1064 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1067 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1073 +msgid "Default: 30 days" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:1079 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1082 +msgid "" +"This option should only be used to test the machine account renewal " +"task. The option expects 3 integers and a string separated by a colon " +"(':'). The first integer defines the interval in seconds how often the task " +"is run. The second specifies the initial timeout in seconds before the task " +"is run for the first time after startup. 
The optional third value specifies " +"a maximal random offset to the previous two values to avoid updates of many " +"hosts at the same time (\"thundering herd problem\"). If this value is " +"missing or empty in the value string '0' will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1096 +msgid "" +"The optional fourth string value identifies the helper binary which should " +"be used for the renewal. Currently <command>adcli</command> and " +"<command>realm</command> are supported. If this value is missing or empty in " +"the value string <command>realm</command> will be used. Since the helper is " +"started as the user SSSD is running as there might be the chance that the " +"renewal will fail if this user does not has permissions to modify the keytab " +"file where the machine account credentials are stored. This will typically " +"be the case for <command>adcli</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1110 +msgid "" +"<command>realm</command> is not updating the keytab directly but is calling " +"the <command>realmd</command> process, which runs as root user, for this " +"task. <command>realmd</command> can allow access to non-privileged users " +"with the help of PolicyKit and by default SSSD provides suitable rules for " +"the user SSSD is running as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1119 +msgid "Default: 86400:750:300:realm (24h, 12m30s and 5m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:1125 +msgid "ad_update_samba_machine_account_password (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1128 +msgid "" +"If enabled, when SSSD renews the machine account password, it will also be " +"updated in Samba's database. This prevents Samba's copy of the machine " +"account password from getting out of date when it is set up to use AD for " +"authentication." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:1141 +msgid "ad_use_ldaps (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1144 +msgid "" +"By default SSSD uses the plain LDAP port 389 and the Global Catalog port " +"3628. If this option is set to True SSSD will use the LDAPS port 636 and " +"Global Catalog port 3629 with LDAPS protection. Since AD does not allow to " +"have multiple encryption layers on a single connection and we still want to " +"use SASL/GSSAPI or SASL/GSS-SPNEGO for authentication the SASL security " +"property maxssf is set to 0 (zero) for those connections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1164 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1194 +msgid "Default: 3600 (seconds)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1216 +msgid "" +"NOTE: While it is still possible to use the old " +"<emphasis>ipa_dyndns_iface</emphasis> option, users should migrate to using " +"<emphasis>dyndns_iface</emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1222 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:1258 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1472 +msgid "" +"The following example assumes that SSSD is correctly configured and " +"example.com is one of the domains in the <replaceable>[sssd]</replaceable> " +"section. This example shows only the AD provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1479 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1499 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1495 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1505 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1513 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> file (which should contain rules " +"that apply to local users) and then in SSSD, the nsswitch.conf file should " +"contain the following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> to your NIS domain name (which equals to IPA domain name " +"when using hostgroups)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. To speed up the LDAP lookups, you " +"can also set search base for sudo rules using " +"<emphasis>ldap_sudo_search_base</emphasis> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase " +"condition=\"have_systemd\"> It's important to note that on platforms where " +"systemd is supported there's no need to add the \"sudo\" provider to the " +"list of services, as it became optional. However, sssd-sudo.socket must be " +"enabled instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:117 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). 
If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree " +"(ou=sudoers,$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:127 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:129 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:137 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:143 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the " +"server. This is used to keep the cache consistent by removing every rule " +"which was deleted from the server. However, full refresh may produce a lot " +"of traffic and thus it should be run only occasionally depending on the size " +"and stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:151 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. 
It is triggered each time the user runs " +"sudo. Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been " +"deleted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:160 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this " +"machine. This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:167 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:172 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:177 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:182 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:187 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:192 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:198 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. 
Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> and \"sudo_*\" in <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:212 +msgid "Tuning the performance" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:214 +msgid "" +"SSSD uses different kinds of mechanisms with more or less complex LDAP " +"filters to keep the cached sudo rules up to date. The default configuration " +"is set to values that should satisfy most of our users, but the following " +"paragraphs contain few tips on how to fine- tune the configuration to your " +"requirements." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:221 +msgid "" +"1. <emphasis>Index LDAP attributes</emphasis>. Make sure that following LDAP " +"attributes are indexed: objectClass, cn, entryUSN or modifyTimestamp." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:226 +msgid "" +"2. <emphasis>Set ldap_sudo_search_base</emphasis>. Set the search base to " +"the container that holds the sudo rules to limit the scope of the lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:231 +msgid "" +"3. <emphasis>Set full and smart refresh interval</emphasis>. If your sudo " +"rules do not change often and you do not require quick update of cached " +"rules on your clients, you may consider increasing the " +"<emphasis>ldap_sudo_full_refresh_interval</emphasis> and " +"<emphasis>ldap_sudo_smart_refresh_interval</emphasis>. You may also consider " +"disabling the smart refresh by setting " +"<emphasis>ldap_sudo_smart_refresh_interval = 0</emphasis>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:240 +msgid "" +"4. If you have large number of clients, you may consider increasing the " +"value of <emphasis>ldap_sudo_random_offset</emphasis> to distribute the load " +"on the server better." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-idp.5.xml:10 sssd-idp.5.xml:16 +msgid "sssd-idp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-idp.5.xml:17 +msgid "SSSD IdP provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-idp.5.xml:23 +msgid "" +"This manual page describes the configuration of the IdP provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-idp.5.xml:36 +msgid "" +"The IdP provider is a back end used to connect to an OAuth 2.0 and REST " +"based identity provider (IdP). Since products might have individual " +"implementation of the REST API for looking up user and group attributes " +"dedicated code might be required, see the <quote>idp_type</quote> option for " +"details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-idp.5.xml:43 +msgid "" +"IdPs typically do not provide POSIX attributes like e.g. user Id (UID) or " +"home directory. SSSD's IdP provider will autogenerate the needed " +"attributes. The default algorithm to generate user IDs (UIDs) and group IDs " +"(GIDs) aims to create reproducible IDs on different systems. 
As a drawback " +"it might happen that the algorithm assigns the same ID to different objects " +"and only the first one requested via SSSD will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-idp.5.xml:62 +msgid "idp_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:65 +msgid "" +"Required option that specifies the IdP product. Currently Entra ID " +"(entra_id) and Keycloak (keycloak) are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:70 +msgid "" +"Depending on the IdP product additional platform specific options might " +"follow the name separated by a colon (:). E.g. for Keycloak the base URI for " +"the user and group REST API must be given. For Entra ID this is not needed " +"because there is a generic endpoint for all tenants." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:78 sssd-idp.5.xml:94 sssd-idp.5.xml:119 +msgid "Default: Not set (Required)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-idp.5.xml:83 +msgid "idp_client_id (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:86 +msgid "" +"ID of the IdP client used by SSSD to authenticate users and as a client to " +"lookup user and group attributes. This client must offer device " +"authorization according to RFC-8628 and must have permissions to search and " +"read user and group attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-idp.5.xml:99 +msgid "idp_client_secret (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:102 +msgid "" +"Password of the IdP client. The password is required for the id_provider. If " +"only used as auth_provider it depends on the server side configuration if it " +"is required or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-idp.5.xml:113 +msgid "idp_token_endpoint (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:116 +msgid "IdP endpoint for requesting access tokens." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-idp.5.xml:124 +msgid "idp_device_auth_endpoint (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:127 +msgid "" +"IdP endpoint for device authorization according to RFC-8628. This is " +"required for user authentication." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-idp.5.xml:137 +msgid "idp_userinfo_endpoint (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:140 +msgid "" +"IdP userinfo endpoint to request user attributes after a successful " +"authentication of the user. Required for authentication." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-idp.5.xml:150 +msgid "idp_id_scope (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:153 +msgid "" +"Scope required for looking up user and group attributes with the REST " +"API. 
The scopes are used by the server to determine which attributes/claims " +"are returned to the caller." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-idp.5.xml:164 +msgid "idp_auth_scope (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:167 +msgid "" +"Scope required during authentication. The scopes are used by the server to " +"determine which attributes/claims are returned to the caller." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:172 +msgid "" +"Currently the tokens returned during user authentication are not used for " +"other purposes hence the only important claim is the subject identifier " +"'sub' which is used to check if the authenticated user is the one trying to " +"log in. This might change in future." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-idp.5.xml:185 +msgid "idp_request_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:188 +msgid "Timeout in seconds for an individual request to the IdP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-idp.5.xml:197 +msgid "idmap_range_min (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:200 +msgid "" +"Specifies the lower (inclusive) bound of the range of POSIX IDs to use for " +"mapping IdP users and group to POSIX IDs. It is the first POSIX ID which can " +"be used for the mapping." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:206 +msgid "" +"The interval between <quote>idmap_range_min</quote> and " +"<quote>idmap_range_max</quote> will be split into smaller ranges of size " +"<quote>idmap_range_size</quote> which will be used by an individual IdP " +"domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:213 sssd-idp.5.xml:239 include/ldap_id_mapping.xml:139 +#: include/ldap_id_mapping.xml:197 +msgid "Default: 200000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-idp.5.xml:218 +msgid "idmap_range_max (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:221 +msgid "" +"Specifies the upper (exclusive) bound of the range of POSIX IDs to use for " +"mapping IdP users and groups to POSIX IDs. It is the first POSIX ID which " +"will not be used for POSIX ID-mapping anymore." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:227 include/ldap_id_mapping.xml:165 +msgid "Default: 2000200000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-idp.5.xml:232 +msgid "idmap_range_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-idp.5.xml:235 +msgid "Specifies the number of POSIX IDs available for a single IdP domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-idp.5.xml:251 +#, no-wrap +msgid "" +"[domain/entra_id]\n" +"id_provider = idp\n" +"idp_type = entra_id\n" +"idp_client_id = 12345678-abcd-0101-efef-ba9876543210\n" +"idp_client_secret = YOUR-CLIENT-SCERET\n" +"idp_token_endpoint = " +"https://login.microsoftonline.com/TENNANT-ID/oauth2/v2.0/token\n" +"idp_userinfo_endpoint = https://graph.microsoft.com/v1.0/me\n" +"idp_device_auth_endpoint = " +"https://login.microsoftonline.com/TENNANT-ID/oauth2/v2.0/devicecode\n" +"idp_id_scope = https%3A%2F%2Fgraph.microsoft.com%2F.default\n" +"idp_auth_scope = openid profile email\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-idp.5.xml:263 +#, no-wrap +msgid "" +"[domain/keycloak]\n" +"idp_type = " +"keycloak:https://master.keycloak.test:8443/auth/admin/realms/master/\n" +"id_provider = idp\n" +"idp_client_id = myclient\n" +"idp_client_secret = YOUR-CLIENT-SCERET\n" +"idp_token_endpoint = " +"https://master.keycloak.test:8443/auth/realms/master/protocol/openid-connect/token\n" +"idp_userinfo_endpoint = " +"https://master.keycloak.test:8443/auth/realms/master/protocol/openid-connect/userinfo\n" +"idp_device_auth_endpoint = " +"https://master.keycloak.test:8443/auth/realms/master/protocol/openid-connect/auth/device\n" +"idp_id_scope = profile\n" +"idp_auth_scope = openid profile email\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-idp.5.xml:250 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <placeholder " +"type=\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> " +"<replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "Location where SSSD will send log messages." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:92 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:96 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:102 +msgid "<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:106 +msgid "Default: not set (fall back to journald if available, otherwise to stderr)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:113 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:117 +msgid "Become a daemon after starting up." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:123 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:127 +msgid "Run in the foreground, don't become a daemon." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:133 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:137 +msgid "" +"Specify a non-default config file. The default is " +"<filename>/etc/sssd/sssd.conf</filename>. For reference on the config file " +"syntax and options, consult the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:151 +msgid "<option>--version</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:155 +msgid "Print version number and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:163 +msgid "Signals" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:166 +msgid "SIGTERM/SIGINT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:169 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:175 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:178 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:186 +msgid "SIGUSR1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:189 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:198 +msgid "SIGUSR2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:201 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:208 +msgid "SIGRTMIN+1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:211 +msgid "" +"Tells the SSSD to reschedule the periodic tasks. The internal watchdog sends " +"this signal to the providers when a clock shift is detected although it can " +"be sent to any sssd_be process directly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:223 sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhosts.1.xml:116 +msgid "EXIT STATUS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:226 +msgid "0" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:229 +msgid "SSSD was shutdown gracefully." +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.8.xml:234 sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhosts.1.xml:11 +msgid "1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:237 +msgid "Bad configuration or command line option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:242 +msgid "2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:245 +msgid "Memory allocation error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:250 +msgid "6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:253 +msgid "SSSD is already running." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:258 +msgid "Other codes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:261 +msgid "" +"Other codes denote different errors, most probably about missing required " +"access rights. See SSSD and system logs for details." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:272 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:276 +msgid "" +"If the environment variable SSS_LOCKFREE is set to \"NO\", requests from " +"multiple threads of a single application will be serialized." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>[PASSWORD]</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into " +"human-unreadable format and places it into appropriate domain section of the " +"SSSD config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more details on these parameters." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhosts.1.xml:63 +msgid "" +"<option>-d</option>,<option>--domain</option> " +"<replaceable>DOMAIN</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is " +"<quote>default</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg " +"choice='plain'><replaceable>COMMAND</replaceable></arg> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:48 +msgid "" +"<emphasis>NOTE:</emphasis> The options provided in this man page only work " +"with <quote>ldap</quote> and <quote>AD</quote> <quote> " +"id_provider</quote>. IPA overrides can be managed centrally on the IPA " +"server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:56 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:58 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:65 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> " +"<optional><option>-n,--name</option> NAME</optional> " +"<optional><option>-u,--uid</option> UID</optional> " +"<optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> " +"<optional><option>-s,--shell</option> SHELL</optional> " +"<optional><option>-c,--gecos</option> GECOS</optional> " +"<optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:78 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:86 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:91 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:100 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> " +"DOMAIN</optional>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:105 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:113 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:118 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:124 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:129 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:134 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:137 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:146 +msgid "ckent:superman::::::" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:149 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:155 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:160 +msgid "" +"Export all overridden attributes and store them in " +"<emphasis>FILE</emphasis>. See <emphasis>user-import</emphasis> for data " +"format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:168 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> " +"<optional><option>-n,--name</option> NAME</optional> " +"<optional><option>-g,--gid</option> GID</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:175 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:183 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:188 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:197 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> " +"DOMAIN</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:202 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:210 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:215 +msgid "Show group overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:221 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:226 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:231 +msgid "original_name:name:gid" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:234 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:243 +msgid "admins:administrators:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:246 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:252 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:257 +msgid "" +"Export all overridden attributes and store them in " +"<emphasis>FILE</emphasis>. See <emphasis>group-import</emphasis> for data " +"format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:267 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:269 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:274 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, please refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> " +"<refentrytitle>k5login</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry> for more details. Please note that an empty .k5login file " +"will deny all access to this user. To activate this feature, use " +"'access_provider = krb5' in your SSSD configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of " +"preference. For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 include/override_homedir.xml:53 +msgid "%h" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:128 +msgid "home directory" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:68 +msgid "%%" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:69 +msgid "a literal '%'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is " +"<quote>KEYRING:persistent:%U</quote>, which uses the Linux kernel keyring to " +"store credentials on a per-UID basis. This is also the recommended choice, " +"as it is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> uses different expansion sequences " +"than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_keytab (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:253 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:256 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:261 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:274 +msgid "krb5_use_fast (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:277 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos " +"pre-authentication. The following options are supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:282 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:286 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:291 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:296 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:299 +msgid "NOTE: a keytab or support for anonymous PKINIT is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:303 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:312 +msgid "krb5_fast_principal (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:315 +msgid "Specifies the server principal to use for FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:321 +msgid "krb5_fast_use_anonymous_pkinit (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:324 +msgid "" +"If set to true try to use anonymous PKINIT instead of a keytab to get the " +"required credential for FAST. The krb5_fast_principal options is ignored in " +"this case." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:364 +msgid "krb5_kdcinfo_lookahead (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:367 +msgid "" +"When krb5_use_kdcinfo is set to true, you can limit the amount of servers " +"handed to <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. This might be helpful when there " +"are too many servers discovered using SRV record." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:377 +msgid "" +"The krb5_kdcinfo_lookahead option contains two numbers separated by a " +"colon. The first number represents number of primary servers used and the " +"second number specifies the number of backup servers." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:383 +msgid "" +"For example <emphasis>10:0</emphasis> means that up to 10 primary servers " +"will be handed to <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> but no backup servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:392 +msgid "Default: 3:1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:398 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:401 +msgid "" +"Specifies if the user principal should be treated as enterprise " +"principal. See section 5 of RFC 6806 for more details about enterprise " +"principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:407 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:410 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:419 +msgid "krb5_use_subdomain_realm (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:422 +msgid "" +"Specifies to use subdomains realms for the authentication of users from " +"trusted domains. 
This option can be set to 'true' if enterprise principals " +"are used with upnSuffixes which are not known on the parent domain KDCs. If " +"the option is set to 'true' SSSD will try to send the request directly to a " +"KDC of the trusted domain the user is coming from." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:438 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:453 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:458 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. " +"<quote>richard@REALM</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. 
See the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>, for " +"details on the configuration of an SSSD domain. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:485 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:493 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> " +"<replaceable>group</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> " +"<replaceable>netgroup</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> " +"<replaceable>service</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> " +"<replaceable>autofs-map</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> " +"<replaceable>hostname</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> " +"<replaceable>rule</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> " +"<replaceable>domain</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_cache.8.xml:224 +msgid "EFFECTS ON THE FAST MEMORY CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:226 +msgid "" +"<command>sss_cache</command> also invalidates the memory cache. Since the " +"memory cache is a file which is mapped into the memory of each process which " +"called SSSD to resolve users or groups the file cannot be truncated. A " +"special flag is set in the header of the file to indicate that the content " +"is invalid and then the file is unlinked by SSSD's NSS responder and a new " +"cache file is created. Whenever a process is now doing a new lookup for a " +"user or a group it will see the flag, close the old memory cache file and " +"map the new one into its memory. When all processes which had opened the old " +"memory cache file have closed it while looking up a user or a group the " +"kernel can release the occupied disk space and the old memory cache file is " +"finally removed completely." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:240 +msgid "" +"A special case is long running processes which are doing user or group " +"lookups only at startup, e.g. to determine the name of the user the process " +"is running as. For those lookups the memory cache file is mapped into the " +"memory of the process. But since there will be no further lookups this " +"process would never detect if the memory cache file was invalidated and " +"hence it will be kept in memory and will occupy disk space until the process " +"stops. As a result calling <command>sss_cache</command> might increase the " +"disk usage because old memory cache files cannot be removed from the disk " +"because they are still mapped by long running processes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:252 +msgid "" +"A possible work-around for long running processes which are looking up users " +"and groups only at startup or very rarely is to run them with the " +"environment variable SSS_NSS_USE_MEMCACHE set to \"NO\" so that they won't " +"use the memory cache at all and not map the memory cache file into the " +"memory. In general a better solution is to tune the cache timeout parameters " +"so that they meet the local expectations and calling " +"<command>sss_cache</command> is not needed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>NEW_DEBUG_LEVEL</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg choice='plain'>-D " +"<replaceable>DOMAIN</replaceable></arg> <arg choice='plain'>-n " +"<replaceable>USER</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> " +"<replaceable>DOMAIN</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. 
The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> " +"<replaceable>USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:76 +msgid "<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:88 +msgid "<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> " +"<replaceable>COMMENT</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. 
Often used as the field for the user's " +"full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> " +"<replaceable>HOME_DIR</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> " +"<replaceable>SHELL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> " +"<replaceable>PASS_FILE</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or " +"--password-file option) must be less than or equal to PASS_MAX bytes (64 " +"bytes on systems with no globally-defined PASS_MAX value)." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ifp.5.xml:43 +msgid "FIND BY VALID CERTIFICATE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ifp.5.xml:45 +msgid "" +"The following options can be used to control how the certificates are " +"validated when using the FindByValidCertificate() API:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ifp.5.xml:48 sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ifp.5.xml:49 sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ifp.5.xml:50 sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ifp.5.xml:52 +msgid "" +"For more details about the options see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:62 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:69 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:75 +msgid "Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:79 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:93 +msgid "" +"Specifies the comma-separated list of white or blacklisted attributes. 
This " +"option only applies to the <quote>Users</quote> interface. The deprecated " +"<quote>GetUserAttr</quote> interface does not utilize this option, it allows " +"any attribute requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:115 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:116 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:119 +msgid "gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:120 +msgid "primary group ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:123 +msgid "gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:124 +msgid "user information, typically full name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:127 +msgid "homeDirectory" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:131 +msgid "loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:132 +msgid "user shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:101 +msgid "" +"By default, the InfoPipe responder `/Users` interface only allows the " +"default set of POSIX attributes to be requested. This set is the same as " +"returned by <citerefentry> <refentrytitle>getpwnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> and includes: <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:147 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:137 +msgid "" +"It is possible to add another attribute to this set by using " +"<quote>+attr_name</quote> or explicitly remove an attribute using " +"<quote>-attr_name</quote>. Added attributes will be made available in the " +"<quote>extraAttributes</quote> array. For example, to allow " +"<quote>telephoneNumber</quote> but deny <quote>loginShell</quote>, you would " +"use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:151 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:161 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:166 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> " +"<firstname>Noam</firstname> <surname>Meltzer</surname> <affiliation> " +"<orgname>Primary Data Inc.</orgname> </affiliation> <contrib>Developer " +"(2013-2014)</contrib> </author> <author> <firstname>Noam</firstname> " +"<surname>Meltzer</surname> <contrib>Developer (2014-)</contrib> " +"<email>tsnoam@gmail.com</email> </author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at " +"<emphasis>/etc/idmapd.conf</emphasis>. See <citerefentry> " +"<refentrytitle>idmapd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:316 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> can be configured to use " +"<command>sss_ssh_authorizedkeys</command> for public key user authentication " +"if it is compiled with support for <quote>AuthorizedKeysCommand</quote> " +"option. Please refer to the <citerefentry> " +"<refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> man page for more details about this " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> can be configured to use it by " +"putting the following directives in <citerefentry> " +"<refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of " +"<filename>sssd.conf</filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in " +"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for details) or there is a " +"certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> or " +"<citerefentry><refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for details) and the certificate is " +"valid SSSD will extract the public key from the certificate and convert it " +"into the format expected by sshd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. 
it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> " +"<manvolnum>1</manvolnum></citerefentry> for details) it might be irritating " +"that authentication is still working even if the related X.509 certificate " +"on the Smartcard is already expired because neither <command>ssh</command> " +"nor <command>sshd</command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain " +"<replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is " +"returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhosts.1.xml:10 sss_ssh_knownhosts.1.xml:15 +msgid "sss_ssh_knownhosts" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhosts.1.xml:16 +msgid "get OpenSSH known hosts public keys" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhosts.1.xml:21 +msgid "" +"<command>sss_ssh_knownhosts</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhosts.1.xml:32 +msgid "" +"<command>sss_ssh_knownhosts</command> acquires SSH public keys for host " +"<replaceable>HOST</replaceable> and outputs them in OpenSSH known_hosts key " +"format (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhosts.1.xml:47 +#, no-wrap +msgid "" +" KnownHostsCommand /usr/bin/sss_ssh_knownhosts %H\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhosts.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> " +"<manvolnum>1</manvolnum></citerefentry> can be configured to use " +"<command>sss_ssh_knownhosts</command> for public key host authentication " +"using the <quote>KnownHostsCommand</quote> option: <placeholder " +"type=\"programlisting\" id=\"0\"/> Please refer to the <citerefentry> " +"<refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhosts.1.xml:54 +msgid "This tool requires that SSSD's ssh service is enabled to work properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhosts.1.xml:68 +msgid "" +"Search for host public keys in SSSD domain " +"<replaceable>DOMAIN</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhosts.1.xml:75 +msgid "<option>-o</option>,<option>--only-host-name</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhosts.1.xml:79 +msgid "" +"When the keys retrieved from the backend do not include the hostname, this " +"tool will add the unmodified hostname as provided by the caller. If this " +"flag is set, only the hostname (no port number) will be added to the keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_knownhosts.1.xml:91 +msgid "KEY RETRIEVAL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhosts.1.xml:93 +msgid "" +"The key lines retrieved from the backend are expected to respect the key " +"format as decribed in the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry>. However, returning only the keytype " +"and the key itself is tolerated, in which case, the hostname received as " +"parameter will be added before the keytype to output a correctly formatted " +"line. The hostname will be added unmodified or just the hostname (no port " +"number), depending on whether the " +"<option>-o</option>,<option>--only-host-name</option> option was provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhosts.1.xml:110 +#, no-wrap +msgid "" +" [canonical.host.name]:2222 <keytype> " +"<base64-encoded key>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhosts.1.xml:105 +msgid "" +"When the SSH server is listening on a non-default port, the backend MUST " +"provide the hostname including the port number in the correct format and " +"position as part of the key line. 
For example, the minimal key line would " +"be: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhosts.1.xml:118 +msgid "" +"In case of successful execution, even if no key was found for that host or " +"if the ssh responder could not be contacted, 0 is returned. 1 is returned " +"in case of any other error." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and " +"SIDs. No database is required in this case as the mapping is done by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = ads\n" +"workgroup = <AD-DOMAIN-SHORTNAME>\n" +"\n" +"idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" +"idmap config <AD-DOMAIN-SHORTNAME> : range = " +"200000-2147483647\n" +"\n" +"idmap config * : backend = tdb\n" +"idmap config * : range = 100000-199999\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:62 +msgid "" +"Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " +"the AD domain. If multiple AD domains should be used each domain needs an " +"<literal>idmap config</literal> line with <literal>backend = sss</literal> " +"and a line with a suitable <literal>range</literal>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:69 +msgid "" +"Since Winbind requires a writeable default backend and idmap_sss is " +"read-only the example includes <literal>backend = tdb</literal> as default." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg " +"choice='plain'><replaceable>COMMAND</replaceable></arg> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. 
In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND " +"--help</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:178 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:183 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> " +"</citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in a database, typically located " +"at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " +"survive KCM server restarts or machine reboots." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:67 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:72 +msgid "" +"The KCM default client idle timeout is 5 minutes, this allows more time for " +"user interaction with command line tools such as kinit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:78 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:88 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:80 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, The credentials cache name must be only <quote>KCM:</quote> " +"without any template expansions. For example: <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:93 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path " +"<replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure " +"the Kerberos library, change its <quote>kcm_socket</quote> option which is " +"described in the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:115 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:104 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry>. Unlike other SSSD services, it cannot be started by adding " +"the <quote>kcm</quote> string to the <quote>service</quote> directive. " +"<placeholder type=\"programlisting\" id=\"0\"/> Please note your " +"distribution may already configure the units for you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:124 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:126 +msgid "" +"The credential caches are stored in a database, much like SSSD caches user " +"or group entries. The database is typically located at " +"<quote>/var/lib/sss/secrets</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:133 +msgid "OBTAINING DEBUG LOGS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:144 +#, no-wrap +msgid "" +"[kcm]\n" +"debug_level = 10\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:149 sssd-kcm.8.xml:211 +#, no-wrap +msgid "" +"systemctl restart sssd-kcm.service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:135 +msgid "" +"The sssd-kcm service is typically socket-activated <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry>. 
To generate debug logs, add the following either to the " +"<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " +"snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " +"type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " +"<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever " +"use-case doesn't work for you. The KCM logs will be generated at " +"<filename>/var/log/sssd/sssd_kcm.log</filename>. It is recommended to " +"disable the debug logs when you no longer need the debugging to be enabled " +"as the sssd-kcm service can generate quite a large amount of debugging " +"information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:159 +msgid "" +"Please note that configuration snippets are, at the moment, only processed " +"if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " +"exists at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:166 +msgid "RENEWALS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:174 +#, no-wrap +msgid "" +"tgt_renewal = true\n" +"krb5_renew_interval = 60m\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:168 +msgid "" +"The sssd-kcm service can be configured to attempt TGT renewal for renewable " +"TGTs stored in the KCM ccache. Renewals are only attempted when half of the " +"ticket lifetime has been reached. KCM Renewals are configured when the " +"following options are set in the [kcm] section: <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:179 +msgid "SSSD can also inherit krb5 options for renewals from an existing domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-kcm.8.xml:183 +#, no-wrap +msgid "" +"tgt_renewal = true\n" +"tgt_renewal_inherit = domain-name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:191 +#, no-wrap +msgid "" +"krb5_renew_interval\n" +"krb5_renewable_lifetime\n" +"krb5_lifetime\n" +"krb5_validate\n" +"krb5_canonicalize\n" +"krb5_auth_timeout\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:187 +msgid "" +"The following krb5 options can be configured in the [kcm] section to control " +"renewal behavior, these options are described in detail below <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:204 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the " +"sssd.conf file. Please note that because the KCM service is typically " +"socket-activated, it is enough to just restart the <quote>sssd-kcm</quote> " +"service after changing options in the <quote>kcm</quote> section of " +"sssd.conf: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:215 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> For a detailed " +"syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:223 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. 
Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for a complete list. In " +"addition, there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:234 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:237 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:240 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:243 +msgid "" +"<phrase condition=\"have_systemd\"> Note: on platforms where systemd is " +"supported, the socket path is overwritten by the one defined in the " +"sssd-kcm.socket unit file. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:252 +msgid "max_ccaches (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:255 +msgid "How many credential caches does the KCM database allow for all users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:259 +msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:264 +msgid "max_uid_ccaches (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:267 +msgid "" +"How many credential caches does the KCM database allow per UID. This is " +"equivalent to <quote>with how many principals you can kinit</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:272 +msgid "Default: 64" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:277 +msgid "max_ccache_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:280 +msgid "" +"How big can a credential cache be per ccache. Each service ticket accounts " +"into this quota." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:284 +msgid "Default: 65536" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:289 +msgid "tgt_renewal (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:292 +msgid "Enables TGT renewals functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:295 +msgid "Default: False (Automatic renewals disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:300 +msgid "tgt_renewal_inherit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:303 +msgid "Domain to inherit krb5_* options from, for use with TGT renewals." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:307 +msgid "Default: NULL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:318 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in " +"/usr/share/systemtap/tapset/sssd.stp and " +"/usr/share/systemtap/tapset/sssd_functions.stp respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"attrs:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:161 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:164 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:176 +msgid "probe sdap_parse_entry" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:179 +msgid "" +"Probes the sdap_parse_entry() function. It is called repeatedly with every " +"received attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:184 +#, no-wrap +msgid "" +"attr:string\n" +"value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:190 +msgid "probe sdap_parse_entry_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:193 +msgid "" +"Probes the sdap_parse_entry() function. It is called when parsing of " +"received object is finished." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:201 +msgid "probe sdap_deref_send" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:204 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:208 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:215 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:218 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:234 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:238 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:241 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:253 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:256 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:272 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:276 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:279 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 +#: sssd-systemtap.5.xml:319 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:288 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:291 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:300 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:303 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:312 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:315 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:328 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:332 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:335 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:338 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "A Data Provider request is completed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:352 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:365 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:372 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:375 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:380 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:384 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:389 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:392 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:397 +msgid "function dp_method_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:400 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:410 +msgid "SAMPLE SYSTEMTAP SCRIPTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:412 +msgid "" +"Start the SystemTap script (<command>stap " +"/usr/share/sssd/systemtap/<script_name>.stp</command>), then perform " +"an identity operation and the script will collect information from probes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:418 +msgid "Provided SystemTap scripts are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:422 +msgid "dp_request.stp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:425 +msgid "Monitoring of data provider request performance." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:430 +msgid "id_perf.stp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:433 +msgid "Monitoring of <command>id</command> command performance." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:439 +msgid "ldap_perf.stp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:442 +msgid "Monitoring of LDAP queries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:447 +msgid "nested_group_perf.stp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:450 +msgid "Performance of nested groups resolving." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 +msgid "sssd-ldap-attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap-attributes.5.xml:17 +msgid "SSSD LDAP Provider: Mapping Attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap-attributes.5.xml:23 +msgid "" +"This manual page describes the mapping attributes of SSSD LDAP provider " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. Refer to the <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page for full details about SSSD LDAP provider " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:38 +msgid "USER ATTRIBUTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:42 +msgid "ldap_user_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:45 +msgid "The object class of a user entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:48 +msgid "Default: posixAccount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:54 +msgid "ldap_user_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:57 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:61 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:68 +msgid "ldap_user_uid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:71 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:75 +msgid "Default: uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:81 +msgid "ldap_user_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:84 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:700 +msgid "Default: gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:94 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:97 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the " +"<quote>ldap</quote> provider with ID mapping." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:103 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:109 +msgid "ldap_user_gecos (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:112 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:116 +msgid "Default: gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:122 +msgid "ldap_user_home_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:125 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:129 +msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:135 +msgid "ldap_user_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:138 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:142 +msgid "Default: loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:148 +msgid "ldap_user_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:151 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:726 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:162 +msgid "ldap_user_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:165 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:741 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:177 +msgid "ldap_user_modify_timestamp (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:751 +#: sssd-ldap-attributes.5.xml:874 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:755 +#: sssd-ldap-attributes.5.xml:881 +msgid "Default: modifyTimestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:190 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:193 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (date of the last password change)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:203 +msgid "Default: shadowLastChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:209 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:212 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (minimum password age)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:221 +msgid "Default: shadowMin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:227 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:230 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (maximum password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:239 +msgid "Default: shadowMax" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:245 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:248 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (password warning period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:258 +msgid "Default: shadowWarning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:264 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:267 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (password inactivity period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:277 +msgid "Default: shadowInactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:283 +msgid "ldap_user_shadow_expire (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:286 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> counterpart (account expiration " +"date)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:296 +msgid "Default: shadowExpire" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:302 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:305 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:311 +msgid "Default: krbLastPwdChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:317 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:320 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:326 +msgid "Default: krbPasswordExpiration" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:332 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:335 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:340 +msgid "Default: accountExpires" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:346 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:349 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:354 +msgid "Default: userAccountControl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:360 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:363 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:368 +msgid "Default: nsAccountLock" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:374 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:377 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 +msgid "Default: loginDisabled" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:387 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:390 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:401 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:404 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:409 +msgid "Default: loginAllowedTimeMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:415 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:418 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:422 +msgid "Default: krbPrincipalName" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:428 +msgid "ldap_user_extra_attrs (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:431 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:436 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP " +"schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:446 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:456 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:459 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:463 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:466 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>phone</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:476 +msgid "ldap_user_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:479 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:965 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:489 +msgid "ldap_user_fullname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:492 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:502 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:505 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:952 +msgid "Default: memberOf" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:515 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:518 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:525 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:530 +msgid "" +"Please note that the ldap_access_order configuration option " +"<emphasis>must</emphasis> include <quote>authorized_service</quote> in order " +"for the ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:537 +msgid "" +"Some distributions (such as Fedora-29+ or RHEL-8) always include the " +"<quote>systemd-user</quote> PAM service as part of the login " +"process. Therefore when using service-based access control, the " +"<quote>systemd-user</quote> service might need to be added to the list of " +"allowed services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:545 +msgid "Default: authorizedService" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:551 +msgid "ldap_user_authorized_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:554 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:560 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:565 +msgid "" +"Please note that the ldap_access_order configuration option " +"<emphasis>must</emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:572 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:578 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:581 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:588 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:593 +msgid "" +"Please note that the ldap_access_order configuration option " +"<emphasis>must</emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:600 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:606 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:609 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:613 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:619 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:622 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:626 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. This option allows users to login by (1) username, and (2) " +"e-mail address. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:637 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:642 +msgid "ldap_user_passkey (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:645 +msgid "Name of the LDAP attribute containing the passkey mapping data of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:649 +msgid "Default: passkey (LDAP), ipaPassKey (IPA), altSecurityIdentities (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:659 +msgid "GROUP ATTRIBUTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:663 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:666 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:669 +msgid "Default: posixGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:675 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:678 +msgid "" +"The LDAP attribute that corresponds to the group name. In an environment " +"with nested groups, this value must be an LDAP attribute which has a unique " +"name for every group. This requirement includes non-POSIX groups in the tree " +"of nested groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:686 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:693 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:696 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:706 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:709 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:713 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:719 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:722 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:733 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:736 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:748 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:761 +msgid "ldap_group_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:764 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:769 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:775 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:782 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:785 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:791 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:801 +msgid "NETGROUP ATTRIBUTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:805 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:808 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:811 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:815 +msgid "Default: nisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:821 +msgid "ldap_netgroup_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:824 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:828 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:838 +msgid "ldap_netgroup_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:841 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:845 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:849 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:855 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:858 +msgid "The LDAP attribute that contains the (host, user, domain) netgroup triples." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:862 sssd-ldap-attributes.5.xml:878 +msgid "This option is not available in IPA provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:865 +msgid "Default: nisNetgroupTriple" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:871 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:890 +msgid "HOST ATTRIBUTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:894 +msgid "ldap_host_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:897 +msgid "The object class of a host entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:900 sssd-ldap-attributes.5.xml:997 +msgid "Default: ipService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:906 +msgid "ldap_host_name (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:909 sssd-ldap-attributes.5.xml:935 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:919 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:922 +msgid "" +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:926 +msgid "Default: fqdn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:932 +msgid "ldap_host_serverhostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:939 +msgid "Default: serverHostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:945 +msgid "ldap_host_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:948 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:958 +msgid "ldap_host_ssh_public_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:961 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:971 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:974 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:987 +msgid "SERVICE ATTRIBUTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:991 +msgid "ldap_service_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:994 +msgid "The object class of a service entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1003 +msgid "ldap_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1006 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1016 +msgid "ldap_service_port (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1019 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1023 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1029 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1032 +msgid "The LDAP attribute that contains the protocols understood by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1036 +msgid "Default: ipServiceProtocol" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap-attributes.5.xml:1045 +msgid "SUDO ATTRIBUTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1049 +msgid "ldap_sudorule_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1052 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1055 +msgid "Default: sudoRole" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1061 +msgid "ldap_sudorule_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1064 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1074 +msgid "ldap_sudorule_command (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1077 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1081 +msgid "Default: sudoCommand" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1087 +msgid "ldap_sudorule_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1090 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1095 +msgid "Default: sudoHost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1101 +msgid "ldap_sudorule_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1104 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1108 +msgid "Default: sudoUser" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1114 +msgid "ldap_sudorule_option (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1117 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1121 +msgid "Default: sudoOption" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1127 +msgid "ldap_sudorule_runasuser (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1130 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1134 +msgid "Default: sudoRunAsUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1140 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1143 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1147 +msgid "Default: sudoRunAsGroup" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1153 +msgid "ldap_sudorule_notbefore (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1156 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1160 +msgid "Default: sudoNotBefore" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1166 +msgid "ldap_sudorule_notafter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1169 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1174 +msgid "Default: sudoNotAfter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap-attributes.5.xml:1180 +msgid "ldap_sudorule_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1183 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap-attributes.5.xml:1187 +msgid "Default: sudoOrder" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap-attributes.5.xml:1196
+msgid "AUTOFS ATTRIBUTES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap-attributes.5.xml:1203
+msgid "IP HOST ATTRIBUTES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1207
+msgid "ldap_iphost_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1210
+msgid "The object class of an iphost entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1213
+msgid "Default: ipHost"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1219
+msgid "ldap_iphost_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1222
+msgid ""
+"The LDAP attribute that contains the name of the IP host attributes and "
+"their aliases."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1232
+msgid "ldap_iphost_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1235
+msgid "The LDAP attribute that contains the IP host address."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1239
+msgid "Default: ipHostNumber"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap-attributes.5.xml:1248
+msgid "IP NETWORK ATTRIBUTES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1252
+msgid "ldap_ipnetwork_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1255
+msgid "The object class of an ipnetwork entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1258
+msgid "Default: ipNetwork"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1264
+msgid "ldap_ipnetwork_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1267
+msgid ""
+"The LDAP attribute that contains the name of the IP network attributes and "
+"their aliases."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1277
+msgid "ldap_ipnetwork_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1280
+msgid "The LDAP attribute that contains the IP network address."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1284
+msgid "Default: ipNetworkNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap-attributes.5.xml:1293
+msgid "SUBID ATTRIBUTES"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1297
+msgid "ldap_subuid_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1300
+msgid "The object class of an subid entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1303
+msgid "Default: subordinateIdEntry"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1309
+msgid "ldap_subuid_count (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1312
+msgid "Subordinate user ID count (range size)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1315
+msgid "Default: subUidCount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1321
+msgid "ldap_subgid_count (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1324
+msgid "Subordinate group ID count (range size)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1327
+msgid "Default: subGidCount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1333
+msgid "ldap_subuid_number (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1336
+msgid "Numerical subordinate user ID (range start value)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1339
+msgid "Default: subUidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1345
+msgid "ldap_subgid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1348
+msgid "Numerical subordinate group ID (range start value)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1351
+msgid "Default: subGidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap-attributes.5.xml:1357
+msgid "ldap_subid_range_owner (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1360
+msgid "Owner of an entry"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap-attributes.5.xml:1363
+msgid "Default: subidRangeOwner"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd_krb5_localauth_plugin.8.xml:10 sssd_krb5_localauth_plugin.8.xml:15
+msgid "sssd_krb5_localauth_plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd_krb5_localauth_plugin.8.xml:16
+msgid "Kerberos local authorization plugin"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_localauth_plugin.8.xml:22
+msgid ""
+"The Kerberos local authorization plugin "
+"<command>sssd_krb5_localauth_plugin</command> is used by libkrb5 to either "
+"find the local name for a given Kerberos principal or to check if a given "
+"local name and a given Kerberos principal relate to each other."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_localauth_plugin.8.xml:29
+msgid ""
+"SSSD handles the local names for users from a remote source and can read the "
+"Kerberos user principal name from the remote source as well. With this "
+"information SSSD can easily handle the mappings mentioned above even if the "
+"local name and the Kerberos principal differ considerably."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_localauth_plugin.8.xml:36
+msgid ""
+"Additionally with the information read from the remote source SSSD can help "
+"to prevent unexpected or unwanted mappings in case the user part of the "
+"Kerberos principal accidentally corresponds to a local name of a different "
+"user. By default libkrb5 might just strip the realm part of the Kerberos "
+"principal to get the local name which would lead to wrong mappings in this "
+"case."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd_krb5_localauth_plugin.8.xml:46
+msgid "CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd_krb5_localauth_plugin.8.xml:56
+#, no-wrap
+msgid ""
+"[plugins]\n"
+" localauth = {\n"
+" module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so\n"
+" }\n"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_localauth_plugin.8.xml:48
+msgid ""
+"The Kerberos local authorization plugin must be enabled explicitly in the "
+"Kerberos configuration, see <citerefentry> "
+"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> "
+"</citerefentry>. SSSD will create a config snippet with the content like "
+"e.g. <placeholder type=\"programlisting\" id=\"0\"/> automatically in the "
+"SSSD's public Kerberos configuration snippet directory. If this directory is "
+"included in the local Kerberos configuration the plugin will be enabled "
+"automatically."
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><term>
+#: include/autofs_attributes.xml:3
+msgid "ldap_autofs_map_object_class (string)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:6
+msgid "The object class of an automount map entry in LDAP."
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:9
+msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><term>
+#: include/autofs_attributes.xml:16
+msgid "ldap_autofs_map_name (string)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:19
+msgid "The name of an automount map entry in LDAP."
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:22
+msgid ""
+"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise "
+"automountMapName"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><term>
+#: include/autofs_attributes.xml:29
+msgid "ldap_autofs_entry_object_class (string)"
+msgstr ""
+
+#. 
type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:32
+msgid ""
+"The object class of an automount entry in LDAP. The entry usually "
+"corresponds to a mount point."
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:37
+msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><term>
+#: include/autofs_attributes.xml:44
+msgid "ldap_autofs_entry_key (string)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61
+msgid ""
+"The key of an automount entry in LDAP. The entry usually corresponds to a "
+"mount point."
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:51
+msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><term>
+#: include/autofs_attributes.xml:58
+msgid "ldap_autofs_entry_value (string)"
+msgstr ""
+
+#. type: Content of: <variablelist><varlistentry><listitem><para>
+#: include/autofs_attributes.xml:65
+msgid ""
+"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+"automountInformation"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/service_discovery.xml:2
+msgid "SERVICE DISCOVERY"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/service_discovery.xml:4
+msgid ""
+"The service discovery feature allows back ends to automatically find the "
+"appropriate servers to connect to using a special DNS query. This feature is "
+"not supported for backup servers."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99
+msgid "Configuration"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:11
+msgid ""
+"If no servers are specified, the back end automatically uses service "
+"discovery to try to find a server. Optionally, the user may choose to use "
+"both fixed server addresses and service discovery by inserting a special "
+"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
+"preference is maintained. This feature is useful if, for example, the user "
+"prefers to use service discovery whenever possible, and fall back to a "
+"specific server when no servers can be discovered using DNS."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:23
+msgid "The domain name"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:25
+msgid ""
+"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page for more details."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:35
+msgid "The protocol"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:37
+msgid ""
+"The queries usually specify _tcp as the protocol. Exceptions are documented "
+"in respective option description."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:42
+msgid "See Also"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:44
+msgid "For more information on the service discovery mechanism, refer to RFC 2782."
+msgstr ""
+
+#. type: Content of: <refentryinfo>
+#: include/upstream.xml:2
+msgid ""
+"<productname>SSSD</productname> <orgname>The SSSD upstream - "
+"https://github.com/SSSD/sssd/</orgname>"
+msgstr ""
+
+#. type: Content of: outside any tag (error?) 
+#: include/upstream.xml:1
+msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/failover.xml:2
+msgid "FAILOVER"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/failover.xml:4
+msgid ""
+"The failover feature allows back ends to automatically switch to a different "
+"server if the current server fails."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:8
+msgid "Failover Syntax"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:10
+msgid ""
+"The list of servers is given as a comma-separated list; any number of spaces "
+"is allowed around the comma. The servers are listed in order of "
+"preference. The list can contain any number of servers."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:16
+msgid ""
+"For each failover-enabled config option, two variants exist: "
+"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is "
+"that servers in the primary list are preferred and backup servers are only "
+"searched if no primary servers can be reached. If a backup server is "
+"selected, a timeout of 31 seconds is set. After this timeout SSSD will "
+"periodically try to reconnect to one of the primary servers. If it succeeds, "
+"it will replace the current active (backup) server."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:27
+msgid "The Failover Mechanism"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:29
+msgid ""
+"The failover mechanism distinguishes between a machine and a service. The "
+"back end first tries to resolve the hostname of a given machine; if this "
+"resolution attempt fails, the machine is considered offline. No further "
+"attempts are made to connect to this machine for any other service. 
If the "
+"resolution attempt succeeds, the back end tries to connect to a service on "
+"this machine. If the service connection attempt fails, then only this "
+"particular service is considered offline and the back end automatically "
+"switches over to the next service. The machine is still considered online "
+"and might still be tried for another service."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:42
+msgid ""
+"Further connection attempts are made to machines or services marked as "
+"offline after a specified period of time; this is currently hard coded to 30 "
+"seconds."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:47
+msgid ""
+"If there are no more machines to try, the back end as a whole switches to "
+"offline mode, and then attempts to reconnect every 30 seconds."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:53
+msgid "Failover time outs and tuning"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:55
+msgid ""
+"Resolving a server to connect to can be as simple as running a single DNS "
+"query or can involve several steps, such as finding the correct site or "
+"trying out multiple host names in case some of the configured servers are "
+"not reachable. The more complex scenarios can take some time and SSSD needs "
+"to balance between providing enough time to finish the resolution process "
+"but on the other hand, not trying for too long before falling back to "
+"offline mode. If the SSSD debug logs show that the server resolution is "
+"timing out before a live server is contacted, you can consider changing the "
+"time outs."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:76
+msgid "dns_resolver_server_timeout"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:80
+msgid ""
+"Time in milliseconds that sets how long would SSSD talk to a single DNS "
+"server before trying next one."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:90
+msgid "dns_resolver_op_timeout"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:94
+msgid ""
+"Time in seconds to tell how long would SSSD try to resolve single DNS query "
+"(e.g. resolution of a hostname or an SRV record) before trying the next "
+"hostname or discovery domain."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:106
+msgid "dns_resolver_timeout"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:110
+msgid ""
+"How long would SSSD try to resolve a failover service. This service "
+"resolution internally might include several steps, such as resolving DNS SRV "
+"queries or locating the site."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:67
+msgid ""
+"This section lists the available tunables. Please refer to their description "
+"in the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> "
+"</citerefentry>, manual page. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:123
+msgid ""
+"For LDAP-based providers, the resolve operation is performed as part of an "
+"LDAP connection operation. 
Therefore, also the "
+"<quote>ldap_opt_timeout</quote> timeout should be set to a larger value than "
+"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger "
+"value than <quote>dns_resolver_op_timeout</quote> which should be larger "
+"than <quote>dns_resolver_server_timeout</quote>."
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ldap_id_mapping.xml:2
+msgid "ID MAPPING"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:4
+msgid ""
+"The ID-mapping feature allows SSSD to act as a client of Active Directory "
+"without requiring administrators to extend user attributes to support POSIX "
+"attributes for user and group identifiers."
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:9
+msgid ""
+"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are "
+"ignored. This is to avoid the possibility of conflicts between "
+"automatically-assigned and manually-assigned values. If you need to use "
+"manually-assigned values, ALL values must be manually-assigned."
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:16
+msgid ""
+"Please note that changing the ID mapping related configuration options will "
+"cause user and group IDs to change. At the moment, SSSD does not support "
+"changing IDs, so the SSSD database must be removed. Because cached passwords "
+"are also stored in the database, removing the database should only be "
+"performed while the authentication servers are reachable, otherwise users "
+"might get locked out. In order to cache the password, an authentication must "
+"be performed. It is not sufficient to use <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> to remove the database, rather the process consists of:"
+msgstr ""
+
+#. 
type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:33
+msgid "Making sure the remote servers are reachable"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:38
+msgid "Stopping the SSSD service"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:43
+msgid "Removing the database"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:48
+msgid "Starting the SSSD service"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:52
+msgid ""
+"Moreover, as the change of IDs might necessitate the adjustment of other "
+"system properties such as file and directory ownership, it's advisable to "
+"plan ahead and test the ID mapping configuration thoroughly."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ldap_id_mapping.xml:59
+msgid "Mapping Algorithm"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:61
+msgid ""
+"Active Directory provides an objectSID for every user and group object in "
+"the directory. This objectSID can be broken up into components that "
+"represent the Active Directory domain identity and the relative identifier "
+"(RID) of the user or group object."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:67
+msgid ""
+"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it "
+"into equally-sized component sections - called \"slices\". Each slice "
+"represents the space available to an Active Directory domain."
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:73
+msgid ""
+"When a user or group entry for a particular domain is encountered for the "
+"first time, the SSSD allocates one of the available slices for that "
+"domain. In order to make this slice-assignment repeatable on different "
+"client machines, we select the slice based on the following algorithm:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:80
+msgid ""
+"The SID string is passed through the murmurhash3 algorithm to convert it to "
+"a 32-bit hashed value. We then take the modulus of this value with the total "
+"number of available slices to pick the slice."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:86
+msgid ""
+"NOTE: It is possible to encounter collisions in the hash and subsequent "
+"modulus. In these situations, we will select the next available slice, but "
+"it may not be possible to reproduce the same exact set of slices on other "
+"machines (since the order that they are encountered will determine their "
+"slice). In this situation, it is recommended to either switch to using "
+"explicit POSIX attributes in Active Directory (disabling ID-mapping) or "
+"configure a default domain to guarantee that at least one is always "
+"consistent. See <quote>Configuration</quote> for details."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:101
+msgid "Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><programlisting>
+#: include/ldap_id_mapping.xml:106
+#, no-wrap
+msgid ""
+"ldap_id_mapping = True\n"
+"ldap_schema = ad\n"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:111
+msgid ""
+"The default configuration results in configuring 10,000 slices, each capable "
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><title>
+#: include/ldap_id_mapping.xml:117
+msgid "Advanced Configuration"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:120
+msgid "ldap_idmap_range_min (integer)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:123
+msgid ""
+"Specifies the lower (inclusive) bound of the range of POSIX IDs to use for "
+"mapping Active Directory user and group SIDs. It is the first POSIX ID which "
+"can be used for the mapping."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:129
+msgid ""
+"NOTE: This option is different from <quote>min_id</quote> in that "
+"<quote>min_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. This is a subtle "
+"distinction, but the good general advice would be to have "
+"<quote>min_id</quote> be less-than or equal to "
+"<quote>ldap_idmap_range_min</quote>"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:144
+msgid "ldap_idmap_range_max (integer)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:147
+msgid ""
+"Specifies the upper (exclusive) bound of the range of POSIX IDs to use for "
+"mapping Active Directory user and group SIDs. 
It is the first POSIX ID which "
+"cannot be used for the mapping anymore, i.e. one larger than the last one "
+"which can be used for the mapping."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:155
+msgid ""
+"NOTE: This option is different from <quote>max_id</quote> in that "
+"<quote>max_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. This is a subtle "
+"distinction, but the good general advice would be to have "
+"<quote>max_id</quote> be greater-than or equal to "
+"<quote>ldap_idmap_range_max</quote>"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:170
+msgid "ldap_idmap_range_size (integer)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:173
+msgid ""
+"Specifies the number of IDs available for each slice. If the range size "
+"does not divide evenly into the min and max values, it will create as many "
+"complete slices as it can."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:179
+msgid ""
+"NOTE: The value of this option must be at least as large as the highest user "
+"RID planned for use on the Active Directory server. User lookups and login "
+"will fail for any user whose RID is greater than this value."
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:185
+msgid ""
+"For example, if your most recently-added Active Directory user has "
+"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, "
+"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is "
+"equal to maximal RID minus minimal RID plus one (e.g. 1108 = 1107 - 0 + 1)."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:192
+msgid ""
+"It is important to plan ahead for future expansion, as changing this value "
+"will result in changing all of the ID mappings on the system, leading to "
+"users with different local IDs than they previously had."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:202
+msgid "ldap_idmap_default_domain_sid (string)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:205
+msgid ""
+"Specify the domain SID of the default domain. This will guarantee that this "
+"domain will always be assigned to slice zero in the ID map, bypassing the "
+"murmurhash algorithm described above."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:216
+msgid "ldap_idmap_default_domain (string)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:219
+msgid "Specify the name of the default domain."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:227
+msgid "ldap_idmap_autorid_compat (boolean)"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:230
+msgid ""
+"Changes the behavior of the ID-mapping algorithm to behave more similarly to "
+"winbind's <quote>idmap_autorid</quote> algorithm."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:235
+msgid ""
+"When this option is configured, domains will be allocated starting with "
+"slice zero and increasing monotonically with each additional domain."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:240
+msgid ""
+"NOTE: This algorithm is non-deterministic (it depends on the order that "
+"users and groups are requested). If this mode is required for compatibility "
+"with machines running winbind, it is recommended to also use the "
+"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at "
+"least one domain is consistently allocated to slice zero."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:255
+msgid "ldap_idmap_helper_table_size (integer)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:258
+msgid ""
+"Maximal number of secondary slices that is tried when performing mapping "
+"from UNIX id to SID."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:262
+msgid ""
+"Note: Additional secondary slices might be generated when SID is being "
+"mapped to UNIX id and RID part of SID is out of range for secondary slices "
+"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 "
+"then no additional secondary slices are generated."
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:279 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:287 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:290 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:291 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:292 +msgid "Local Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:293 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:294 +msgid "Mandatory Label Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:295 +msgid "Authentication Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:296 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:297 +msgid "Built-in" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:299 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:303 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, " +"<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION " +"AUTHORITY</quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> " +"should not be used as domain names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal " +"failures. Anything that would prevent SSSD from starting up or causes it to " +"cease running." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of " +"2." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of " +"function-internal variables that may be interesting." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x20000</emphasis>: Performance and " +"statistical data, please note that due to the way requests are processed " +"internally the logged execution time of a request might be longer than it " +"actually was." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:88 include/debug_levels_tools.xml:62 +msgid "" +"<emphasis>10</emphasis>, <emphasis>0x10000</emphasis>: Even more low-level " +"libldb tracing information. Almost never really required." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:93 include/debug_levels_tools.xml:67 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:97 include/debug_levels_tools.xml:71 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:101 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:106 include/debug_levels_tools.xml:80 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:110 include/debug_levels_tools.xml:84 +msgid "" +"<emphasis>Default</emphasis>: 0x0070 (i.e. fatal, critical and serious " +"failures; corresponds to setting 2 in decimal notation)" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with " +"<quote>id_provider=local</quote> must be created and the SSSD must be " +"running." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap-attributes</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ipa</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, <phrase condition=\"with_idp_provider\"> <citerefentry> " +"<refentrytitle>sssd-idp</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>, </phrase> <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>, </phrase> <citerefentry> " +"<refentrytitle>sssd-session-recording</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " 
+"<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <phrase condition=\"with_ssh\"> <citerefentry> " +"<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> " +"<manvolnum>1</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhosts</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry>, </phrase> <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> </phrase>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" + +#. type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". 
The scope " +"functions as specified in section 4.5.1.2 of " +"http://tools.ietf.org/html/rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the " +"<quote>ldap_search_base</quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:38 +msgid "The homedir value that is defined in the directory of the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:42 +msgid "" +"This substitution is designed to be used in an IPA-AD trust scenario. If " +"this substitution is used for the <emphasis>subdomain_homedir</emphasis> " +"option, it propagates the home directory value from the AD domain to the IPA " +"clients. In this scenario, the option must be set in the SSSD configuration " +"on the IPA server where SSSD is running in server mode." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:55 +msgid "" +"The path defined for the homedir directory attribute of the identity " +"provider, but in lower case. For details of use, see " +"<emphasis>%o</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:61 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:63 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:75 +msgid "This option can also be set per-domain." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:80 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:84 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:88 +msgid "" +"Please note, the home directory from a specific override for the user, " +"either locally (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry>) or centrally managed IPA " +"id-overrides, has a higher precedence and will be used instead of the value " +"given by override_homedir." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. 
A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 +msgid "ldap_force_upper_case_realm = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:38 +msgid "ldap_id_mapping = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:43 +msgid "ldap_sasl_mech = GSS-SPNEGO" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:48 +msgid "ldap_referrals = false" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 +msgid "ldap_use_tokengroups = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:63 +msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:66 +msgid "" +"The AD provider looks for a different principal than the LDAP provider by " +"default, because in an Active Directory environment the principals are " +"divided into two groups - User Principals and Service Principals. Only User " +"Principal can be used to obtain a TGT and by default, computer object's " +"principal is constructed from its sAMAccountName and the AD realm. The " +"well-known host/hostname@REALM principal is a Service Principal and thus " +"cannot be used to get a TGT with." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:80 +msgid "NSS configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:84 +msgid "fallback_homedir = /home/%d/%u" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:87 +msgid "" +"The AD provider automatically sets \"fallback_homedir = /home/%d/%u\" to " +"provide personal home directories for users without the homeDirectory " +"attribute. 
If your AD Domain is properly populated with Posix attributes, " +"and you want to avoid this fallback behavior, you can explicitly set " +"\"fallback_homedir = %o\"." +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:96 +msgid "" +"Note that the system typically expects a home directory in /home/%u " +"folder. If you decide to use a different directory structure, some other " +"parts of your system may need adjustments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:102 +msgid "" +"For example automated creation of home directories in combination with " +"selinux requires selinux adjustment, otherwise the home directory will be " +"created with wrong selinux context." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ipa_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and IPA provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:18 +msgid "krb5_use_fast = try" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:23 +msgid "krb5_canonicalize = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:29 +msgid "LDAP Provider - General" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:33 +msgid "ldap_schema = ipa_v1" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:43 +msgid "ldap_sasl_mech = GSSAPI" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:48 +msgid "ldap_sasl_minssf = 56" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ipa" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:64 +msgid "LDAP Provider - User options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:68 +msgid "ldap_user_member_of = memberOf" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:73 +msgid "ldap_user_uuid = ipaUniqueID" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:78 +msgid "ldap_user_ssh_public_key = ipaSshPubKey" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:83 +msgid "ldap_user_auth_type = ipaUserAuthType" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:89 +msgid "LDAP Provider - Group options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:93 +msgid "ldap_group_object_class = ipaUserGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:98 +msgid "ldap_group_object_class_alt = posixGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:103 +msgid "ldap_group_member = member" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:108 +msgid "ldap_group_uuid = ipaUniqueID" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:113 +msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:118 +msgid "ldap_group_external_member = ipaExternalMember" +msgstr "" + +#. type: Content of: <variablelist><varlistentry><term> +#: include/krb5_options.xml:3 +msgid "krb5_auth_timeout (integer)" +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:6 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <variablelist><varlistentry><term> +#: include/krb5_options.xml:17 +msgid "krb5_validate (boolean)" +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:20 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:29 +msgid "Default: false (IPA and AD provider: true)" +msgstr "" + +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:32 +msgid "" +"Please note that the ticket validation is the first step when checking the " +"PAC (see 'pac_check' in the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page for details). If ticket validation is disabled " +"the PAC checks will be skipped as well." +msgstr "" + +#. type: Content of: <variablelist><varlistentry><term> +#: include/krb5_options.xml:44 +msgid "krb5_renewable_lifetime (string)" +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:47 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:52 include/krb5_options.xml:86 +#: include/krb5_options.xml:123 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:55 include/krb5_options.xml:89 +#: include/krb5_options.xml:126 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:58 include/krb5_options.xml:92 +#: include/krb5_options.xml:129 +msgid "<emphasis>h</emphasis> for hours" +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:61 include/krb5_options.xml:95 +#: include/krb5_options.xml:132 +msgid "<emphasis>d</emphasis> for days." +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:64 include/krb5_options.xml:135 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:68 include/krb5_options.xml:139 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:73 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "" + +#. type: Content of: <variablelist><varlistentry><term> +#: include/krb5_options.xml:79 +msgid "krb5_lifetime (string)" +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:82 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:98 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:102 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:107 +msgid "Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" + +#. type: Content of: <variablelist><varlistentry><term> +#: include/krb5_options.xml:114 +msgid "krb5_renew_interval (string)" +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:117 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. 
type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:144 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" + +#. type: Content of: <variablelist><varlistentry><listitem><para> +#: include/krb5_options.xml:157 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr ""