We have to repeat the whole rule block, because our libc does not support
operator | in basic regexps.
See https://github.com/SSSD/sssd/pull/8227#issuecomment-3567972723

--- src/config/cfg_rules.ini.orig	2026-01-14 15:01:42 UTC
+++ src/config/cfg_rules.ini
@@ -340,7 +340,464 @@ validator = ini_allowed_options
 
 [rule/allowed_domain_options]
 validator = ini_allowed_options
-section_re = ^\(domain\|application\)/[^/]\{1,\}$
+section_re = ^domain/[^/]\{1,\}$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_backtrace_enabled
+option = command
+option = fd_limit
+option = client_idle_timeout
+option = description
+
+#Available provider types
+option = id_provider
+option = auth_provider
+option = access_provider
+option = chpass_provider
+option = sudo_provider
+option = autofs_provider
+option = hostid_provider
+option = subdomains_provider
+option = selinux_provider
+option = session_provider
+option = resolver_provider
+
+# Options available to all domains
+option = enabled
+option = domain_type
+option = min_id
+option = max_id
+option = timeout
+option = enumerate
+option = offline_timeout
+option = offline_timeout_max
+option = offline_timeout_random_offset
+option = cache_credentials
+option = cache_credentials_minimal_first_factor_length
+option = use_fully_qualified_names
+option = ignore_group_members
+option = entry_cache_timeout
+option = lookup_family_order
+option = account_cache_expiration
+option = pwd_expiration_warning
+option = filter_users
+option = filter_groups
+option = dns_resolver_server_timeout
+option = dns_resolver_op_timeout
+option = dns_resolver_timeout
+option = dns_resolver_use_search_list
+option = dns_discovery_domain
+option = failover_primary_timeout
+option = override_gid
+option = case_sensitive
+option = override_homedir
+option = fallback_homedir
+option = homedir_substring
+option = override_shell
+option = default_shell
+option = description
+option = realmd_tags
+option = subdomain_refresh_interval
+option = subdomain_refresh_interval_offset
+option = subdomain_inherit
+option = subdomain_homedir
+option = cached_auth_timeout
+option = wildcard_limit
+option = full_name_format
+option = re_expression
+option = auto_private_groups
+option = pam_gssapi_services
+option = pam_gssapi_check_upn
+option = pam_gssapi_indicators_map
+option = local_auth_policy
+
+#Entry cache timeouts
+option = entry_cache_user_timeout
+option = entry_cache_group_timeout
+option = entry_cache_netgroup_timeout
+option = entry_cache_service_timeout
+option = entry_cache_autofs_timeout
+option = entry_cache_sudo_timeout
+option = entry_cache_ssh_host_timeout
+option = entry_cache_computer_timeout
+option = entry_cache_resolver_timeout
+option = refresh_expired_interval
+option = refresh_expired_interval_offset
+
+# Dynamic DNS updates
+option = dyndns_update
+option = dyndns_update_per_family
+option = dyndns_ttl
+option = dyndns_iface
+option = dyndns_address
+option = dyndns_refresh_interval
+option = dyndns_refresh_interval_offset
+option = dyndns_update_ptr
+option = dyndns_force_tcp
+option = dyndns_auth
+option = dyndns_auth_ptr
+option = dyndns_server
+option = dyndns_dot_cacert
+option = dyndns_dot_cert
+option = dyndns_dot_key
+
+# proxy provider specific options
+option = proxy_lib_name
+option = proxy_resolver_lib_name
+option = proxy_fast_alias
+option = proxy_pam_target
+option = proxy_max_children
+
+# simple access provider specific options
+option = simple_allow_users
+option = simple_deny_users
+option = simple_allow_groups
+option = simple_deny_groups
+
+# AD provider specific options
+option = ad_access_filter
+option = ad_backup_server
+option = ad_domain
+option = ad_enable_dns_sites
+option = ad_enabled_domains
+option = ad_enable_gc
+option = ad_gpo_access_control
+option = ad_gpo_implicit_deny
+option = ad_gpo_ignore_unreadable
+option = ad_gpo_cache_timeout
+option = ad_gpo_default_right
+option = ad_gpo_map_batch
+option = ad_gpo_map_deny
+option = ad_gpo_map_interactive
+option = ad_gpo_map_network
+option = ad_gpo_map_permit
+option = ad_gpo_map_remote_interactive
+option = ad_gpo_map_service
+option = ad_hostname
+option = ad_machine_account_password_renewal_opts
+option = ad_maximum_machine_account_password_age
+option = ad_server
+option = ad_site
+option = ad_update_samba_machine_account_password
+option = ad_use_ldaps
+
+# IPA provider specific options
+option = ipa_access_order
+option = ipa_anchor_uuid
+option = ipa_automount_location
+option = ipa_backup_server
+option = ipa_deskprofile_refresh
+option = ipa_deskprofile_request_interval
+option = ipa_deskprofile_search_base
+option = ipa_subid_ranges_search_base
+option = ipa_domain
+option = ipa_group_override_object_class
+option = ipa_hbac_refresh
+option = ipa_hbac_search_base
+option = ipa_hbac_support_srchost
+option = ipa_host_fqdn
+option = ipa_hostgroup_memberof
+option = ipa_hostgroup_member
+option = ipa_hostgroup_name
+option = ipa_hostgroup_objectclass
+option = ipa_hostgroup_uuid
+option = ipa_host_member_of
+option = ipa_host_name
+option = ipa_hostname
+option = ipa_host_object_class
+option = ipa_host_search_base
+option = ipa_host_serverhostname
+option = ipa_host_ssh_public_key
+option = ipa_host_uuid
+option = ipa_master_domain_search_base
+option = ipa_netgroup_domain
+option = ipa_netgroup_member_ext_host
+option = ipa_netgroup_member_host
+option = ipa_netgroup_member_of
+option = ipa_netgroup_member
+option = ipa_netgroup_member_user
+option = ipa_netgroup_name
+option = ipa_netgroup_object_class
+option = ipa_netgroup_uuid
+option = ipa_override_object_class
+option = ipa_ranges_search_base
+option = ipa_selinux_refresh
+option = ipa_selinux_usermap_enabled
+option = ipa_selinux_usermap_host_category
+option = ipa_selinux_usermap_member_host
+option = ipa_selinux_usermap_member_user
+option = ipa_selinux_usermap_name
+option = ipa_selinux_usermap_object_class
+option = ipa_selinux_usermap_see_also
+option = ipa_selinux_usermap_selinux_user
+option = ipa_selinux_usermap_user_category
+option = ipa_selinux_usermap_uuid
+option = ipa_server_mode
+option = ipa_server
+option = ipa_subdomains_search_base
+option = ipa_sudocmdgroup_entry_usn
+option = ipa_sudocmdgroup_member
+option = ipa_sudocmdgroup_name
+option = ipa_sudocmdgroup_object_class
+option = ipa_sudocmdgroup_uuid
+option = ipa_sudocmd_memberof
+option = ipa_sudocmd_object_class
+option = ipa_sudocmd_sudoCmd
+option = ipa_sudocmd_uuid
+option = ipa_sudorule_allowcmd
+option = ipa_sudorule_cmdcategory
+option = ipa_sudorule_denycmd
+option = ipa_sudorule_enabled_flag
+option = ipa_sudorule_entry_usn
+option = ipa_sudorule_externaluser
+option = ipa_sudorule_hostcategory
+option = ipa_sudorule_host
+option = ipa_sudorule_name
+option = ipa_sudorule_notafter
+option = ipa_sudorule_notbefore
+option = ipa_sudorule_object_class
+option = ipa_sudorule_option
+option = ipa_sudorule_runasextgroup
+option = ipa_sudorule_runasextusergroup
+option = ipa_sudorule_runasextuser
+option = ipa_sudorule_runasgroupcategory
+option = ipa_sudorule_runasgroup
+option = ipa_sudorule_runasusercategory
+option = ipa_sudorule_sudoorder
+option = ipa_sudorule_usercategory
+option = ipa_sudorule_user
+option = ipa_sudorule_uuid
+option = ipa_user_override_object_class
+option = ipa_view_class
+option = ipa_view_name
+option = ipa_views_search_base
+
+# krb5 provider specific options
+option = krb5_auth_timeout
+option = krb5_backup_kpasswd
+option = krb5_backup_server
+option = krb5_canonicalize
+option = krb5_ccachedir
+option = krb5_ccname_template
+option = krb5_confd_path
+option = krb5_fast_principal
+option = krb5_fast_use_anonymous_pkinit
+option = krb5_kdcinfo_lookahead
+option = krb5_kdcip
+option = krb5_keytab
+option = krb5_kpasswd
+option = krb5_lifetime
+option = krb5_map_user
+option = krb5_realm
+option = krb5_renewable_lifetime
+option = krb5_renew_interval
+option = krb5_server
+option = krb5_store_password_if_offline
+option = krb5_use_enterprise_principal
+option = krb5_use_subdomain_realm
+option = krb5_use_fast
+option = krb5_use_kdcinfo
+option = krb5_validate
+
+# ldap provider specific options
+option = ldap_access_filter
+option = ldap_access_order
+option = ldap_account_expire_policy
+option = ldap_autofs_entry_key
+option = ldap_autofs_entry_object_class
+option = ldap_autofs_entry_value
+option = ldap_autofs_map_master_name
+option = ldap_autofs_map_name
+option = ldap_autofs_map_object_class
+option = ldap_autofs_search_base
+option = ldap_backup_uri
+option = ldap_chpass_backup_uri
+option = ldap_chpass_dns_service_name
+option = ldap_chpass_update_last_change
+option = ldap_chpass_uri
+option = ldap_connection_expire_timeout
+option = ldap_connection_expire_offset
+option = ldap_connection_idle_timeout
+option = ldap_default_authtok
+option = ldap_default_authtok_type
+option = ldap_default_bind_dn
+option = ldap_deref
+option = ldap_deref_threshold
+option = ldap_ignore_unreadable_references
+option = ldap_disable_paging
+option = ldap_disable_range_retrieval
+option = ldap_dns_service_name
+option = ldap_entry_usn
+option = ldap_enumeration_refresh_timeout
+option = ldap_enumeration_refresh_offset
+option = ldap_enumeration_search_timeout
+option = ldap_force_upper_case_realm
+option = ldap_group_entry_usn
+option = ldap_group_external_member
+option = ldap_group_gid_number
+option = ldap_group_member
+option = ldap_group_modify_timestamp
+option = ldap_group_name
+option = ldap_group_nesting_level
+option = ldap_group_object_class
+option = ldap_group_objectsid
+option = ldap_group_search_base
+option = ldap_group_search_filter
+option = ldap_group_search_scope
+option = ldap_group_type
+option = ldap_group_uuid
+option = ldap_idmap_autorid_compat
+option = ldap_idmap_default_domain_sid
+option = ldap_idmap_default_domain
+option = ldap_idmap_helper_table_size
+option = ldap_id_mapping
+option = ldap_idmap_range_max
+option = ldap_idmap_range_min
+option = ldap_idmap_range_size
+option = ldap_id_use_start_tls
+option = ldap_krb5_init_creds
+option = ldap_krb5_keytab
+option = ldap_krb5_ticket_lifetime
+option = ldap_library_debug_level
+option = ldap_max_id
+option = ldap_min_id
+option = ldap_netgroup_member
+option = ldap_netgroup_modify_timestamp
+option = ldap_netgroup_name
+option = ldap_netgroup_object_class
+option = ldap_netgroup_search_base
+option = ldap_netgroup_triple
+option = ldap_network_timeout
+option = ldap_ns_account_lock
+option = ldap_offline_timeout
+option = ldap_opt_timeout
+option = ldap_page_size
+option = ldap_purge_cache_timeout
+option = ldap_purge_cache_offset
+option = ldap_pwd_attribute
+option = ldap_pwdlockout_dn
+option = ldap_pwd_policy
+option = ldap_read_rootdse
+option = ldap_referrals
+option = ldap_rfc2307_fallback_to_local_users
+option = ldap_rootdse_last_usn
+option = ldap_sasl_authid
+option = ldap_sasl_canonicalize
+option = ldap_sasl_mech
+option = ldap_sasl_minssf
+option = ldap_sasl_maxssf
+option = ldap_sasl_realm
+option = ldap_schema
+option = ldap_pwmodify_mode
+option = ldap_search_base
+option = ldap_search_timeout
+option = ldap_service_entry_usn
+option = ldap_service_name
+option = ldap_service_object_class
+option = ldap_service_port
+option = ldap_service_proto
+option = ldap_service_search_base
+option = ldap_sudo_full_refresh_interval
+option = ldap_sudo_hostnames
+option = ldap_sudo_include_netgroups
+option = ldap_sudo_include_regexp
+option = ldap_sudo_ip
+option = ldap_sudorule_command
+option = ldap_sudorule_host
+option = ldap_sudorule_name
+option = ldap_sudorule_notafter
+option = ldap_sudorule_notbefore
+option = ldap_sudorule_object_class
+option = ldap_sudorule_option
+option = ldap_sudorule_order
+option = ldap_sudorule_runasgroup
+option = ldap_sudorule_runas
+option = ldap_sudorule_runasuser
+option = ldap_sudorule_user
+option = ldap_sudo_search_base
+option = ldap_sudo_smart_refresh_interval
+option = ldap_sudo_random_offset
+option = ldap_sudo_use_host_filter
+option = ldap_tls_cacertdir
+option = ldap_tls_cacert
+option = ldap_tls_cert
+option = ldap_tls_cipher_suite
+option = ldap_tls_key
+option = ldap_tls_reqcert
+option = ldap_uri
+option = ldap_use_ppolicy
+option = ldap_ppolicy_pwd_change_threshold
+option = ldap_user_ad_account_expires
+option = ldap_user_ad_user_account_control
+option = ldap_user_authorized_host
+option = ldap_user_authorized_rhost
+option = ldap_user_authorized_service
+option = ldap_user_auth_type
+option = ldap_user_certificate
+option = ldap_user_email
+option = ldap_user_entry_usn
+option = ldap_user_extra_attrs
+option = ldap_user_fullname
+option = ldap_user_gecos
+option = ldap_user_gid_number
+option = ldap_user_home_directory
+option = ldap_user_krb_last_pwd_change
+option = ldap_user_krb_password_expiration
+option = ldap_user_member_of
+option = ldap_user_modify_timestamp
+option = ldap_user_name
+option = ldap_user_nds_login_allowed_time_map
+option = ldap_user_nds_login_disabled
+option = ldap_user_nds_login_expiration_time
+option = ldap_user_object_class
+option = ldap_user_objectsid
+option = ldap_user_passkey
+option = ldap_user_primary_group
+option = ldap_user_principal
+option = ldap_user_search_base
+option = ldap_user_search_filter
+option = ldap_user_search_scope
+option = ldap_user_shadow_expire
+option = ldap_user_shadow_flag
+option = ldap_user_shadow_inactive
+option = ldap_user_shadow_last_change
+option = ldap_user_shadow_max
+option = ldap_user_shadow_min
+option = ldap_user_shadow_warning
+option = ldap_user_shell
+option = ldap_user_ssh_public_key
+option = ldap_user_uid_number
+option = ldap_user_uuid
+option = ldap_use_tokengroups
+option = ldap_host_object_class
+option = ldap_host_name
+option = ldap_host_fqdn
+option = ldap_host_serverhostname
+option = ldap_host_member_of
+option = ldap_host_search_base
+option = ldap_host_ssh_public_key
+option = ldap_host_uuid
+option = ldap_iphost_search_base
+option = ldap_iphost_object_class
+option = ldap_iphost_name
+option = ldap_iphost_number
+option = ldap_iphost_entry_usn
+option = ldap_ipnetwork_search_base
+option = ldap_ipnetwork_object_class
+option = ldap_ipnetwork_name
+option = ldap_ipnetwork_number
+option = ldap_ipnetwork_entry_usn
+option = ldap_subid_ranges_search_base
+
+# For application domains
+option = inherit_from
+
+[rule/allowed_domain_options]
+validator = ini_allowed_options
+section_re = ^application/[^/]\{1,\}$
 
 option = debug
 option = debug_level