diff --git a/security/sssd2/Makefile b/security/sssd2/Makefile
index 0706eb8..1d0ee61 100644
--- a/security/sssd2/Makefile
+++ b/security/sssd2/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	sssd
 PORTVERSION=	2.9.4
-PORTREVISION=	6
+PORTREVISION=	7
 CATEGORIES=	security
 PKGNAMESUFFIX=	2
 
diff --git a/security/sssd2/files/patch-src_config_cfg__rules.ini b/security/sssd2/files/patch-src_config_cfg__rules.ini
new file mode 100644
index 0000000..f6bc19e
--- /dev/null
+++ b/security/sssd2/files/patch-src_config_cfg__rules.ini
@@ -0,0 +1,77 @@
+--- src/config/cfg_rules.ini.orig	2024-04-24 13:37:15 UTC
++++ src/config/cfg_rules.ini
+@@ -11,15 +11,15 @@ section_re = ^prompting/password$
+ section = kcm
+ section = session_recording
+ section_re = ^prompting/password$
+-section_re = ^prompting/password/[^/\@]\+$
++section_re = ^prompting/password/[^/\@]+$
+ section_re = ^prompting/2fa$
+-section_re = ^prompting/2fa/[^/\@]\+$
++section_re = ^prompting/2fa/[^/\@]+$
+ section_re = ^prompting/passkey$
+-section_re = ^prompting/passkey/[^/\@]\+$
+-section_re = ^domain/[^/\@]\+$
+-section_re = ^domain/[^/\@]\+/[^/\@]\+$
+-section_re = ^application/[^/\@]\+$
+-section_re = ^certmap/[^/\@]\+/[^/\@]\+$
++section_re = ^prompting/passkey/[^/\@]+$
++section_re = ^domain/[^/\@]+$
++section_re = ^domain/[^/\@]+/[^/\@]+$
++section_re = ^application/[^/\@]+$
++section_re = ^certmap/[^/\@]+/[^/\@]+$
+ 
+ 
+ [rule/allowed_sssd_options]
+@@ -329,13 +329,13 @@ validator = ini_allowed_options
+ 
+ [rule/allowed_prompting_password_subsec_options]
+ validator = ini_allowed_options
+-section_re = ^prompting/password/[^/\@]\+$
++section_re = ^prompting/password/[^/\@]+$
+ 
+ option = password_prompt
+ 
+ [rule/allowed_prompting_2fa_subsec_options]
+ validator = ini_allowed_options
+-section_re = ^prompting/2fa/[^/\@]\+$
++section_re = ^prompting/2fa/[^/\@]+$
+ 
+ option = single_prompt
+ option = first_prompt
+@@ -343,7 +343,7 @@ validator = ini_allowed_options
+ 
+ [rule/allowed_prompting_passkey_subsec_options]
+ validator = ini_allowed_options
+-section_re = ^prompting/passkey/[^/\@]\+$
++section_re = ^prompting/passkey/[^/\@]+$
+ 
+ option = interactive
+ option = interactive_prompt
+@@ -352,7 +352,7 @@ validator = ini_allowed_options
+ 
+ [rule/allowed_domain_options]
+ validator = ini_allowed_options
+-section_re = ^\(domain\|application\)/[^/]\+$
++section_re = ^(domain|application)/[^/]+$
+ 
+ option = debug
+ option = debug_level
+@@ -810,7 +810,7 @@ validator = ini_allowed_options
+ 
+ [rule/allowed_subdomain_options]
+ validator = ini_allowed_options
+-section_re = ^domain/[^/\@]\+/[^/\@]\+$
++section_re = ^domain/[^/\@]+/[^/\@]+$
+ 
+ option = ldap_search_base
+ option = ldap_user_search_base
+@@ -832,7 +832,7 @@ validator = ini_allowed_options
+ 
+ [rule/allowed_certmap_options]
+ validator = ini_allowed_options
+-section_re = ^certmap/[^/\@]\+/[^/\@]\+$
++section_re = ^certmap/[^/\@]+/[^/\@]+$
+ 
+ option = matchrule
+ option = maprule