diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,14 +1,21 @@
 # Change Log
 
-## [v3.3.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.3.0) (2019-05-23)
-[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.2.0...v3.3.0)
+## [v3.3.1](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.3.1) (2019-08-26)
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.3.0...v3.3.1)
 
 **Closed issues:**
 
 - Add support for SLES 15 [\#210](https://github.com/ghoneycutt/puppet-module-pam/issues/210)
 
 **Merged pull requests:**
 
+- Fixed a compatibility issue that effects listsep changes [\#215](https://github.com/ghoneycutt/puppet-module-pam/pull/215) ([mears148](https://github.com/mears148))
+
+## [v3.3.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v3.3.0) (2019-05-23)
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v3.2.0...v3.3.0)
+
+**Merged pull requests:**
+
 - GH-210 Add support for SLES 15 [\#212](https://github.com/ghoneycutt/puppet-module-pam/pull/212) ([ph84172](https://github.com/ph84172))
 - Simplify gemfile [\#209](https://github.com/ghoneycutt/puppet-module-pam/pull/209) ([ghoneycutt](https://github.com/ghoneycutt))
 - Update json requirement from ~\> 2.1.0 to ~\> 2.2.0 [\#208](https://github.com/ghoneycutt/puppet-module-pam/pull/208) ([dependabot-preview[bot]](https://github.com/apps/dependabot-preview))

diff --git a/README.md b/README.md
@@ -75,12 +75,12 @@ This would create `/etc/security/access.conf` with the following content.
 #
 
 # allow only the groups listed
-+ : root : ALL
-+ : ops : ALL
-+ : devs : ALL
++:root:ALL
++:ops:ALL
++:devs:ALL
 
 # default deny
-- : ALL : ALL
+-:ALL:ALL
 ```
 
 ##### Example using a hash
@@ -104,12 +104,12 @@ This would create `/etc/security/access.conf` with the following content.
 #
 
 #allow only the groups listed
-+ : username : ALL
-+ : username1 : cron tty0
-+ : username2 : tty1
++:username:ALL
++:username1:cron tty0
++:username2:tty1
 
 # default deny
-- : ALL : ALL
+-:ALL:ALL
 ```
 
 #### Setting limits
@@ -169,9 +169,20 @@ versions 5 and 6 with the Ruby version associated with those releases.
 Please see `.travis.yml` for a full matrix of supported versions. This
 module aims to support the current and previous major Puppet versions.
 
- * EL 5
  * EL 6
  * EL 7
+ * Debian 8
+ * Debian 9
+ * Ubuntu 14.04 LTS
+ * Ubuntu 16.04 LTS
+ * Ubuntu 18.04 LTS
+
+### May work
+
+These platforms have spec tests and have been verified in the past,
+though are not functionally tested and formally supported.
+
+ * EL 5
  * Solaris 9
  * Solaris 10
  * Solaris 11
@@ -181,13 +192,8 @@ module aims to support the current and previous major Puppet versions.
  * Suse 12
  * Suse 15
  * OpenSuSE 13.1
- * Ubuntu 12.04 LTS
- * Ubuntu 14.04 LTS
- * Ubuntu 16.04 LTS
- * Ubuntu 18.04 LTS
  * Debian 7
- * Debian 8
- * Debian 9
+ * Ubuntu 12.04 LTS
 
 ## Development
 

diff --git a/examples/hiera/sssd/RedHat-7-AD.yaml b/examples/hiera/sssd/RedHat-7-AD.yaml
@@ -0,0 +1,71 @@
+---
+## nsswitch configuration required for use with sssd
+nsswitch::passwd: 'files sss'
+nsswitch::shadow: 'files sss'
+nsswitch::group: 'files sss'
+nsswitch::services: 'files sss'
+nsswitch::netgroup: 'files sss'
+nsswitch::automount: 'files sss'
+pam::allowed_users: 
+  - (Domain Users) # This is an example of an AD group that would not work without the pam_access module line below due to the space not being permitted using default line seperators
+
+# PAM Customized for use with sssd
+pam::pam_auth_lines:
+  - '# Managed by Hiera key pam::pam_auth_lines'
+  - 'auth        required      pam_env.so'
+  - 'auth        sufficient    pam_fprintd.so'
+  - 'auth        sufficient    pam_unix.so nullok try_first_pass'
+  - 'auth        requisite     pam_succeed_if.so uid >= 500 quiet'
+  - 'auth        sufficient    pam_sss.so use_first_pass'
+  - 'auth        required      pam_deny.so'
+pam::pam_account_lines:
+  - '# Managed by Hiera key pam::pam_account_lines'
+  - 'account     required      pam_access.so listsep=,' # This line will integrate access control that is compatible with AD groups containing spaces (ex. 'Domain Users')
+  - 'account     required      pam_unix.so'
+  - 'account     sufficient    pam_localuser.so'
+  - 'account     sufficient    pam_succeed_if.so uid < 500 quiet'
+  - 'account     [default=bad success=ok user_unknown=ignore] pam_sss.so'
+  - 'account     required      pam_permit.so'
+pam::pam_password_lines:
+  - '# Managed by Hiera key pam::pam_password_lines'
+  - 'password    requisite     pam_cracklib.so try_first_pass retry=3 type='
+  - 'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
+  - 'password    sufficient    pam_sss.so use_authtok'
+  - 'password    required      pam_deny.so'
+pam::pam_session_lines:
+  - '# Managed by Hiera key pam::pam_session_lines'
+  - 'session     optional      pam_keyinit.so revoke'
+  - 'session     required      pam_limits.so'
+  - 'session     optional      pam_oddjob_mkhomedir.so umask=0077'
+  - 'session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid'
+  - 'session     required      pam_unix.so'
+  - 'session     optional      pam_sss.so'
+pam::pam_password_auth_lines:
+  - '# Managed by Hiera key pam::pam_password_auth_lines'
+  - 'auth        required      pam_env.so'
+  - 'auth        sufficient    pam_unix.so nullok try_first_pass'
+  - 'auth        requisite     pam_succeed_if.so uid >= 500 quiet'
+  - 'auth        sufficient    pam_sss.so use_first_pass'
+  - 'auth        required      pam_deny.so'
+pam::pam_password_account_lines:
+  - '# Managed by Hiera key pam::pam_password_account_lines'
+  - 'account     required      pam_unix.so'
+  - 'account     sufficient    pam_localuser.so'
+  - 'account     sufficient    pam_succeed_if.so uid < 500 quiet'
+  - 'account     [default=bad success=ok user_unknown=ignore] pam_sss.so'
+  - 'account     required      pam_permit.so'
+pam::pam_password_password_lines:
+  - '# Managed by Hiera key pam::pam_password_password_lines'
+  - 'password    requisite     pam_cracklib.so try_first_pass retry=3 type='
+  - 'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
+  - 'password    sufficient    pam_sss.so use_authtok'
+  - 'password    required      pam_deny.so'
+pam::pam_password_session_lines:
+  - '# Managed by Hiera key pam::pam_password_session_lines'
+  - 'session     optional      pam_keyinit.so revoke'
+  - 'session     required      pam_limits.so'
+  - 'session     optional      pam_oddjob_mkhomedir.so umask=0077'
+  - 'session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid'
+  - 'session     required      pam_unix.so'
+  - 'session     optional      pam_sss.so'
+
diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-pam",
-  "version": "3.3.0",
+  "version": "3.3.1",
   "author": "ghoneycutt",
   "summary": "Manage PAM",
   "description": "Manages PAM, including specifying users and groups in access.conf, limits.conf, and limits fragments",

diff --git a/spec/acceptance/00_pam_spec.rb b/spec/acceptance/00_pam_spec.rb
@@ -44,8 +44,8 @@
       it { should be_owned_by 'root' }
       it { should be_grouped_into 'root' }
       it { should be_mode 644 }
-      it { should contain('+ : root : ALL').before('- : ALL : ALL') }
-      it { should contain('- : ALL : ALL').after('\+ : root : ALL') }
+      it { should contain('+:root:ALL').before('-:ALL:ALL') }
+      it { should contain('-:ALL:ALL').after('\+:root:ALL') }
     end
 
     describe file('/etc/security/limits.conf') do

diff --git a/spec/classes/accesslogin_spec.rb b/spec/classes/accesslogin_spec.rb
@@ -13,10 +13,10 @@
       |#
       |
       |# allow only the groups listed
-      |+ : root : ALL
+      |+:root:ALL
       |
       |# default deny
-      |- : ALL : ALL
+      |-:ALL:ALL
     END
 
     it do
@@ -59,22 +59,22 @@
 
   context 'with allowed_users set to a valid string for one user' do
     let(:params) { {:allowed_users => 'tester'} }
-    it { should contain_file('access_conf').with_content(%r{^# allow only the groups listed\n\+ : tester : ALL\n\n# default deny}) }
+    it { should contain_file('access_conf').with_content(%r{^# allow only the groups listed\n\+:tester:ALL\n\n# default deny}) }
   end
 
   context 'with allowed_users set to a valid array for two users' do
     let(:params) { {:allowed_users => [ 'spec', 'tester' ] } }
-    it { should contain_file('access_conf').with_content(%r{^# allow only the groups listed\n\+ : spec : ALL\n\+ : tester : ALL\n\n# default deny}) }
+    it { should contain_file('access_conf').with_content(%r{^# allow only the groups listed\n\+:spec:ALL\n\+:tester:ALL\n\n# default deny}) }
   end
 
   context 'with allowed_users set to a valid hash for two users with specific origins' do
     let(:params) { {:allowed_users => { 'spec' => 'cron', 'tester' => [ 'cron', 'tty0' ] } } }
-    it { should contain_file('access_conf').with_content(%r{^# allow only the groups listed\n\+ : spec : cron\n\+ : tester : cron tty0\n\n# default deny}) }
+    it { should contain_file('access_conf').with_content(%r{^# allow only the groups listed\n\+:spec:cron\n\+:tester:cron tty0\n\n# default deny}) }
   end
 
   context 'with allowed_users set to a valid hash for one users without specific origins should default to <ALL>' do
     let(:params) { {:allowed_users => { 'tester' => {} } } }
-    it { should contain_file('access_conf').with_content(%r{^# allow only the groups listed\n\+ : tester : ALL\n\n# default deny}) }
+    it { should contain_file('access_conf').with_content(%r{^# allow only the groups listed\n\+:tester:ALL\n\n# default deny}) }
   end
 
   context 'with allowed_users set to a valid hash for five users with all possible cases' do
@@ -85,14 +85,14 @@
       |#
       |
       |# allow only the groups listed
-      |+ : user1 : tty5
-      |+ : user2 : cron tty0
-      |+ : user3 : cron
-      |+ : user4 : tty0
-      |+ : user5 : ALL
+      |+:user1:tty5
+      |+:user2:cron tty0
+      |+:user3:cron
+      |+:user4:tty0
+      |+:user5:ALL
       |
       |# default deny
-      |- : ALL : ALL
+      |-:ALL:ALL
     END
 
     it { should contain_file('access_conf').with_content(content) }

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -221,11 +221,11 @@
       |#
       |
       |# allow only the groups listed
-      |+ : user1 : cron tty0
-      |+ : user2 : test1 test2
+      |+:user1:cron tty0
+      |+:user2:test1 test2
       |
       |# default deny
-      |- : ALL : ALL
+      |-:ALL:ALL
     END
     it { should contain_file('access_conf').with_content(file_header + content) }
   end

diff --git a/templates/access.conf.erb b/templates/access.conf.erb
@@ -4,8 +4,8 @@
 
 # allow only the groups listed
 <% @allowed_users_hash.sort.each do |user, origin| -%>
-+ : <%= user %> : <%= origin %>
++:<%= user %>:<%= origin %>
 <% end -%>
 
 # default deny
-- : ALL : ALL
+-:ALL:ALL