On Thu, Dec 19, 2013 at 06:48:41PM +0000, Chris Petty wrote:
> Here is what was printed to the sssd_nss log at level 5 when I ran a
> sudo command.
> Also, the full sssd.conf that I am currently running on this machine.
> -chris

Seems like there are a lot of requests coming in for groups-by-gid. I'm not
sure if these come from sudo or elsewhere, but group requests can be
really slow if the groups are huge and/or nested.

Do you rely on the group members being returned? If not, you could set:
    ignore_group_members = True

From man sssd.conf:

    ignore_group_members (bool)
        Do not return group members for group lookups.

        If set to TRUE, the group membership attribute is not requested
        from the ldap server, and group members are not returned when
        processing group lookup calls.

        Default: FALSE

But this option is only available starting with RHEL 6.5. Given you run
Scientific Linux, you might need to wait a bit (or rebuild the RHEL
SRPM yourself). Or alternatively, try the custom RPMs I built a while
ago:
http://jhrozek.fedorapeople.org/sssd-test-builds/ignore-member/x86_64/