We've had problems with SSSD being slow sometimes, but not others, and there never seemed to be any obvious cause why, but I think I've tracked it down to problems with dereferencing. We do see errors about dereferencing in the log, but I didn't realize until now what it was referring to.

In theory, a search like this should give us the cn and objectclass of all members of the group, but I get only the attributes of the group itself. Whether I give the "-E 'deref=...'" or not I get the same output. Redacted output below:

ldapsearch [bind username and password stuff, etc] -E 'deref=uniqueMember:cn,objectclass' 'cn=Global System Administrators'
# extended LDIF
# LDAPv3
# base <[our base DN]> (default) with scope subtree
# filter: cn=Global System Administrators
# requesting: ALL
# with dereference control

# Global System Administrators, Groups, [our base DN]
dn: cn=Global System Administrators,ou=Groups,[our base DN]
control: false MIQAAAAA
uniqueMember: uid=user1,ou=Users,ou=[Office1],[our base DN]
uniqueMember: uid=user2,ou=Users,ou=[Office2],[our base DN]
uniqueMember: uid=user3,ou=Users,ou=[Office2],[our base DN]
uniqueMember: uid=user4,ou=Users,ou=[Office1],[our base DN]
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: Global System Administrators
gidNumber: 1001002
description: Global System Administrators

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1