Jakub Hrozek <jhrozek@redhat.com> wrote

On Mon, Aug 13, 2012 at 10:16:49PM -0400, Mark London wrote:
Mark London wrote:
Hi - When our primary DNS is unreachable, SSSD with LDAP breaks,
or is incredibly slow.  I've traced it to the fact that several of
the LDAP timeout values are 6 seconds.  This is not long enough,
because the default DNS timeout failover is 5 seconds.  Incoming
SSH connections are impossible without increasing the LDAP timeout
value.  I'm not sure yet which is the critical setting, but I've
increased the following from 6 seconds to 30:
I found the dns_resolver_timeout variable and changed it from 5 seconds to 1
second, but that didn't help.  I still see 5 second delays when
sdap_ldap_connect_callback_add is called.  It would be nice if the
internal resolver had a cache!  Any other suggestions?  I'll be
happy to hack the code, if someone could give me any idea of what
needs to be fixed.  This situation has occurred several times over
the past few months, causing major problems.  Thanks.

I would recommend turning off the referral support:
    ldap_referrals = false

That should get rid of many reconnection attempts. We don't control name
resolution for referred servers and I suspect the resolution is done
internally in libldap.


Thanks for the info!  That reduces the time to login to 50 seconds.  Much better!  Perhaps the default for that setting should be false?
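An added check for the two settings this thread turns on (example code written for this page, not part of SSSD or of the thread). It assumes the three ldap_*_timeout options it names are the 6-second timeouts the poster raised to 30, reads a constructed [domain/EXAMPLE] section, and reports how much time each LDAP timeout leaves after one 5-second DNS failover and whether referral chasing is still enabled.

```python
import configparser
# Two constructed sssd.conf fragments (not from the thread). BROKEN has the
# 6 s LDAP timeouts and 5 s DNS failover the poster describes, with referral
# chasing at its default; FIXED raises the timeouts to 30 s and sets
# ldap_referrals = false as recommended above.
BROKEN_CONF = """\
[domain/EXAMPLE]
ldap_network_timeout = 6
ldap_opt_timeout = 6
ldap_search_timeout = 6
dns_resolver_timeout = 5
"""
FIXED_CONF = """\
[domain/EXAMPLE]
ldap_network_timeout = 30
ldap_opt_timeout = 30
ldap_search_timeout = 30
dns_resolver_timeout = 5
ldap_referrals = false
"""
# LDAP timeouts that default to 6 s in SSSD; assumed to be the ones raised to 30.
LDAP_TIMEOUT_KEYS = ("ldap_network_timeout", "ldap_opt_timeout", "ldap_search_timeout")
DEFAULT_LDAP_TIMEOUT = 6
DEFAULT_DNS_RESOLVER_TIMEOUT = 5

def _domain(conf_text, domain):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp[f"domain/{domain}"]

def timeout_headroom(conf_text, domain):
    """Seconds each LDAP timeout leaves after one dns_resolver_timeout is spent on
    an unreachable primary nameserver; <= 1 means LDAP gives up before the
    secondary nameserver can answer."""
    sect = _domain(conf_text, domain)
    dns = sect.getint("dns_resolver_timeout", DEFAULT_DNS_RESOLVER_TIMEOUT)
    return {k: sect.getint(k, DEFAULT_LDAP_TIMEOUT) - dns for k in LDAP_TIMEOUT_KEYS}

def referrals_enabled(conf_text, domain):
    """ldap_referrals defaults to true; each chased referral opens a new
    connection whose name lookup repeats the DNS failover wait."""
    return _domain(conf_text, domain).getboolean("ldap_referrals", True)

def findings(conf_text, domain):
    out = [f"{k}: only {h}s left after DNS failover"
           for k, h in timeout_headroom(conf_text, domain).items() if h <= 1]
    if referrals_enabled(conf_text, domain):
        out.append("ldap_referrals is on; set ldap_referrals = false")
    return out
```

Running findings() on BROKEN_CONF lists all three timeouts plus the referral setting; on FIXED_CONF it returns an empty list.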