On Fri, 29 Nov 2024, Richard Doerwaldt via sssd-users wrote:
> I've configured sudo to use the ipa backend basically using the config ipa-client-install generated for me and it's mostly working.
> However, when I configure sudo rules in FreeIPA with hostgroups containing a large amount of hosts, and I attempt to run sudo with an emptied sssd cache, I get delays as sssd looks up the hosts in those netgroups, sometimes leading to timeouts when these lookups exceed ldap_search_timeout. I don't think looking up the hosts in the netgroups should be required to evaluate the sudo rules.
SUDO does evaluate netgroups mentioned in the SUDO rules. So it needs to know that information. It uses innetgr(3) to request evaluation of the host's presence in the netgroup.
Basically, the flow is:
 - collect SUDO rules (sssd)
 - provide SUDO rules to SUDO via SSSD plugin
 - SUDO performs rule evaluation
 - for each rule with a netgroup, a match is attempted via innetgr(3) call
 - innetgr(3) will ask all configured netgroup plugins in glibc for their data, including SSSD
 - SSSD will have to pull all netgroups that this host is a member of.
> Configuring ignore_group_members=True unfortunately doesn't seem to help me here.
I don't think SSSD ignores membership for netgroups.
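To make the evaluation path in the reply concrete, here is a small model of it as an added example; it is not sudo's or SSSD's code. Each rule whose host field names a netgroup (`+name`, as in sudoers syntax) costs one innetgr(3) call, and innetgr(3) in turn goes through glibc's NSS netgroup sources, including SSSD. The rule set, the netgroup names `webservers` and `dbservers`, and the `stub_*` oracles are constructed for illustration; the membership check is passed in as a function so the counting logic can be exercised without a live NSS backend.

```c
#define _GNU_SOURCE
#include <netdb.h>      /* innetgr(3) */
#include <stdio.h>
#include <string.h>
#include <unistd.h>     /* gethostname(2) */

/* One sudo rule reduced to the two fields that matter here.
 * host_spec is "ALL", a literal hostname, or "+netgroup". */
struct sudo_rule {
    const char *host_spec;
    const char *command;
};

/* Membership oracle: (netgroup, host) -> non-zero if host is a member.
 * The real one is innetgr(3); the stubs below stand in for it offline. */
typedef int (*netgroup_check_fn)(const char *netgroup, const char *host);

static int innetgr_check(const char *netgroup, const char *host)
{
    /* user and domain are wildcarded: only the host part of the triple
     * is relevant when matching a sudo rule's host field */
    return innetgr(netgroup, host, NULL, NULL);
}

/* Constructed stubs: answer without touching NSS */
int stub_always_member(const char *netgroup, const char *host)
{ (void)netgroup; (void)host; return 1; }

int stub_never_member(const char *netgroup, const char *host)
{ (void)netgroup; (void)host; return 0; }

/* Returns 1 if rule->host_spec applies to host. *nss_calls is
 * incremented every time the netgroup oracle is consulted, so the
 * caller can see how many NSS round trips a rule set causes. */
int rule_matches_host(const struct sudo_rule *rule, const char *host,
                      netgroup_check_fn check, int *nss_calls)
{
    if (strcmp(rule->host_spec, "ALL") == 0)
        return 1;
    if (rule->host_spec[0] == '+') {       /* netgroup reference */
        (*nss_calls)++;
        return check(rule->host_spec + 1, host) != 0;
    }
    return strcmp(rule->host_spec, host) == 0;
}

/* Evaluates all rules for host; returns how many apply and reports the
 * number of netgroup lookups that were needed via *nss_calls. */
int count_applicable_rules(const struct sudo_rule *rules, int n,
                           const char *host, netgroup_check_fn check,
                           int *nss_calls)
{
    int matched = 0;
    *nss_calls = 0;
    for (int i = 0; i < n; i++)
        if (rule_matches_host(&rules[i], host, check, nss_calls))
            matched++;
    return matched;
}

/* Constructed sample rule set (hypothetical netgroup and host names) */
const struct sudo_rule sample_rules[] = {
    { "ALL",         "/usr/bin/systemctl" },
    { "+webservers", "/usr/bin/less" },
    { "+dbservers",  "/usr/bin/pg_dump" },
    { "buildhost01", "/usr/bin/make" },
};
#define SAMPLE_RULE_COUNT 4

int main(void)
{
    char host[256];
    if (gethostname(host, sizeof host) != 0)
        strcpy(host, "localhost");
    int nss_calls;
    /* With innetgr_check this really consults NSS (and SSSD, if configured) */
    int matched = count_applicable_rules(sample_rules, SAMPLE_RULE_COUNT,
                                         host, innetgr_check, &nss_calls);
    printf("host=%s applicable_rules=%d innetgr_calls=%d\n",
           host, matched, nss_calls);
    return 0;
}
```

Run as-is it uses the real innetgr(3), so on an IPA-enrolled client every `+netgroup` rule triggers the SSSD netgroup lookup the thread is about; the count it prints is the number of those lookups for the sample rule set, independent of how many hosts each netgroup contains on the server side.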