(Apologies for the late reply.)
Thanks. I don't quite understand the sudo side of things here.. I had a look at the FreeIPA LDAP and sssd log and it looks like sssd performs a quick LDAP query which retrieves all the relevant sudo rules for the host it's running on at startup. I don't quite see the need for then looking up all the members of a potentially large netgroup. I do not get the same kind of delay when evaluating HBAC rules referring to the same large hostgroup for example. If I don't have sudo rules explicitly referencing netgroups could I then disable the netgroup functionality entirely or is it required for sudo rules matching hostgroups? Is there any way to use LDAP sudo rules with FreeIPA instead?