On Fri, Nov 29, 2024 at 1:19 PM Richard Doerwaldt via sssd-users <sssd-users@lists.fedorahosted.org> wrote:
I've configured sudo to use the ipa backend basically using the config ipa-client-install generated for me and it's mostly working.

However, when I configure sudo rules in FreeIPA with hostgroups containing a large amount of hosts, and I attempt to run sudo with an emptied sssd cache I get delays as sssd looks up the hosts in those netgroups, sometimes leading to timeouts when these lookups exceed ldap_search_timeout.
I don't think looking up the hosts in the netgroups should be required to evaluate the sudo rules.
Configuring ignore_group_members=True unfortunately doesn't seem to help me here.

Is there any way I can avoid sssd looking up these large netgroups?

(As was already explained) no,

but what is your DS version?

There was a performance issue in this area in old versions:
https://bugzilla.redhat.com/show_bug.cgi?id=1913199