(Apologies for the late reply.)
Thanks. I don't quite understand the sudo side of things here.. I had a look at the FreeIPA LDAP and sssd log and it looks like sssd performs a quick LDAP query which retrieves all the relevant sudo rules for the host it's running on at startup. I don't quite see the need for then looking up all the members of a potentially large netgroup. I do not get the same kind of delay when evaluating HBAC rules referring to the same large hostgroup for example. If I don't have sudo rules explicitly referencing netgroups could I then disable the netgroup functionality entirely or is it required for sudo rules matching hostgroups? Is there any way to use LDAP sudo rules with FreeIPA instead? -- _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
