On 4/12/2016 7:56 PM, David Nelson wrote:
> On 04/12/2016 09:51 AM, James Hogarth wrote:
>> To the OP enumerate is always painful, I'd remove that for a start.
>
> This was my experience too, for what it's worth. When I first set up a
> new system pointed at LDAP it was absurdly slow to authenticate. Setting
> Enumerate to False in /etc/sssd/sssd.conf made all the difference.

Hello,

I had a similar problem recently with a CentOS 6 machine, which was in another country and had ~100ms latency to the LDAP server. When I did "id user", it took around 20 seconds. I did some debugging, and when the user was not a member of additional groups, it was much faster (5 seconds), but still slow. It seems that for each member of a group, the client did a query to the LDAP server.

I put "ignore_group_members = true" in sssd.conf and now it's much faster. Can you try this?

Regards,