On 4/12/16 12:15 PM, Todor Petkov wrote:
>
> On 4/12/2016 7:56 PM, David Nelson wrote:
>> On 04/12/2016 09:51 AM, James Hogarth wrote:
>>> To the OP enumerate is always painful, I'd remove that for a start.
>> This was my experience too, for what it's worth. When I first set up a
>> new system pointed at LDAP it was absurdly slow to authenticate. Setting
>> Enumerate to False in /etc/sssd/sssd.conf made all the difference.
> Hello,
>
> I had similar problem recently with Centos6 machine, which was in
> another country and had ~100ms latency to the LDAP server.
> When I did "id user", it took around 20 seconds. I did some debugging,
> and when the user was not a member of additional groups, it was much
> faster (5 seconds), but still slow.
> It seems that for each member of a group, the client did a query to the
> LDAP server. I put "ignore_group_members = true" in sssd.conf and now
> it's much faster. Can you try this?
>
> Regards,

In my particular case the server is already widely used so I'm not in a good position to test it. But next time I have to set up a new system that authenticates against LDAP, I'll be sure to do that!
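
A small audit of the two sssd.conf settings discussed in this thread, added here as an example and not written by any of the posters or taken from the SSSD project. The sample configuration, the domain names and the function name `audit_sssd_conf` are constructed for illustration; the check assumes both options default to false when absent.

```python
import configparser

# Constructed sample sssd.conf (not from the thread); domain names are hypothetical.
SAMPLE = """\
[sssd]
services = nss, pam
domains = example_ldap, tuned_ldap

[domain/example_ldap]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
enumerate = True

[domain/tuned_ldap]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
enumerate = false
ignore_group_members = true
"""

def _flag(section, key):
    # Assumption: an absent option means false, which is the default for both keys.
    return section.get(key, "false").strip().lower() == "true"

def audit_sssd_conf(text):
    """Return {domain: [findings]} for the two settings discussed in the thread."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue  # only [domain/NAME] sections carry these options
        sec = cp[name]
        findings = []
        if _flag(sec, "enumerate"):
            findings.append("enumerate is on: full user/group listing is fetched")
        if not _flag(sec, "ignore_group_members"):
            # Trade-off: turning this on makes group member lists come back empty.
            findings.append("ignore_group_members is off: group members are resolved")
        report[name[len("domain/"):]] = findings
    return report

if __name__ == "__main__":
    for domain, findings in audit_sssd_conf(SAMPLE).items():
        print(domain, "->", findings or "ok")
```

Pass the contents of `/etc/sssd/sssd.conf` to `audit_sssd_conf` to check a real host; the file is normally readable only by root.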