We currently use SSSD on all of our boxes to provide groups information about users on our secure cluster. It fetches users' groups from an Active Directory/LDAP server which is far away and so slow. I can cache the results for some time but that still results in an initial slow request the first time, and we of course have lots of machines. SSSD doesn't share its cache with other SSSD systems.
I have heard that it is possible for Sentry to connect to AD and read all the user groups in an LDAP domain. I could then use this information in authorization requests instead of SSSD.
However I can't find any documentation for this.
Is this a valid deployment option? What do I need to read to get Sentry to pre-load an AD domain? Does it filter on users who are in a specific group, or does it fetch everything?