Anyone running RHEL 8x/9x SSSD authentication against eDir 9.x

We have been moving all our RHEL 7.9 servers to 8.x or 9.3 and they are all configured with SSSD to authenication users against our edirectory authentication tree.    We have noticed that since the number of 8.x/9.x servers has increased the load on our eDirectory ldap servers has gone through the roof and we have had to basically double processors in order to keep the load average on the boxes in the 7's from being in the 14's.     Just curious if anyone else has gone through a similar change in their environment and what they ended up doing to resolve.

  • Suggested Answer

    0

    In case anyone runs into this.   It seems the SSSD in RHEL 8/9 has introduced some additional functionality that is looking for NIS related attribute data when a linux user is authenticating and additional searches are being made from SSD in the format of [(&(objectclass=ipHost)(cn=*)(ipHostNumber=*))].   This did not exist in RHEL 7.   It was determined that adding an index to "objectClass" attribute on our ldap servers alleviated the performance hit of this additional query coming from SSSD..... a workaround, but solves the issue.  Once this was done, the CPU utilization for ndsd and the overall system load dropped down to levels consistent with what we had before introduction RHEL 8/9 SSSD clients to the environment.