All,

Is there anything in sssd's RHEL and RHEL-like Linux server OS settings
that performs LDAP binds or connections to AD every 30 minutes?

What our AD team is seeing is all of the DCs in our biggest AMER AD site
peak with LDAP sessions for about 10 minutes at the top of the hour then
again at the bottom of the hour.  No other AD site in the world appears to
see this behavior, not even other AD sites in this metro area.

The reason they noticed is that our non-AMER DCs in this biggest AD site
hit their 5k LDAP client session limit during those 10 minutes every 30
minutes.  Meaning any clients attempting to establish an LDAP session past
5000 are dropped by the DC.  In their research they see thousands of LDAP
Binds by RHEL Linux servers against two specific non-AMER AD DCs in a short
period of time after digging through some LDAP log samples that they pulled
from these DCs.

In this major AD site, we have dozens and dozens of AMER AD DCs.  So
there's enough preferred AD DCs to spread the load.  But typically for the
non-AMER regions, the AD team puts 2 of each region's DCs in a site.  For
instance, for APAC they would put two APAC DCs in this AMER major site.
Thus all AMER RHEL servers in this site would randomly hit dozens of AMER
DCs, but concentrate on these two preferred APAC DCs.  (preferred because
they're in this location).

I know our older AD integration product used to hit AD every 30 mins to
check GPOs, but we're not implementing GPOs with sssd.

Spike
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
