Hi,

On Mon, Oct 2, 2023 at 6:20 AM Spike White <[email protected]> wrote:
> All,
>
> Is there anything in sssd's RHEL and RHEL-like Linux server OS settings
> that performs LDAP binds or connections to AD every 30 minutes?
>
> What our AD team is seeing is all of the DCs in our biggest AMER AD site
> peak with LDAP sessions for about 10 minutes at the top of the hour then
> again at the bottom of the hour. No other AD site in the world appears to
> see this behavior, not even other AD sites in this metro area.
>
> The reason they noticed is that our non-AMER DCs in this biggest AD site
> hit their 5k LDAP client session limit during those 10 minutes every 30
> minutes. Meaning any clients attempting to establish an LDAP session past
> 5000 are dropped by the DC. In their research they see thousands of LDAP
> binds by RHEL Linux servers against two specific non-AMER AD DCs in a short
> period of time after digging through some LDAP log samples that they pulled
> from these DCs.
>

Can they also say what operations are being performed by those connections?
Or can you check SSSD logs on the client side?

I wonder if this could be `ldap_sudo_smart_refresh_interval`...

>
> In this major AD site, we have dozens and dozens of AMER AD DCs. So
> there's enough preferred AD DCs to spread the load. But typically for the
> non-AMER regions, the AD team puts 2 of each region's DCs in a site. For
> instance, for APAC they would put two APAC DCs in this AMER major site.
> Thus all AMER RHEL servers in this site would randomly hit dozens of AMER
> DCs, but concentrate on these two preferred APAC DCs. (preferred because
> they're in this location).
>
> I know our older AD integration product used to hit AD every 30 mins to
> check GPOs, but we're not implementing GPOs with sssd.
>
> Spike
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
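One way to follow up on the `ldap_sudo_smart_refresh_interval` question from the client side, as an added example that is not part of the original thread or of SSSD itself: list the interval options explicitly set in each `sssd.conf` domain section and flag those whose period fits a 30-minute cycle. The other option names are real sssd-ldap settings chosen here as candidates; the sample configuration and domain name are constructed.

```python
import configparser

# sssd.conf options (see sssd-ldap(5)) that drive recurring LDAP activity,
# all expressed in seconds. Only the first is named in the thread; the rest
# are an assumption about what else is worth checking.
PERIODIC_OPTIONS = (
    "ldap_sudo_smart_refresh_interval",
    "ldap_sudo_full_refresh_interval",
    "ldap_enumeration_refresh_timeout",
    "ldap_connection_expire_timeout",
)

WINDOW = 1800  # the 30-minute cadence reported by the AD team

# Constructed sample; not taken from the poster's servers.
SAMPLE_CONF = """
[sssd]
domains = amer.example.com
services = nss, pam, sudo

[domain/amer.example.com]
id_provider = ad
sudo_provider = ad
ldap_sudo_smart_refresh_interval = 1800
ldap_sudo_full_refresh_interval = 21600
ldap_connection_expire_timeout = 900
"""

def periodic_settings(conf_text, window=WINDOW):
    """Return [(domain, option, seconds, fits_window)] for explicitly set options.

    fits_window is True when `window` is a whole multiple of the interval,
    i.e. the task can recur at the same offset in every 30-minute slot.
    Unset options fall back to SSSD's built-in defaults and are not listed.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    found = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        for opt in PERIODIC_OPTIONS:
            raw = cp.get(section, opt, fallback=None)
            if raw is None or not raw.strip().isdigit():
                continue  # missing or non-numeric value: nothing to report
            secs = int(raw)
            fits = secs > 0 and window % secs == 0
            found.append((section[len("domain/"):], opt, secs, fits))
    return found

if __name__ == "__main__":
    for dom, opt, secs, fits in periodic_settings(SAMPLE_CONF):
        print(f"{dom}: {opt} = {secs}s{'  <-- fits 30-minute cycle' if fits else ''}")
```

A matching interval only narrows the candidates; confirming which operations the connections carry still needs the DC or client-side SSSD logs the reply asks for.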
