eDirectory - high CPU utilization in libsal - coring in libncpengine

  • 7024862
  • 12-Oct-2020
  • 12-Oct-2020

Environment

Open Enterprise Server 2018 SP2

Situation

The server was showing very high CPU utilization (Example: 1400%)
The top command showed that ndsd was the process causing this high utilization
Obviously eDirectory authentications were very very slow.
An ndstrace with LDAP enabled showed a ton of -5888 errors scrolling by.
Eventually eDirectory would crash.

Resolution

The network team noticed that this same server was connecting over UDP port 389 to IP addresses all over the world.
It was believed that this server was being exploited over UDP 389.
The network team configured the firewall to not allow inbound traffic on UDP port 389.
The utilization and crashes stopped