根据对象,我们遇到的LDAP峰值正在使我们的公司连接饱和。 从分析的跟踪中我可以说大部分流量是从部分属性集中的两个列表生成的: 基本上会发生的事情是我们分支机构的客户端正在向HeadQuarter中的DC发出NeyLOGON查询,并且在请求此LDAP对象类之后立即查询= *;现在回答的答案是全球部署的所有RODC列表,每个RODC都有一个PartialAtributeList ....特别是msDS-RevealedUsers和msDS-AuthenticatedToAccountList包含一堆用户。
你能帮帮我吗?
LDAPMessage searchRequest(1) "<ROOT>" baseObject
...
Filter: (objectclass=*) <-- this is the request with some attributes
attributes: 15 items
AttributeDescription: subschemaSubentry
AttributeDescription: dsServiceName
AttributeDescription: namingContexts
AttributeDescription: defaultNamingContext
AttributeDescription: schemaNamingContext
AttributeDescription: configurationNamingContext
AttributeDescription: rootDomainNamingContext
AttributeDescription: supportedControl
AttributeDescription: supportedLDAPVersion
AttributeDescription: supportedLDAPPolicies
AttributeDescription: supportedSASLMechanisms
AttributeDescription: dnsHostName
AttributeDescription: ldapServiceName
AttributeDescription: serverName
AttributeDescription: supportedCapabilities
Then the answer comes for every RODC like this:
PartialAttributeList item objectClass
PartialAttributeList item cn
....
PartialAttributeList item msDS-RevealedUsers
....
PartialAttributeList item msDS-AuthenticatedToAccountlist
PartialAttributeList item msDS-AuthenticatedToAccountlist;range=0-1499
....
所提到的列表很大