Jesse Hathaway wrote:
From our testing it appears that slapd's usage of the crypt function, to check a user's password on a bind request, is single threaded, rather than being distributed across all of slapd's threads. We encountered this problem when bumping the number of hashing rounds for our password hashes from 5,000 to 500,000 as was suggested by our security team.
Is it expected that the hashing of a user's password would be bound to one thread?
Depends entirely on whether or not your libc supports crypt_r() (reentrant crypt). If not then yes, it has to be single-threaded because crypt() is not reentrant; it returns a pointer to static storage.
And of course, even if you use crypt_r() it's always possible that the underlying cipher is itself single-threaded. We have no way to know and no control over that.
We ran our tests on a default install of slapd 2.4.44 on a Debian Jessie box with 8 cores.