On 14/07/17 20:57, Josh Catana wrote:
Thank you both for the advice. I appreciate it.

It seems like indexing aliasedObjectName helped, but I also put a problem system on its own replica. Load from slapd seemed to drop from 1500% down to a normal level, <50%.

Nice replica:-)  I don't see how indexing aliasedObjectName could help.

Instead of having separate copies of each user in separate branches, we just have a master branch and alias the users into the branches for systems they are allowed access into. It seemed like an efficient way to do things. We'd only have to update a single object if the user ever had any change. Otherwise we'd have to maintain a copy of each user object in each instance they belonged to.

Maybe I'll have to rethink our architecture. Any recommendations?

If you have a deep structure with something like
   uid=username,ou=foo,ou=bar,ou=baz,dc=example,dc=com
switch to a flat
  uid=username,cn=people,dc=example,dc=com
where each person has a membership attribute or something similar
which says where he belongs.  See e.g. attribute eduPersonOrgUnitDN
in the eduPerson schema:
http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html#eduPersonOrgUnitDN

If that's not feasible, go with data duplication: Keep a single
"master" copy of each user somewhere - in an LDAP server or somewhere
else - and generate his other LDAP entries from that.
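
An added example, not code from either poster: one way to migrate from the alias layout to the flat layout suggested above, turning each alias into an eduPersonOrgUnitDN value on the master entry. It assumes the parent DN of each alias identifies the system branch; all DNs in the sample are constructed, and base64-encoded LDIF values are not handled.

```python
import re
from collections import defaultdict

# Constructed sample: users aliased into per-system branches, as in the thread.
SAMPLE_LDIF = """\
dn: uid=alice,ou=web,ou=systems,dc=example,dc=com
objectClass: alias
aliasedObjectName: uid=alice,cn=people,dc=example,dc=com

dn: uid=alice,ou=db,ou=systems,dc=example,dc=com
objectClass: alias
aliasedObjectName: uid=alice,cn=people,
 dc=example,dc=com

dn: uid=bob,ou=web,ou=systems,dc=example,dc=com
objectClass: alias
aliasedObjectName: uid=bob,cn=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse plain LDIF (folded lines joined) into a list of {attr: [values]}."""
    entries = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries.append(entry)
    return entries

def memberships(entries):
    """Map each alias target DN to the set of branches it was aliased into."""
    result = defaultdict(set)
    for e in entries:
        if "alias" in (v.lower() for v in e["objectclass"]):
            # Parent DN = everything after the first unescaped comma.
            parent = re.split(r"(?<!\\),", e["dn"][0], maxsplit=1)[1]
            result[e["aliasedobjectname"][0]].add(parent)
    return result

def to_modify_ldif(members):
    """LDIF modify records; assumes targets already have the eduPerson class."""
    records = []
    for dn in sorted(members):
        lines = [f"dn: {dn}", "changetype: modify", "add: eduPersonOrgUnitDN"]
        lines += [f"eduPersonOrgUnitDN: {unit}" for unit in sorted(members[dn])]
        records.append("\n".join(lines + ["-"]))
    return "\n\n".join(records) + "\n"

if __name__ == "__main__":
    print(to_modify_ldif(memberships(parse_ldif(SAMPLE_LDIF))))
```

After the change, a system looks up its permitted users with a filter such as `(eduPersonOrgUnitDN=ou=web,ou=systems,dc=example,dc=com)` under the flat branch, with no alias dereferencing involved.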