Q: opendirectoryd high CPU but I don't use Active Directory

I had this problem as well. When I kicked up the opendirectoryd logging level (OS X Server: Changing opendirectoryd logging levels - Apple Support), I saw a lot of references to SSH. I also saw a lot of sshd processes in my top output. I went into System Preferences->Sharing and disabled Remote Login, which seemed to solve the problem. I reenabled Remote Login and, at least immediately, opendirectoryd seems to be behaving and sshd isn't multiplying (even when I log in from another system.)

I take it back, after five minutes opendirectoryd was back to its high-CPU shenanigans (and multiple sshd processes appeared.) Disabling Remote Login still seems to restore sanity.

Looks like somebody's bot is trying to log in. "error: PAM: authentication error for root from 43.229.53.38" appears more than 2 million times in the system.log in the last week. That spawns large numbers of sshd processes, which drives opendirectoryd mad.

Just wanted to say that the exact same ip has been attempting to log into my mac since yesterday. I had no idea why until I turned off remote login and my fan stopped spinning. Then I checked my logs... /var/log/system.log

Time to change my port / install a ssh blocker...

Same IP address here. Had to disable all remote access. Problem is my server is a headless Mac Mini that I manage with Remote Desktop. CPU was so overburdened with these login attempts that I could barely get enough cycles to handle VNC.

I have the exact same problem, solved the exact same way.. turned off remote login under sharing. Someone is definitely trying to hack via SSH. This time, I have this IP number coming up repeatedly:

43.229.53.61

Almost the same. These IPs are from Hong Kong. Pasted below is the relevant part of a traceroute. The penultimate step before Hong Kong is in the US via China Telecom (Americas) most likely.

5  be-7015-cr02.newyork.ny.ibone.comcast.net (68.86.90.217)  19.732 ms  18.714 ms  19.994 ms

6  be-10305-cr02.350ecermak.il.ibone.comcast.net (68.86.85.202)  48.027 ms  41.714 ms  38.912 ms

7  be-10617-cr02.denver.co.ibone.comcast.net (68.86.85.170)  64.552 ms  60.371 ms  63.831 ms

8  be-11719-cr01.1601milehigh.co.ibone.comcast.net (68.86.86.78)  65.500 ms  60.374 ms  62.072 ms

9  be-10919-cr01.sunnyvale.ca.ibone.comcast.net (68.86.85.153)  85.371 ms  84.812 ms  86.209 ms

10  be-10925-cr01.9greatoaks.ca.ibone.comcast.net (68.86.87.158)  87.872 ms  88.360 ms  89.590 ms

11  68.86.86.242 (68.86.86.242)  86.267 ms  87.907 ms  151.821 ms

12  66.208.216.34 (66.208.216.34)  88.008 ms

    66.208.216.38 (66.208.216.38)  97.237 ms

    66.208.216.42 (66.208.216.42)  89.644 ms

13  202.97.50.61 (202.97.50.61)  86.456 ms  88.278 ms  90.140 ms

14  202.97.49.145 (202.97.49.145)  100.824 ms  121.560 ms  101.958 ms

15  203.14.186.18 (203.14.186.18)  94.447 ms  94.442 ms  94.307 ms

16  218.30.44.126 (218.30.44.126)  93.694 ms

    218.30.44.134 (218.30.44.134)  94.672 ms

    218.30.44.138 (218.30.44.138)  159.767 ms

17  * * *

18  66.102.253.230 (66.102.253.230)  100.221 ms  96.758 ms

    66.102.253.218 (66.102.253.218)  96.183 ms

19  43.229.53.61 (43.229.53.61)  100.043 ms  96.639 ms  93.737 ms

I had the exact same problem, it would show that my opendirectoryd process was running at like 800% or something ridiculously higher than the 100% I thought you could total. This thread saved me and turning it off, definitely brought everything back to normal.  It was so bogged down that I could barely even navigate a webpage in Safari.  I went ahead and deleted my port 22 firewall exception since I sometimes do SSH into my computer, and set one up for port 23.  I then added port 23 as an additional port.  My problem seems solved now until these crazy attacks find me on the new port.  I wonder why this never happened on Yosemite or Mavericks and is suddenly starting to happen to us in El Capitan.  It makes me wonder..

I also had this problem with OS X El Capitan 10.11.6, but none of the answers here helped. Nor was it a bot trying to remotely log in, my ssh access was turned off. opendirectoryd was only causing problems when my wifi was on and dropbox was running. It turned out to be a bunch of broken symlinks within Dropbox.

This described the problem, but I found the solution difficult to follow:

http://superuser.com/questions/350879/opendirectoryd-consumes-40-of-cpu

Here has the solution:

http://www.commandlinefu.com/commands/view/2369/find-broken-symlinks-and-delete- them

In a nutshell, first check if you have broken symlinks by typing the command:

find ~/Dropbox/ -type l -print0 | xargs -0 file | grep broken

or more simply

find -L ~/Dropbox -type l

Then remove them one by one with this command:

find -L ~/Dropbox -type l -exec rm -i {} +

or all at once with this command:

find -L ~/Dropbox -type l -delete