It may also be observed that slapd has a large number of file descriptors in use and that the failures coincide with the descriptor count reaching a particular limit (e.g. 256 or 1024, depending on the open-file limit of the slapd process).
result: 52 Server is unavailable cdcSessionOpen: Failed to communicate with adclient due to broken session handle
Cause:
This behavior is not caused by LDAP Proxy itself, but by a client utilizing the service. As an example, the issue can be reproduced with a web application that authenticates through LDAP Proxy with an authentication TTL of roughly 15 seconds. Such a short TTL causes the client to open connections at a high rate and leave them open, so file descriptors (FDs) and idle network sockets accumulate on the slapd side. Normally this is not a problem, because slapd gradually closes sockets that have been idle for a specific amount of time. In this scenario, however, slapd cannot close idle sockets as fast as new ones are opened and abandoned, so the descriptor limit is reached quickly and the errors above are observed.
Workaround/Resolution:
Options:
1) Modify /etc/centrifydc/openldap/slapd.conf to add/modify the following parameter:
idletimeout 16
With this setting slapd checks for idle connections every 4 seconds (idletimeout/4) and closes any connection that has been idle for longer than 16 seconds. The value may be adjusted to suit your environment; note that a value shorter than the interval at which the client reuses a connection will close sessions the client still expects to be open, which surfaces on the client as a dropped connection rather than as the descriptor error above.
OR
2) Adjust the client application to use a lower TTL. Using the example from above, lowering the web application's authentication TTL to approximately 5 seconds alleviated the issue. The exact change varies significantly depending on the client type.
OR
3) Increase the file descriptor soft/hard limits for the slapd process or system-wide. Keep the per-process limit below the machine's overall maximum (fs.file-max on Linux). This only raises the ceiling: if the client keeps leaving sockets open, the higher limit will eventually be reached as well, so it is best combined with option 1 or 2.
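The following shell helper is an added example for checking the condition described under Cause and for verifying options 1 and 3; it is not part of Centrify LDAP Proxy or OpenLDAP. It assumes Linux with /proc, a single slapd process, and the slapd.conf path named in option 1. The limits text and slapd.conf excerpts embedded in it are constructed samples so the parsing helpers can be exercised without a live server.

```shell
#!/bin/sh
# Added diagnostic helper for the slapd descriptor-exhaustion scenario above.
# Not part of Centrify LDAP Proxy or OpenLDAP. Assumes Linux with /proc, a
# single slapd process, and the config path below (taken from option 1).

SLAPD_CONF="/etc/centrifydc/openldap/slapd.conf"

# Print the idletimeout value found in slapd.conf text read from stdin.
# Prints 0 when the directive is absent (OpenLDAP's default, which never
# closes idle connections); that is the condition option 1 changes.
slapd_idletimeout() {
    awk 'BEGIN { v = 0 }
         /^[[:space:]]*idletimeout[[:space:]]+[0-9]+/ { v = $2 }
         END { print v }'
}

# Print the soft "Max open files" limit from /proc/<pid>/limits text on stdin.
nofile_soft_limit() {
    awk '/^Max open files/ { print $4 }'
}

# Integer percentage of the descriptor limit currently in use.
fd_usage_percent() {
    used="$1"; limit="$2"
    [ "$limit" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( used * 100 / limit ))
}

# Number of descriptors a PID currently holds open.
fd_count_for_pid() {
    ls "/proc/$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# Established TCP sessions on the LDAP/LDAPS ports, i.e. the sockets the
# client leaves open. Uses ss, falling back to netstat.
ldap_established_sessions() {
    if command -v ss >/dev/null 2>&1; then
        ss -tn state established '( sport = :389 or sport = :636 )' 2>/dev/null \
            | tail -n +2 | wc -l | tr -d ' '
    else
        netstat -tan 2>/dev/null \
            | awk '$6 == "ESTABLISHED" && $4 ~ /:(389|636)$/' | wc -l | tr -d ' '
    fi
}

# Constructed samples (not captured from a real system) for offline use.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files'
SAMPLE_CONF_FIXED='# constructed slapd.conf excerpt after applying option 1
idletimeout 16'
SAMPLE_CONF_DEFAULT='# constructed slapd.conf excerpt with no idletimeout directive
# (nothing else relevant here)'

# Live check: report descriptor usage against the soft limit, the number of
# established LDAP sessions, and whether idletimeout is configured.
# Returns 2 at or above 80% usage so it can drive cron or monitoring alerts.
check_slapd() {
    pid=$(pidof slapd 2>/dev/null || true)
    pid=${pid%% *}
    if [ -z "$pid" ]; then
        echo "slapd is not running; nothing to check"
        return 1
    fi
    limit=$(nofile_soft_limit < "/proc/$pid/limits")
    used=$(fd_count_for_pid "$pid")
    pct=$(fd_usage_percent "$used" "$limit")
    timeout=0
    [ -r "$SLAPD_CONF" ] && timeout=$(slapd_idletimeout < "$SLAPD_CONF")
    echo "slapd pid=$pid fds=$used soft_limit=$limit usage=${pct}% ldap_sessions=$(ldap_established_sessions) idletimeout=$timeout"
    if [ "$pct" -ge 80 ]; then
        echo "WARNING: near the descriptor limit; set idletimeout in $SLAPD_CONF, lower the client auth TTL, or raise the limit"
        return 2
    fi
    return 0
}
```

Run `check_slapd` while the client is under load: a steadily rising fds count alongside a growing ldap_sessions count and idletimeout=0 is the signature of the cause above. After applying option 1 the session count should stop growing once connections idle past the configured value; after option 3 the soft_limit figure should reflect the new limit for the running process (limits are read at process start, so slapd must be restarted for a change to apply).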