Created attachment 334144
emerge --info

There is a bug in sys-auth/nss_ldap that causes LDAP lookups to terminate before all entries are read.

By default, nss_ldap uses the setting

    nss_connect_policy persist

which means that clients keep their connections to the LDAP server open until they terminate. This causes a lot of open connections on the LDAP server which may exhaust resources on the server and lead to a denial of service.

According to the documentation in /etc/ldap.conf, this option can be changed to

    nss_connect_policy oneshot

In this case, clients are supposed to close their connection to the LDAP server after each request. However, there is a bug in nss_ldap that causes the connection to be dropped prematurely.

This bug has been reported upstream but is still open. https://bugzilla.redhat.com/show_bug.cgi?id=488857 has a review of the issues http://bugzilla.padl.com/show_bug.cgi?id=322, http://bugzilla.padl.com/show_bug.cgi?id=350, http://bugzilla.padl.com/show_bug.cgi?id=375.

It seems that only http://bugzilla.padl.com/show_bug.cgi?id=350 has been fixed by upstream, while http://bugzilla.padl.com/show_bug.cgi?id=322 and http://bugzilla.padl.com/show_bug.cgi?id=375 propose concurrent solutions to the problem of premature closing of connections.

I can confirm that the patch from http://bugzilla.padl.com/show_bug.cgi?id=322 applies to sys-auth/nss_ldap-265-r1 (current stable) and seems to solve the problem.
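
A server-side check for the connection build-up described in the report above, as an added example that is not part of the original report or of nss_ldap: it counts established connections to the LDAP ports per client from `ss -tn` output. The sample output, the addresses and the limit of 2 are constructed for illustration.

```python
from collections import Counter

LDAP_PORTS = {"389", "636"}  # standard LDAP and LDAPS ports

# Constructed sample of `ss -tn` output as it might look on an LDAP server.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.0.2.10:389       192.0.2.21:51514
ESTAB  0      0      192.0.2.10:389       192.0.2.21:51520
ESTAB  0      0      192.0.2.10:389       192.0.2.21:51533
ESTAB  0      0      192.0.2.10:389       192.0.2.22:40110
TIME-WAIT 0   0      192.0.2.10:389       192.0.2.23:40200
ESTAB  0      0      192.0.2.10:22        192.0.2.21:50022
ESTAB  0      0      [2001:db8::10]:636   [2001:db8::21]:41000
"""


def split_endpoint(endpoint):
    """Split 'addr:port' (IPv6 address in brackets) into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def ldap_connections_per_client(ss_output, ports=LDAP_PORTS):
    """Count ESTAB connections to the local LDAP ports, keyed by client address."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header, other TCP states, or malformed line
        _, local_port = split_endpoint(fields[3])
        peer_addr, _ = split_endpoint(fields[4])
        if local_port in ports:
            counts[peer_addr] += 1
    return counts


def clients_over_limit(counts, limit):
    """Return (client, count) pairs above `limit`, busiest first."""
    return [(c, n) for c, n in counts.most_common() if n > limit]


if __name__ == "__main__":
    counts = ldap_connections_per_client(SAMPLE_SS)
    for client, n in clients_over_limit(counts, limit=2):
        print(f"{client} holds {n} LDAP connections")
```

On a live server, feed the function the output of `ss -tn` and pick a limit that matches the number of long-running processes expected per client.
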
fixed in r3