Bug 449940 - sys-auth/nss_ldap misses entries with nss_connect_policy oneshot

Summary: sys-auth/nss_ldap misses entries with nss_connect_policy oneshot
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo LDAP project
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
Reported: 2013-01-03 08:10 UTC by Volkmar Glauche
Modified: 2014-02-17 05:41 UTC
See Also:
Package list:
Runtime testing required: ---

Attachments
emerge --info (emerge.info, 6.35 KB, text/plain), 2013-01-03 08:10 UTC, Volkmar Glauche

Description Volkmar Glauche 2013-01-03 08:10:26 UTC
Created attachment 334144
emerge --info

There is a bug in sys-auth/nss_ldap that causes LDAP lookups to terminate before all entries are read. By default, nss_ldap uses the setting

nss_connect_policy persist

which means that clients keep their connections to the LDAP server open until they terminate. This causes a lot of open connections on the LDAP server which may exhaust resources on the server and lead to a denial of service.

According to the documentation in /etc/ldap.conf, this option can be changed to

nss_connect_policy oneshot

In this case, clients are supposed to close their connection to the LDAP server after each request. However, there is a bug in nss_ldap that causes the connection to be dropped prematurely. This bug has been reported upstream but is still open.

https://bugzilla.redhat.com/show_bug.cgi?id=488857 has a review of the issues http://bugzilla.padl.com/show_bug.cgi?id=322, http://bugzilla.padl.com/show_bug.cgi?id=350 and http://bugzilla.padl.com/show_bug.cgi?id=375. It seems that only http://bugzilla.padl.com/show_bug.cgi?id=350 has been fixed by upstream, while http://bugzilla.padl.com/show_bug.cgi?id=322 and http://bugzilla.padl.com/show_bug.cgi?id=375 propose concurrent solutions to the problem of premature closing of connections.

I can confirm that the patch from http://bugzilla.padl.com/show_bug.cgi?id=322 applies to sys-auth/nss_ldap-265-r1 (current stable) and seems to solve the problem.
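The report above describes two things an administrator has to check on an affected host: which nss_connect_policy is in effect (persist by default, oneshot if set in /etc/ldap.conf) and whether an NSS enumeration actually returned every account the directory holds, since the oneshot bug silently truncates lookups. The following script is an added example written for this page; it is not code from the bug report, from nss_ldap or from Gentoo. It assumes ldap.conf is a sequence of "key value" lines with "#" comment lines, that nss_ldap matches keys case-insensitively, and that the default policy when the key is absent is persist, as the report states. All inputs are constructed samples; on a real host you would feed it the contents of /etc/ldap.conf, the output of `getent passwd`, and the LDIF printed by `ldapsearch` for the posixAccount entries under your base.

```python
"""Audit nss_ldap's connect policy and check NSS enumeration completeness.

Added example for Gentoo bug 449940; not part of nss_ldap or the report.
"""
import base64

# Assumption (matches the bug report): nss_ldap falls back to 'persist'
# when nss_connect_policy is not set in /etc/ldap.conf.
DEFAULT_CONNECT_POLICY = "persist"


def parse_ldap_conf(text):
    """Parse nss_ldap-style ldap.conf text into {key: value}.

    Each setting is 'key value' on one line; lines whose first non-blank
    character is '#' are comments. Keys are lower-cased here (assumption:
    nss_ldap matches them case-insensitively). A repeated key keeps its
    last value.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def connect_policy(conf_text):
    """Effective nss_connect_policy: the configured value or the default."""
    settings = parse_ldap_conf(conf_text)
    return settings.get("nss_connect_policy", DEFAULT_CONNECT_POLICY).lower()


def parse_getent_passwd(text):
    """Usernames from 'getent passwd' output (first colon-separated field)."""
    return {line.split(":", 1)[0] for line in text.splitlines() if line.strip()}


def parse_ldapsearch_uids(ldif_text):
    """uid attribute values from ldapsearch LDIF output.

    Handles both 'uid: alice' and base64-encoded 'uid:: YWxpY2U='. DN lines
    ('dn: uid=alice,...') start with 'dn:' and are therefore skipped.
    """
    uids = set()
    for line in ldif_text.splitlines():
        if line.startswith("uid::"):
            uids.add(base64.b64decode(line[5:].strip()).decode())
        elif line.startswith("uid:"):
            uids.add(line[4:].strip())
    return uids


def missing_entries(directory_uids, nss_users):
    """Directory accounts that an NSS enumeration failed to return.

    Local /etc/passwd users (root, daemon, ...) only appear on the NSS side
    and are ignored by this set difference.
    """
    return sorted(directory_uids - nss_users)


# Constructed sample inputs; the host and base are placeholders, not real.
SAMPLE_LDAP_CONF = """\
# constructed sample ldap.conf
uri ldap://ldap.example.invalid
base dc=example,dc=invalid
nss_connect_policy oneshot
"""

SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
alice:x:10001:100:Alice:/home/alice:/bin/bash
bob:x:10002:100:Bob:/home/bob:/bin/bash
"""

# Three accounts in the directory; the constructed getent output above
# is missing 'carol', which is the symptom the bug report describes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=invalid
uid: alice

dn: uid=bob,ou=People,dc=example,dc=invalid
uid:: Ym9i

dn: uid=carol,ou=People,dc=example,dc=invalid
uid: carol
"""


if __name__ == "__main__":
    print("nss_connect_policy:", connect_policy(SAMPLE_LDAP_CONF))
    gap = missing_entries(parse_ldapsearch_uids(SAMPLE_LDIF),
                          parse_getent_passwd(SAMPLE_GETENT))
    print("directory accounts missing from NSS enumeration:", gap)
```

With the constructed inputs the script reports policy oneshot and one account (carol) that the enumeration dropped. A non-empty result on a host that is configured with oneshot and still runs an unpatched nss_ldap is the signature of this bug; an empty result with persist only tells you the client keeps a long-lived connection open, which is the server-side resource concern the report raises.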
Comment 1 Matthew Thode (prometheanfire) 2014-02-17 05:41:25 UTC
fixed in r3