By default the LDAP clauses, except <AuthBy LDAPRADIUS>, disconnect from the LDAP server after each authentication. This is because not all LDAP servers permit multiple searches over the same LDAP connection.
HoldServerConnection keeps the connection to the LDAP server open for as long as possible. It is an optional parameter and is available for <AuthBy LDAP2> and <AuthBy LDAPDIGIPASS>. Most LDAP servers support this behaviour, and it can significantly improve performance, especially where UseTLS or UseSSL is enabled, since the TLS handshake is then not repeated for every authentication. If you enable this parameter and get unwanted behaviour, you are probably using an LDAP server that does not support it. In this case, remove this parameter.
Here is an example of using HoldServerConnection:
# Our server supports multiple searches
HoldServerConnection
Note
In some cases, using HoldServerConnection together with ServerChecksPassword in <AuthBy LDAP2> may cause authentication failures. This is due to the behaviour of some LDAP servers when a password check fails but the connection is not closed. A failure may also occur when the password check succeeds but the user is not allowed to perform searches on the server. If your users experience unexpected authentication failures, try testing your system without using these two parameters together.
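The following <AuthBy LDAP2> fragment is an added illustration, not taken from the Radiator manual: it holds a TLS-protected connection open and checks the password from a fetched attribute, avoiding the HoldServerConnection plus ServerChecksPassword combination described in the note above. Host, DNs and credentials are constructed placeholders, and the parameters other than HoldServerConnection, UseTLS and ServerChecksPassword are assumed to be the standard <AuthBy LDAP2> parameters.

```conf
# Added example; not part of the Radiator manual. Host, DNs and the
# password are constructed placeholders.
<AuthBy LDAP2>
    Host            ldap.example.com
    UseTLS
    # Hold the TLS-protected connection open across authentications so the
    # handshake is not repeated for every request.
    HoldServerConnection
    BaseDN          ou=people,dc=example,dc=com
    AuthDN          cn=radiator,ou=services,dc=example,dc=com
    AuthPassword    CONSTRUCTED-PLACEHOLDER-PASSWORD
    UsernameAttr    uid
    # The password is fetched and checked by Radiator itself, so
    # ServerChecksPassword is deliberately not set here; see the note above
    # about combining it with HoldServerConnection.
    PasswordAttr    userPassword
</AuthBy>
```

If failures still appear with the connection held open, remove HoldServerConnection first, as the text recommends, before changing the password-checking method.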