
SASL/SSL intermittent bind problem



I have a Red Hat 7.1 system configured as a Kerberos and LDAP server
using the RPMs provided by Red Hat.  Thus OpenLDAP 2.0.11.

I have a problem where binds using SASL (as opposed to simple auth)
occasionally fail.  This (simple auth, SSL or not) always works:

ldapsearch -H ldap:/// -x -b "" -s base -LLL supportedSASLMechanisms

This (SASL, no SSL) fails about once every 20 times:

ldapsearch -H ldap:/// -b "" -s base -LLL supportedSASLMechanisms

This (SASL, SSL) fails almost all of the time:

ldapsearch -H ldaps:/// -b "" -s base -LLL supportedSASLMechanisms

The failure is reported by ldapsearch as:

ldap_result: Can't contact LDAP server

slapd -d 1 shows the following when the failure occurs:

ber_get_next
ber_get_next on fd 8 failed errno=34 (Numerical result out of range)

(Forgive me if I'm not including enough to be useful, I'll be glad to
send additional output to anyone.)

Interestingly, all of the times that it _doesn't_ fail, I see this
several times in the slapd output:

ber_get_next
ber_get_next on fd 8 failed errno=11 (Resource temporarily unavailable)

ber_get_next then seems to try again and go on its merry way.  I see
none of those when it does fail.  ber_get_next always seems to succeed
up until the errno=34 failure.

Searching the mailing list, I found a couple of references to similar
problems with the suggestion to add a sockbuf_max_incoming entry to
my slapd.conf.  I've tried a couple of values for that, up to the
current entry:

sockbuf_max_incoming    1048576

with no noticeable change.

Does anyone have any suggestions?

Thanks,

Jason