Jackrabbit Oak / OAK-8890

LDAP login may fail if a server or intermediate silently drops connections


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.30.0
    • Component/s: auth-ldap
    • Labels: None

    Description

      This has been seen on production systems with Oak 1.10.2, where a firewall was configured to drop idle connections after a timeout without sending an RST (for security reasons). When this happens, the connection pool used by the LdapPrincipalProvider will still consider these connections healthy. Eventually such a connection will be used for an actual LDAP BIND/SEARCH, which will simply time out.
      The connection pool is an instance of org.apache.commons.pool.impl.GenericObjectPool, which has configuration options to deal with the scenario (namely running an eviction task which will properly close idle connections after a timeout which is shorter than the timeout interval used by the firewall).
      The creation of the connection pool used is hard-coded and most of the configuration options are not available.
      I propose to change that. I'll supply a patch soon.
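The eviction setup the report describes, as an added example that is neither Oak's code nor the attached patch. It assumes commons-pool 1.6 (the generic org.apache.commons.pool.impl.GenericObjectPool that the description names); FakeLdapConnection, Factory, the timings and the firewall behaviour are constructed for the demonstration, and the silent drop is simulated by a flag because a drop without RST leaves no trace on the local socket. The two scenarios show the stale connection being handed out when the evictor is off, and a fresh one being created when the pool's idle limit is shorter than the firewall's.

```java
import org.apache.commons.pool.BasePoolableObjectFactory;
import org.apache.commons.pool.impl.GenericObjectPool;

/*
 * Added example, not Oak code. Shows the GenericObjectPool (commons-pool 1.6)
 * eviction settings that close idle connections before a firewall silently
 * drops them. Connection, factory and timings are constructed for the demo.
 */
public class IdleEvictionDemo {

    /** Constructed stand-in for an LDAP connection. */
    static final class FakeLdapConnection {
        final int id;
        volatile boolean dropped;  // firewall discarded its state; socket still looks open locally
        volatile boolean closed;   // closed by the pool via destroyObject

        FakeLdapConnection(int id) { this.id = id; }

        /** A BIND/SEARCH on a dropped connection would block until the socket timeout. */
        String search() {
            if (dropped) {
                throw new IllegalStateException("conn#" + id + ": request hangs, dropped without RST");
            }
            return "result from conn#" + id;
        }
    }

    /** Creates, destroys and validates pooled connections. */
    static final class Factory extends BasePoolableObjectFactory<FakeLdapConnection> {
        private int created;

        @Override public synchronized FakeLdapConnection makeObject() {
            return new FakeLdapConnection(++created);
        }
        @Override public void destroyObject(FakeLdapConnection c) { c.closed = true; }
        /** Local check only: a connection dropped without RST still passes this. */
        @Override public boolean validateObject(FakeLdapConnection c) { return !c.closed; }
    }

    /**
     * maxIdleMillis must be shorter than the firewall's idle timeout so the pool
     * closes the connection first. maxIdleMillis <= 0 leaves the evictor off,
     * which is GenericObjectPool's default (timeBetweenEvictionRunsMillis = -1).
     */
    static GenericObjectPool<FakeLdapConnection> newPool(Factory f, long maxIdleMillis) {
        GenericObjectPool<FakeLdapConnection> pool = new GenericObjectPool<FakeLdapConnection>(f);
        pool.setMaxActive(8);
        pool.setMaxIdle(8);
        if (maxIdleMillis > 0) {
            pool.setTestWhileIdle(true);
            pool.setNumTestsPerEvictionRun(-1);                  // inspect every idle object per run
            pool.setMinEvictableIdleTimeMillis(maxIdleMillis);
            pool.setTimeBetweenEvictionRunsMillis(Math.max(1, maxIdleMillis / 2)); // > 0 starts the evictor
        }
        return pool;
    }

    /** Lets one connection sit idle past the firewall's limit, then borrows as a BIND/SEARCH would. */
    static void scenario(String label, long firewallIdleMillis, long poolIdleMillis) throws Exception {
        Factory f = new Factory();
        GenericObjectPool<FakeLdapConnection> pool = newPool(f, poolIdleMillis);
        FakeLdapConnection first = pool.borrowObject();
        pool.returnObject(first);                        // now idle in the pool
        Thread.sleep(firewallIdleMillis + 100);          // idle longer than the firewall allows
        if (!first.closed) {
            first.dropped = true;                        // firewall won: state discarded, no RST sent
        }
        FakeLdapConnection next = pool.borrowObject();
        try {
            System.out.println(label + ": " + next.search());
        } catch (IllegalStateException e) {
            System.out.println(label + ": " + e.getMessage());
        } finally {
            pool.returnObject(next);
            pool.close();
        }
    }

    public static void main(String[] args) throws Exception {
        long firewallIdleMillis = 300;  // constructed: firewall drops flows idle longer than this
        scenario("no eviction      ", firewallIdleMillis, 0);   // hands out conn#1, which hangs
        scenario("evict after 100ms", firewallIdleMillis, 100); // conn#1 closed, fresh conn#2 works
    }
}
```

Two practical points follow from this. The pool's minEvictableIdleTimeMillis has to be chosen below the firewall's idle timeout, which is a deployment fact, not something the pool can detect; and a validateObject that only inspects local state cannot catch a drop without RST, while one that does a real round trip on borrow would only discover it after blocking for the socket timeout, the same delay the report is trying to avoid.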

      Attachments

        1. OAK-8890.patch (31 kB), Manfred Baedke


          People

            Assignee: Manfred Baedke
            Reporter: Manfred Baedke
            Votes: 0
            Watchers: 2
