LDAPS Auth very slow in Moodle

I have a moodle-installation that uses LDAPS auth which is very slow or does not work at all. It is debian 12, apache2.4, moodle4.1 and php7.4.

I had a test installation where things were just fine, I compared the configs and there is not much difference.

Here is what I found in my error logs but I have still no clue why it is that slow:

Bind result: ''\n Debug: \nError code: auth_ldap_noconnect_all\n* line 1997 of /auth/ldap/auth.php: moodle_exception thrown\n* line 1074 of /auth/ldap/auth.php: call to auth_plugin_ldap->ldap_connect()\n* line 1802 of /auth/ldap/auth.php: call to auth_plugin_ldap->is_role()\n* line 4513 of /lib/moodlelib.php: call to auth_plugin_ldap->sync_roles()\n* line 154 of /login/index.php: call to authenticate_user_login()\n'

AH01071: Got error 'PHP message: Default exception handler: Das LDAP-Modul kann keine Serververbindung herstellen: Server: 'ldaps://my-domain.de:10636', Bind result: ''\n Debug: \nError code: auth_ldap_noconnect_all\n* line 1997 of /auth/ldap/auth.php: moodle_exception thrown\n* line 1074 of /auth/ldap/auth.php: call to auth_plugin_ldap->ldap_connect()\n* line 1802 of /auth/ldap/auth.php: call to auth_plugin_ldap->is_role()\n* line 4513 of /lib/moodlelib.php: call to auth_plugin_ldap->sync_roles()\n* line 154 of /login/index.php: call to authenticate_user_login()\n', referer: https://www.my-domain.de/moodle/login/index.php

ldapsearch run on the server also works slow sometimes (times vary)

any hint that leads to finding a solution is appreciated.

If you're LDAP service is occassionally responding with RST (Connection Reset), then a likely cause is that your TCP listen backlog for the listening socket is too low, OR your LDAP server is too unresponsive and worker threads are not responding fast enough to pick up new connections.

I recently experienced an issue with 389 Directory Server (aka Fedora Directory Server) where the worker-threads were kept too busy in production because of frequent long-running searches (for synchronisation jobs). The pool of worker threads is sized automatically based on the number of CPU cores available. If there are no worker threads available at the time, then new operations/connections have to wait.

If you are using custom attributes for your ldap filters, make sure their are indexes created of the appropriate type. Your LDAP access logs may contain some warning for unindexed queries.

Comparing to ldapsearch, one point of difference may be whether Moodle is doing connection pooling... I'm not familiar enough with Moodle or PHP to know what to expect there.

Make sure your ldapsearch query is exactly the same as what Moodle is doing.

If you want more assistance, it will be very useful to know which LDAP service you are using.

The problem is either the performance of the LDAP server or the connection between the moodle host and the LDAP host. As it states: The connection could not be established.

Potentially, there are a lot of requests against the LDAP server. The server may not be able to serve all of those connections and thus, some connections may time out with the shown error.

You could try to replicate the relevant tree of the LDAP into an LDAP instance running on the moodle server and authenticate against that server. Optionally, try to find out if there is some caching mechanism available of offload the connection.