mod_ldap currently distinguishes between very few LDAP return codes and only retries when LDAP_SERVER_DOWN (or LDAP_UNAVAILABLE using MS SDK) imply that the backend connection has gone sour since its last use. Some return codes, such as LDAP_UNAVAILABLE or LDAP_BUSY, could do a better job of retrying (with delay?). It's unclear what combination of events, servers, and SDKs cause these various return codes to be generated, returned, or masked. See the discussion in: http://issues.apache.org/bugzilla/show_bug.cgi?id=39095 (ignoring the LDAP_UNAVAILABLE-on-MSSDK issue)
I have this problem too: The LDAP server I have to authenticate against seems to have limits regarding how often a user can try to authenticate, and if it does not want, it returns this error:

[Tue Feb 28 14:46:53 2012] [info] [client 10.3.1.66] [12698] auth_ldap authenticate: user philipp authentication failed; URI /svn/ [LDAP: ldap_simple_bind_s() failed][Administrative limit exceeded]

I would like to be able to configure that Apache does up to 5 retries, each after 3 seconds, to authenticate in those cases.
This is possible in 2.4.1 with LDAPRetries and LDAPRetryDelay, but the documentation is still lacking.
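As an added illustration of the two 2.4 directives named in the comment above (this is not configuration from the thread or from the httpd project's documentation), here is how the earlier request of "up to 5 retries, each after 3 seconds" maps onto them. The LDAP host, base DN and attribute are placeholders; the /svn/ path comes from the quoted log line. LDAPRetries and LDAPRetryDelay are server-wide settings, so they sit outside any Location block, and both mod_ldap and mod_authnz_ldap must be loaded.

```apache
# Added example: mod_ldap connection-retry settings (httpd 2.4.1 or later).
# Defaults are LDAPRetries 3 and LDAPRetryDelay 0, i.e. three attempts
# with no pause between them.
LDAPRetries    5
LDAPRetryDelay 3

# Placeholder values below; replace the host, base DN and attribute.
<Location "/svn/">
    AuthType          Basic
    AuthName          "Subversion"
    AuthBasicProvider ldap
    AuthLDAPURL       "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=*)"
    Require           valid-user
</Location>
```

One caveat a practitioner should keep in mind: the retry loop only fires for result codes that mod_ldap treats as a lost backend connection, and which codes those are is exactly the open question in the first comment. Whether a bind that fails with "Administrative limit exceeded" is retried at all, rather than simply reported as a failed authentication, should therefore be confirmed against the server's own error log (at LogLevel info or debug) before relying on the delay to smooth over that limit.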