Enterprise Server currently sets two types of timeouts for libldap, LDAP_OPT_TIMELIMIT and LDAP_OPT_NETWORK_TIMEOUT.

Turns out there's a third timeout parameter in libldap which is used to determine how long to synchronously wait for asynchronous operations to finish. We use a synchronous authentication command, while apparently calls the async version under the hood, then calls ldap_result.

The internal code sets the timeout to NULL which results in an indefinite timeout for the password verification connection, resulting in the session accumulation in the server.