If the LDAP connection dies for some reason (the LDAP server restarting, etc.), the broker will continue to attempt to use the old connection for authorization, resulting in all attempts to use the broker being denied.
In CachedLDAPAuthorizationMap.java, the open() function just returns the context if one exists. Instead, it should check whether the context is still valid and, if it is not, create a new one.
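One way to implement the validity check proposed above, as an added sketch that is not the ActiveMQ code: the class name ValidatingLdapConnection, the env field and the isAlive() helper are hypothetical, and only standard JNDI calls are used. If the reconnect fails, open() throws, so authorization still fails closed until the server is reachable again.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.NamingException;
import javax.naming.ServiceUnavailableException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical holder (not the ActiveMQ class): caches a DirContext but probes it before reuse. */
public class ValidatingLdapConnection {
    private final Hashtable<String, Object> env; // JNDI environment: provider URL, credentials, ...
    private DirContext context;

    public ValidatingLdapConnection(Hashtable<String, Object> env) {
        this.env = env;
    }

    /** Returns a live context, reconnecting when the cached one no longer reaches the server. */
    public synchronized DirContext open() throws NamingException {
        if (context != null && isAlive(context)) {
            return context;
        }
        close();                               // drop the dead handle before replacing it
        context = new InitialDirContext(env);  // throws if the server is still down
        return context;
    }

    /** One cheap round trip: read objectClass of the entry the context is bound to. */
    private static boolean isAlive(DirContext ctx) {
        try {
            ctx.getAttributes("", new String[] {"objectClass"});
            return true;
        } catch (CommunicationException | ServiceUnavailableException e) {
            return false;                      // transport is gone: reconnect
        } catch (NamingException e) {
            return true;                       // server answered (e.g. no permission): link is up
        }
    }

    public synchronized void close() {
        if (context != null) {
            try {
                context.close();
            } catch (NamingException ignored) {
                // closing an already-broken connection may fail; nothing to recover
            }
            context = null;
        }
    }
}
```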
Alternatively, the caching of the LDAP connection can be removed entirely, and then in the refreshInterval > 0 case, a new LDAP connection will be made each refresh interval (default setting: every 5 minutes).
i.e. delete these lines:
if (context != null)