From time to time it happens that locking objects are left over. Especially many were observed during support work in school environments. It could be that the S4-Connector has part in it, but that is not clear yet. In one case, a customer had over 205000 left over temporary objects. Those were copied to each server during the initial join process. After deleting all of those objects, the join was 4-5 hours faster than before. We should examine how and why this happens, but most importantly enable the customer to clean those up safely. I could imagine a diagnostic check with a "fix me" button that cleans up all locking objects that are older than a day or so. Unfortunately the lockTime attribute does not have the appropriate matching rule to search for a timestring older/eq a certain value. I had to use createTimestamp instead.
Bug #41711 contains a lot of related problems in the bugs marked as duplicate.
In the meantime, we do not replicate lock objects during join. Reducing the impact.
We could also extend the locking objects with: > objectClass: dynamicObject > entryTtl: 172800 # or whatever. when "dds" overlay is activated. This will automatically remove the objects after that amount of time. slapd.conf Configuration: > moduleload dds > overlay dds > dds-max-ttl 31536000 > dds-min-ttl 86400 > dds-default-ttl 604800