Reputation: 686
I have OpenLDAP 2.4.44 running on an Oracle Linux 7.9 server. I have multiple WebLogic 12c plus OSB installations on different machines, all on the same LAN. There is a physical firewall, so firewalld is disabled on all machines, as is SELinux.
On all WL machines, I changed the default authenticator to "Sufficient" and added an OpenLDAP authenticator, marked "Sufficient" as well. Created and tested groups, etc. I can log in to console, em and servicebus using users defined in LDAP. Roles and so on are configured for groups. This has been working without any issues for a couple of years.
For the past month, the WL servers seem to be facing some issue with LDAP group membership.
If I log in using the built-in "weblogic" user, everything works. But if I log in to console, em or servicebus using a user from LDAP, the screen keeps spinning for a while without going further. A message is shown immediately for a wrong password, but a correct password just spins.
I have an OSB REST service which is marked to require basic authentication. Within the service I replace the body by passing $inbound/ctx:security/ctx:transportClient/ctx:principals to a transformation XQuery:
```xquery
(: OSB message-context namespace, needed for ctx:group below :)
declare namespace ctx = "http://www.bea.com/wli/sb/context";
(: namespace of the response document built below :)
declare namespace ns1 = "http://TargetNamespace.com/UsersProxy_CheckUserCredentials_response";

declare variable $statusCode as xs:integer external;
declare variable $statusDescription as xs:string external;
(: bound to $inbound/ctx:security/ctx:transportClient/ctx:principals :)
declare variable $data external;

declare function local:func($statusCode as xs:integer, $statusDescription as xs:string, $data) as element()
(:: schema-element(ns1:CheckUserCredentials-ProxyResponse-Root-Element) ::) {
    <ns1:CheckUserCredentials-ProxyResponse-Root-Element
        xmlns:ns1="http://TargetNamespace.com/UsersProxy_CheckUserCredentials_response">
        <ns1:statusCode>{fn:data($statusCode)}</ns1:statusCode>
        <ns1:statusDescription>{fn:data($statusDescription)}</ns1:statusDescription>
        {
            (: one ns1:data element per group principal of the authenticated transport client :)
            for $grp in $data/ctx:group
            return <ns1:data>
                <ns1:group>{fn:data($grp)}</ns1:group>
            </ns1:data>
        }
    </ns1:CheckUserCredentials-ProxyResponse-Root-Element>
};

local:func($statusCode, $statusDescription, $data)
```
This returns all the groups/roles that the user belongs to.
As with the console et al., this service stops responding.
The issue is not permanent; everything works fine for a while, then everything stops, and a few minutes later it starts working again.
While the issue is present, if I run ldapsearch from any of the servers, it works fine.
How do I determine what is causing these intermittent failures?
Upvotes: 0
Views: 36
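One way to turn the "ldapsearch works while the console hangs" observation into evidence is to run a timed bind probe from each WebLogic host at a fixed interval and log the latency and result code next to a timestamp, so a stall can be correlated with (or ruled out of) the directory. The script below is an added example, not code from the question or from OpenLDAP or WebLogic; it hand-encodes an LDAPv3 simple BindRequest (RFC 4511, BER) over a plain TCP socket so it needs no client library. The host name, port 389 without TLS, the bind DN and the LDAP_PROBE_PW environment variable are placeholders; use a dedicated low-privilege probe account (or an anonymous bind with empty DN and password, if the server allows it) rather than a real user's credentials, since the password crosses the wire in clear on port 389. If the probe stays fast through an outage, the next thing to capture is a thread dump of the hanging WebLogic server (jstack) to see what the request threads are blocked on.

```python
"""Timed LDAP simple-bind probe (added example; host/DN/port are placeholders)."""
import os
import socket
import sys
import time

LDAP_RESULT = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
               51: "busy", 52: "unavailable", 53: "unwillingToPerform"}


def ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, body):
    """Tag-length-value wrapper."""
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(n):
    """INTEGER, minimal two's-complement encoding (non-negative values only)."""
    return ber(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def bind_request(msgid, dn, password):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, dn, simple [0] pw } }."""
    op = ber_int(3) + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber_int(msgid) + ber(0x60, op))


def _read_tlv(buf, pos):
    """Decode one TLV header at pos; return (tag, value, position after the value)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _complete(buf):
    """True once buf holds the whole outer LDAPMessage announced by its header."""
    return len(buf) >= 4 and _read_tlv(buf, 0)[2] <= len(buf)


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msgid_b, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:  # [APPLICATION 1] BindResponse; anything else is unexpected here
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, rc_b, pos = _read_tlv(op, 0)        # ENUMERATED resultCode
    _, _matched, pos = _read_tlv(op, pos)  # matchedDN (ignored)
    _, diag, _ = _read_tlv(op, pos)        # diagnosticMessage
    return (int.from_bytes(msgid_b, "big"), int.from_bytes(rc_b, "big"),
            diag.decode("utf-8", "replace"))


def probe(host, port, dn, password, timeout=5.0):
    """One timed bind; returns {'ms', 'result', 'diag'} or {'ms', 'error'}."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request(1, dn, password))
            buf = b""
            while not _complete(buf):
                chunk = s.recv(4096)
                if not chunk:
                    raise ConnectionError("connection closed before BindResponse")
                buf += chunk
            _, rc, diag = parse_bind_response(buf)
    except (OSError, ValueError) as e:  # timeouts and refusals are OSError subclasses
        return {"ms": round((time.monotonic() - start) * 1000, 1), "error": str(e)}
    return {"ms": round((time.monotonic() - start) * 1000, 1),
            "result": LDAP_RESULT.get(rc, str(rc)), "diag": diag}


if __name__ == "__main__":
    # Usage: probe.py [host] [port] [bindDN]; password from LDAP_PROBE_PW; Ctrl-C stops it.
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.internal"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    dn = sys.argv[3] if len(sys.argv) > 3 else ""  # empty DN and password = anonymous bind
    pw = os.environ.get("LDAP_PROBE_PW", "")
    while True:
        print(time.strftime("%Y-%m-%dT%H:%M:%S"), probe(host, port, dn, pw), flush=True)
        time.sleep(5)
```

Run it on every WL host at the same time and keep the output files; a latency spike or an "unavailable"/"busy" result that lines up with the console stall points at the directory or the path to it, while uniformly fast binds during a stall point at the WebLogic side (thread dump next). The probe only measures a bind; it does not reproduce the group-membership searches the OpenLDAP authenticator runs after a bind, so a clean probe does not by itself clear those searches.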