LDAP sessions opened by QAS are not being closed down soon enough after no longer being needed resulting in too many open connections on the domain controller.
By default QAS will close LDAP sessions after 120 seconds. If your environment is very busy than this may result in too many sessions remaining open after they are needed. To fix this issue you can reduce this timeout period with the id-session-age option in vas.conf.
Because these sessions are encrypted using SASL there is a performance cost when reopening them, so you will want to be careful not to set that option too low as it may also cause problems on your domain controllers.