CAS 7.3.x - Intermittent Unable to resolve user dn errors during LDAP authentication after migrating from CAS 6.x

William Vincent (Wix31)

Jul 2, 2026, 9:39:39 AM
to CAS Community
Hello,

I am currently migrating from CAS 6.x to CAS 7.3.x and I am facing intermittent LDAP authentication failures.

Even though the LDAP server is up and the users exist in the directory, I regularly get the following error:

[LdapAuthenticationHandler]: [javax.security.auth.login.AccountNotFoundException: Unable to resolve user dn for xxx/ Unable to resolve user dn for xxx]

In the logs, even at DEBUG level, I only see:

resultCode=NO_SUCH_OBJECT

This happens randomly. Sometimes the same user can authenticate successfully a few seconds later.

Has anyone experienced similar intermittent NO_SUCH_OBJECT errors when migrating to CAS 7.x?

Is there a recommended way to configure the LDAP connection pool in CAS 7.3 to make it more resilient?

- I tried to configure the LDAP connection pool properly.
- I tried enabling `validate-periodically`, `prune-period`, and different validators.
- I also tried changing the LDAP authentication type from AUTHENTICATED to DIRECT.


Thank you in advance for your help.
Best regards,

My cas.properties (I use the CAS Overlay Docker image):

#=======================================
# Global
#=======================================

# PRODUCTION
cas.host.name=x
cas.server.name=https://${cas.host.name}
cas.server.prefix=https://${cas.host.name}/cas
cas.logout.redirect-url=https://${cas.host.name}/cas/login
cas.audit.engine.alternate-client-addr-header-name=X-Forwarded-For

logging.config=file:/etc/cas/config/log4j2_custom.xml
cas.authn.accept.enabled=false
cas.locale.default-value=fr
cas.logout.follow-service-redirects=true
cas.logout.redirect-parameter=service
cas.logout.confirm-logout=false

#========================================
# LDAP connection pool configuration
#========================================

# Credential to connect to LDAP

# Ldap configuration
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].bind-dn=cn=x
cas.authn.ldap[0].bind-credential=x
cas.authn.ldap[0].ldap-url=ldaps://ldap.x
cas.authn.ldap[0].base-dn=ou=People,x
cas.authn.ldap[0].subtree-search=true
cas.authn.ldap[0].search-filter=uid={user}
cas.authn.ldap[0].principal-attribute-list=cn,givenName,mail,sn,uid,displayName
# Pool
#cas.authn.ldap[0].pool-passivator=NONE
#cas.authn.ldap[0].disable-pooling=true
#cas.authn.ldap[0].max-pool-size=15
#cas.authn.ldap[0].min-pool-size=3
#cas.authn.ldap[0].block-wait-time=PT5S
#
## Pool connection validation
#cas.authn.ldap[0].validate-on-checkout=true
#cas.authn.ldap[0].validate-periodically=true
#cas.authn.ldap[0].validate-period=PT30S
#cas.authn.ldap[0].validate-timeout=PT5S
#cas.authn.ldap[0].validator.type=SEARCH
#cas.authn.ldap[0].validator.base-dn=ou=People,x
#cas.authn.ldap[0].validator.search-filter=(objectClass=*)
#cas.authn.ldap[0].validator.scope=OBJECT
#
## Pruning
#cas.authn.ldap[0].idle-time=PT3M
#cas.authn.ldap[0].prune-period=PT2M


#========================================
# Attribute Repository (Person Directory)
#========================================
cas.authn.attribute-repository.ldap[0].ldap-url=ldaps://ldap.x
cas.authn.attribute-repository.ldap[0].bind-dn=cn=x
cas.authn.attribute-repository.ldap[0].bind-credential=x
cas.authn.attribute-repository.ldap[0].base-dn=ou=People,x
cas.authn.attribute-repository.ldap[0].search-filter=uid={user}
cas.authn.attribute-repository.ldap[0].attributes.cn=cn
cas.authn.attribute-repository.ldap[0].attributes.givenName=givenName
cas.authn.attribute-repository.ldap[0].attributes.mail=mail
cas.authn.attribute-repository.ldap[0].attributes.sn=sn
cas.authn.attribute-repository.ldap[0].attributes.uid=uid
cas.authn.attribute-repository.ldap[0].attributes.displayName=displayName
#pool
cas.authn.attribute-repository.ldap[0].validate-on-checkout=true
cas.authn.attribute-repository.ldap[0].validate-periodically=true
cas.authn.attribute-repository.ldap[0].validate-period=PT30S
cas.authn.attribute-repository.ldap[0].validator.base-dn=ou=x
cas.authn.attribute-repository.ldap[0].validator.type=SEARCH
cas.authn.attribute-repository.ldap[0].validator.search-filter=(objectClass=*)
cas.authn.attribute-repository.ldap[0].validator.scope=OBJECT
# Pruning
cas.authn.attribute-repository.ldap[0].idle-time=PT3M
cas.authn.attribute-repository.ldap[0].prune-period=PT2M
#========================================
# DDoS / brute-force protection
#========================================

cas.authn.throttle.schedule.enabled=true
cas.authn.throttle.schedule.start-delay=PT10S
cas.authn.throttle.schedule.repeat-interval=PT60S

# Brute-force throttling (limits the number of authentication attempts)
cas.authn.throttle.failure.threshold=1
cas.authn.throttle.failure.range-seconds=3
# to throttle on IP and username
# cas.authn.throttle.core.username-parameter=username

# DDoS throttling
cas.authn.throttle.bucket4j.blocking=true
cas.authn.throttle.bucket4j.enabled=true
cas.authn.throttle.bucket4j.bandwidth[0].duration=PT60S
cas.authn.throttle.bucket4j.bandwidth[0].capacity=50

#========================================
# Old protocol
#========================================
cas.view.cas2.v3-forward-compatible=true


#========================================
# Authentication
#========================================
password.policy.warnAll=false
cas.authn.policy.any.tryall=false


#========================================
# Session management
#========================================

## Web Application Session
# server.servlet.session.timeout=PT30S
server.servlet.session.cookie.http-only=true
server.servlet.session.tracking-modes=COOKIE

#========================================
# Service management
#========================================

cas.service-registry.json.location=file:/etc/cas/services
cas.service-registry.schedule.enabled=true
cas.service-registry.schedule.repeat-interval=PT30S
cas.service-registry.schedule.start-delay=PT15S

#========================================
# Ticket management
#========================================

# Ticket storage
cas.ticket.registry.redis.host=redis
cas.ticket.registry.redis.database=0
cas.ticket.registry.redis.port=6379
cas.ticket.registry.redis.timeout=2000
cas.ticket.registry.redis.password=x

# Session duration
# 72000 = 20H / 36000 = 10H
# Ticket Granting Ticket (TGT)
cas.ticket.tgt.primary.max-time-to-live-in-seconds=72000
cas.ticket.tgt.primary.time-to-kill-in-seconds=36000
# remember me
cas.ticket.tgt.remember-me.enabled=true
cas.ticket.tgt.remember-me.time-to-kill-in-seconds=72000


cas.tgc.crypto.enabled=true
#cas.tgc.crypto.encryption.key=x
#cas.tgc.crypto.signing.key=x
cas.tgc.crypto.encryption.key=x
cas.tgc.crypto.signing.key=x
cas.tgc.pin-to-session=true
cas.tgc.remember-me-max-age=-1
cas.tgc.auto-configure-cookie-path=true

cas.webflow.crypto.enabled=true
#cas.webflow.crypto.signing.key=x
#cas.webflow.crypto.encryption.key=x
cas.webflow.crypto.signing.key=x
cas.webflow.crypto.encryption.key=x

cas.webflow.crypto.signing.keySize=512
cas.webflow.crypto.encryption.keySize=16
cas.webflow.crypto.alg=AES

#========================================
# OpenID Connect
#========================================

cas.authn.oidc.core.issuer=https://${cas.host.name}/cas/oidc
cas.authn.oidc.jwks.file-system.jwks-file=file:///etc/cas/openid_connect_keystore.jwks
cas.authn.oauth.crypto.encryption.key=x
cas.authn.oauth.crypto.signing.key=x
cas.authn.oauth.access-token.crypto.encryption.key=x
cas.authn.oauth.access-token.crypto.signing.key=x
cas.authn.oauth.session-replication.cookie.crypto.enabled=true
cas.authn.oauth.session-replication.cookie.crypto.signing.key=x
cas.authn.oauth.session-replication.cookie.crypto.encryption.key=x

#========================================
# Theme Dev
#========================================
cas.theme.default-theme-name=default
# uncomment to test HTML changes without restarting Tomcat
# spring.thymeleaf.cache=false

#========================================
# Monitoring / Actuator / Endpoint
#========================================

# disable everything by default
management.endpoints.access.default=none

# enable the modules we need
management.endpoints.web.exposure.include=status
management.endpoint.status.enabled=true

# URL configuration + credentials
management.endpoints.web.base-path=/xxxx
#management.endpoints.web.exposure.include=health,info,metrics,prometheus,env,loggers,status
cas.monitor.endpoints.endpoint.status.access=AUTHENTICATED
cas.monitor.endpoints.endpoint.status.required-ip-addresses=xxxx
spring.security.user.name=xxx
spring.security.user.password=xxx

#========================================
# User Self MGT
#========================================
#CasFeatureModule.AccountManagement.enabled=true





Ray Bon

Jul 2, 2026, 2:13:48 PM
to cas-...@apereo.org
William,

  Is your LDAP behind a load balancer?
Perhaps one host has incorrect data.
We have not experienced any problems with the upgrade.

Ray


Fisher, Daniel

Jul 2, 2026, 2:13:48 PM
to cas-...@apereo.org
Can you confirm what filter is producing the NO_SUCH_OBJECT? You may need to check your active directory logs.

--Daniel Fisher



Mike Osterman

Jul 2, 2026, 9:12:32 PM
to cas-...@apereo.org
We had similar, but slightly different behavior with the Optional cas.authn.ldap[0].pool-passivator property. 

I see you have:
#cas.authn.ldap[0].pool-passivator=NONE

If I read the documentation correctly, you are not actually setting the property, but you could try activating it and switching it to BIND from NONE. With it not actually set, due to the leading #, it should be BIND by default.

This may be different enough from our situation that it's a red herring, but worth a shot.

-Mike

William Vincent (Wix31)

Jul 3, 2026, 10:18:26 AM
to CAS Community, Mike Osterman
Edit : I confirm that Passivator set to BIND finally works well in 7.x! 
Thanks everyone. 
Have a good day!

William Vincent (Wix31)

Jul 3, 2026, 10:18:42 AM
to CAS Community
Thank you for your replies, I'll answer everyone here:

- I don't have any filter; we are directly in the "people" branch, and everyone is allowed. (We have OpenLDAP, not AD.)
- LDAP is behind an HAProxy, but the problem is the same even when connecting directly (using the IP or the DNS name). I even moved it to a VM on the same network to bypass any firewall.
- Regarding the `pool-passivator` parameter set to BIND, it seems to work on version 8 but not on version 7.3. In 6.x it was set to NONE and worked without any issues.
Given the security vulnerabilities in OpenID Connect, I didn't want to wait for version 8, but I don't want to put a non-final version into production either.
