I am currently migrating from CAS 6.x to CAS 7.3.x and I am facing intermittent LDAP authentication failures.
Even though the LDAP server is up and the users exist in the directory, I regularly get the following error:
# NOTE(review): the client address recorded in the audit log is taken from the
# X-Forwarded-For header. That header is client-controlled unless the reverse proxy in
# front of CAS overwrites it - confirm the proxy does, otherwise audit records (and,
# presumably, anything else keyed on the client address such as the IP-based throttle
# further down) can be fed a forged address.
cas.audit.engine.alternate-client-addr-header-name=X-Forwarded-For
# External log4j2 configuration
logging.config=file:/etc/cas/config/log4j2_custom.xml
# Built-in static "accept users" handler is off (no test accounts in production)
cas.authn.accept.enabled=false
# Default UI locale
cas.locale.default-value=fr
# Logout: redirect straight to the URL given in the "service" parameter, no confirmation
# page (presumably only for services present in the service registry - verify)
cas.logout.follow-service-redirects=true
cas.logout.redirect-parameter=service
cas.logout.confirm-logout=false
#========================================
# LDAP connection pool configuration
#========================================
# Credential to connect to LDAP
# Ldap configuration
# AUTHENTICATED type (per the CAS LDAP docs): search for the user entry with the
# service account below, then bind as the found entry to check the password.
cas.authn.ldap[0].type=AUTHENTICATED
# Service account used for the user search (values are placeholders)
cas.authn.ldap[0].bind-dn=cn=x
cas.authn.ldap[0].bind-credential=x
cas.authn.ldap[0].ldap-url=ldaps://ldap.x
cas.authn.ldap[0].base-dn=ou=People,x
cas.authn.ldap[0].subtree-search=true
cas.authn.ldap[0].search-filter=uid={user}
# Attributes copied onto the principal from the authenticated entry
cas.authn.ldap[0].principal-attribute-list=cn,givenName,mail,sn,uid,displayName
# Pool
# NOTE(review): every pool setting below is commented out for the *authentication*
# connection, while the attribute-repository section further down keeps validation and
# pruning enabled. Without validate-on-checkout / validate-periodically, a pooled
# connection that the LDAP server or an intermediate firewall has silently closed (e.g.
# after an idle timeout) is handed to the next login and that login fails - which matches
# an "LDAP is up but logins fail intermittently" pattern. Enabling the validation block
# below (or disable-pooling=true as a quick test) is the first thing to try.
#cas.authn.ldap[0].pool-passivator=NONE
#cas.authn.ldap[0].disable-pooling=true
#cas.authn.ldap[0].max-pool-size=15
#cas.authn.ldap[0].min-pool-size=3
#cas.authn.ldap[0].block-wait-time=PT5S
#
## Pool connection validation
#cas.authn.ldap[0].validate-on-checkout=true
#cas.authn.ldap[0].validate-periodically=true
#cas.authn.ldap[0].validate-period=PT30S
#cas.authn.ldap[0].validate-timeout=PT5S
#cas.authn.ldap[0].validator.type=SEARCH
#cas.authn.ldap[0].validator.base-dn=ou=People,x
#cas.authn.ldap[0].validator.search-filter=(objectClass=*)
#cas.authn.ldap[0].validator.scope=OBJECT
#
## Pruning
#cas.authn.ldap[0].idle-time=PT3M
#cas.authn.ldap[0].prune-period=PT2M
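#========================================
# Attribute Repository (Person Directory)
#========================================
# Second LDAP source used to resolve principal attributes after authentication
# (same directory and service account as the authentication handler above).
cas.authn.attribute-repository.ldap[0].ldap-url=ldaps://ldap.x
cas.authn.attribute-repository.ldap[0].bind-dn=cn=x
cas.authn.attribute-repository.ldap[0].bind-credential=x
cas.authn.attribute-repository.ldap[0].base-dn=ou=People,x
cas.authn.attribute-repository.ldap[0].search-filter=uid={user}
# Attribute mapping, presumably <ldap attribute>=<principal attribute name>.
# NOTE(review): the cn and sn keys were wrapped onto two lines; a properties key cannot
# continue on the next line without a trailing backslash, so the two fragments would load
# as unrelated keys and the mapping would be lost. They are written on one line here.
cas.authn.attribute-repository.ldap[0].attributes.cn=cn
cas.authn.attribute-repository.ldap[0].attributes.givenName=givenName
cas.authn.attribute-repository.ldap[0].attributes.mail=mail
cas.authn.attribute-repository.ldap[0].attributes.sn=sn
cas.authn.attribute-repository.ldap[0].attributes.uid=uid
cas.authn.attribute-repository.ldap[0].attributes.displayName=displayName
#pool
# Pool validation: each connection is checked on checkout and every 30s with a
# base-object search.
cas.authn.attribute-repository.ldap[0].validate-on-checkout=true
cas.authn.attribute-repository.ldap[0].validate-periodically=true
cas.authn.attribute-repository.ldap[0].validate-period=PT30S
# NOTE(review): the validator base-dn (ou=x) differs from the search base-dn
# (ou=People,x). With scope=OBJECT the validation search targets exactly this entry; if
# it does not exist, every validation fails and the pool keeps discarding otherwise
# healthy connections - confirm this DN is real and not a leftover placeholder.
cas.authn.attribute-repository.ldap[0].validator.base-dn=ou=x
cas.authn.attribute-repository.ldap[0].validator.type=SEARCH
cas.authn.attribute-repository.ldap[0].validator.search-filter=(objectClass=*)
cas.authn.attribute-repository.ldap[0].validator.scope=OBJECT
# Pruning: connections idle for 3 minutes are closed, checked every 2 minutes
cas.authn.attribute-repository.ldap[0].idle-time=PT3M
cas.authn.attribute-repository.ldap[0].prune-period=PT2M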
#========================================
# DDOS / brute-force protection
#========================================
# Periodic cleanup of the throttle's failure records
cas.authn.throttle.schedule.enabled=true
cas.authn.throttle.schedule.start-delay=PT10S
cas.authn.throttle.schedule.repeat-interval=PT60S
# Brute-force throttle (limits the number of authentication attempts)
# NOTE(review): threshold=1 over range-seconds=3 is very aggressive: roughly, a second
# failure within 3s of the first from the same source is rejected before LDAP is even
# consulted. A throttled submission surfaces to the user as a failed login, so part of
# the "intermittent LDAP failures" may actually be throttling - check the audit log for
# throttle events next to the LDAP errors before tuning the pool.
cas.authn.throttle.failure.threshold=1
cas.authn.throttle.failure.range-seconds=3
# to throttle on IP and username
# cas.authn.throttle.core.username-parameter=username
# DDOS throttle
# NOTE(review): with blocking=true, submissions above 50 per 60s are held until a token
# frees up rather than failed outright. If this bucket is shared by all clients rather
# than kept per client (check the bucket4j throttling docs for this CAS version), a
# login burst at the start of the day exceeds it easily. Also, the source address the
# throttles see presumably comes from the X-Forwarded-For header configured at the top;
# if the proxy does not set it, everyone behind the proxy shares one address and one
# user's failures throttle the others.
cas.authn.throttle.bucket4j.blocking=true
cas.authn.throttle.bucket4j.enabled=true
cas.authn.throttle.bucket4j.bandwidth[0].duration=PT60S
cas.authn.throttle.bucket4j.bandwidth[0].capacity=50
#========================================
# Old protocol
#========================================
# Let CAS 2.0 validation responses carry the CAS 3.0 attribute payload
cas.view.cas2.v3-forward-compatible=true
#========================================
# Authentication
#========================================
# NOTE(review): "password.policy.warnAll" is not a cas.* property and is presumably a
# leftover from an older CAS version; in CAS 7 the LDAP password-policy settings live
# under cas.authn.ldap[0].password-policy.* (e.g. warn-all) - verify against the 7.3
# docs and drop this line if nothing reads it.
password.policy.warnAll=false
# Stop at the first handler that succeeds instead of trying every handler
cas.authn.policy.any.tryall=false
#========================================
# Session management
#========================================
## Web Application Session
# server.servlet.session.timeout=PT30S
# Servlet session cookie is hidden from JavaScript and session ids never go in the URL
server.servlet.session.cookie.http-only=true
# NOTE(review): consider adding server.servlet.session.cookie.secure=true (and a
# same-site value) since CAS is served over https (see the OIDC issuer below);
# http-only alone does not stop the cookie being sent over plain http.
server.servlet.session.tracking-modes=COOKIE
#========================================
# Service management
#========================================
# JSON service definitions on disk, re-read every 30s (starting 15s after boot)
cas.service-registry.json.location=file:/etc/cas/services
cas.service-registry.schedule.enabled=true
cas.service-registry.schedule.repeat-interval=PT30s
cas.service-registry.schedule.start-delay=PT15S
#========================================
# Ticket management
#========================================
# ticket storage
# NOTE(review): Redis holds every ticket (TGT/ST). The connection is password-protected
# but nothing here enables TLS; if the "redis" host is not on a private network, look at
# cas.ticket.registry.redis.use-ssl in the 7.3 docs. The timeout is presumably in
# milliseconds - confirm. Keep this credential out of world-readable files.
cas.ticket.registry.redis.host=redis
cas.ticket.registry.redis.database=0
cas.ticket.registry.redis.port=6379
cas.ticket.registry.redis.timeout=2000
cas.ticket.registry.redis.password=x
# Session duration
# 72000 = 20H / 36000 = 10H
# Ticket Granting Ticket (TGT): hard cap of 20h, expires after 10h of inactivity
cas.ticket.tgt.primary.max-time-to-live-in-seconds=72000
cas.ticket.tgt.primary.time-to-kill-in-seconds=36000
# remember me: 20h idle allowance when the box is ticked
cas.ticket.tgt.remember-me.enabled=true
cas.ticket.tgt.remember-me.time-to-kill-in-seconds=72000
# SSO cookie (TGC) is signed and encrypted. The keys below are placeholders: CAS expects
# properly sized generated keys, and a key that differs per restart or per node
# invalidates every existing SSO cookie - generate them once and share them across
# nodes. The commented duplicates can be dropped.
cas.tgc.crypto.enabled=true
#cas.tgc.crypto.encryption.key=x
#cas.tgc.crypto.signing.key=x
cas.tgc.crypto.encryption.key=x
cas.tgc.crypto.signing.key=x
# NOTE(review): pin-to-session binds the cookie to the client address / user-agent seen
# when it was issued. If the address CAS sees changes mid-session (mobile clients, or an
# X-Forwarded-For value that varies between proxy hops), the SSO session is rejected and
# the user is sent back to the login form - another possible source of "random"
# re-authentications.
cas.tgc.pin-to-session=true
# NOTE(review): -1 presumably makes this a browser-session cookie, which defeats the
# purpose of remember-me (the cookie is gone when the browser closes) - confirm this is
# intended, otherwise use a duration such as P14D.
cas.tgc.remember-me-max-age=-1
cas.tgc.auto-configure-cookie-path=true
# Webflow state is signed and encrypted too (same placeholder keys; same remarks)
cas.webflow.crypto.enabled=true
#cas.webflow.crypto.signing.key=x
#cas.webflow.crypto.encryption.key=x
cas.webflow.crypto.signing.key=x
cas.webflow.crypto.encryption.key=x
# 512-bit signing key, 16-byte (AES-128) encryption key - presumably the CAS defaults
cas.webflow.crypto.signing.keySize=512
cas.webflow.crypto.encryption.keySize=16
cas.webflow.crypto.alg=AES
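#========================================
# OpenID Connect
#========================================
# Issuer advertised to OIDC clients; must match exactly (scheme, host, /cas/oidc path)
# what the clients are configured with.
# NOTE(review): the ${cas.host.name} placeholder was wrapped onto two lines, which would
# leave the issuer as "https://${" and a stray "cas.host.name}/cas/oidc" key; joined here.
cas.authn.oidc.core.issuer=https://${cas.host.name}/cas/oidc
# Signing keys for id tokens, loaded from disk (file must be readable by CAS only)
cas.authn.oidc.jwks.file-system.jwks-file=file:///etc/cas/openid_connect_keystore.jwks
# OAuth token / code crypto keys (placeholders - generate real values, share across nodes)
cas.authn.oauth.crypto.encryption.key=x
cas.authn.oauth.crypto.signing.key=x
cas.authn.oauth.access-token.crypto.encryption.key=x
cas.authn.oauth.access-token.crypto.signing.key=x
# Session-replication cookie used by the OAuth flows, also signed and encrypted
cas.authn.oauth.session-replication.cookie.crypto.enabled=true
cas.authn.oauth.session-replication.cookie.crypto.signing.key=x
cas.authn.oauth.session-replication.cookie.crypto.encryption.key=x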
#========================================
# Theme Dev
#========================================
cas.theme.default-theme-name=default
# uncomment to test html changes without restarting tomcat
# spring.thymeleaf.cache=false
#========================================
# Monitoring / Actuator / Endpoint
#========================================
# disable everything by default
management.endpoints.access.default=none
# enable only the modules we want
management.endpoints.web.exposure.include=status
management.endpoint.status.enabled=true
# URL + credentials
management.endpoints.web.base-path=/xxxx
#management.endpoints.web.exposure.include=health,info,metrics,prometheus,env,loggers,status
# NOTE(review): per the CAS actuator docs, required-ip-addresses is only consulted when
# the endpoint's access list includes IP_ADDRESS; with access=AUTHENTICATED alone it is
# presumably ignored, so only basic auth protects this endpoint. If both checks are
# wanted, list both levels (verify the list syntax for your version). If the IP check
# resolves the client through the same X-Forwarded-For header as the audit engine, it
# is only as trustworthy as the proxy that sets that header.
cas.monitor.endpoints.endpoint.status.access=AUTHENTICATED
cas.monitor.endpoints.endpoint.status.required-ip-addresses=xxxx
# Basic-auth user for the actuator endpoints. Plain-text credential in this file:
# restrict the file's permissions or move it to an encrypted property source.
spring.security.user.name=xxx
spring.security.user.password=xxx
#========================================
# User Self MGT
#========================================
#CasFeatureModule.AccountManagement.enabled=true