CAS AD LDAP 32 error

Question

I am seeing this when I try to login with CAS which is authenticating against AD over LDAP.

SEVERE: Servlet.service() for servlet cas threw exception
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, best match of:
    ''
]; remaining name '/'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3092)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1829)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1752)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)
    at org.springframework.ldap.core.LdapTemplate$3.executeSearch(LdapTemplate.java:231)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:293)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:237)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:588)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:546)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:401)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:421)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:441)

Up to that point I was authenticated by the BindLdapAuthenticationHandler, resolved, it generated a query builder and then threw this.

I think it is failing when it is trying to get attributes back. Why is the remaining name '/'?

score 8 · Accepted Answer · answered Nov 18 '11 at 13:07

8

Remaining name is a part of a DN that wasn't actually found at a certain level of a DIT. For example when you search cn=johns,ou=marketing,dc=example,dc=com and ou=marketing,dc=example,dc=com exists but cn=johns does not exists inside of ou=marketing then the remaning name would be cn=johns.

'/' does not look like a valid RDN. I would recommend to verify what you pass as a search base. Most likely it's an invalid DN string.

answered Nov 18 '11 at 13:07

Kirill Kovalenko

2,121
16
18

I instead got an empty remaining name, that is, "", which looks even stranger, issue is described [here](http://stackoverflow.com/q/39372374/5606016) (and it actually has an open bounty) – A_Di-Matteo Sep 12 '16 at 20:40

score 3 · Answer 2 · answered Nov 18 '11 at 12:49

3

LDAP error code 32 means "no such object", in this case, perhaps the base object of the search did not exist.

answered Nov 18 '11 at 12:49

Terry Gardner

10,957
2
28
38

I can confirm that this was the cause of the problem, an empty base object. – sorin Nov 04 '14 at 15:19

CAS AD LDAP 32 error

2 Answers2

Linked