cf login, or AppsManager if LDAP is used.
# LDAP authentication starts
[2021-08-27 03:06:43.812] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- ProviderManager: Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
[2021-08-27 03:06:43.895] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- SpringSecurityLdapTemplate: Searching for entry under DN '', base = 'dc=example,dc=com', filter = 'samaccountname={0}'
[2021-08-27 03:06:43.895] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- SpringSecurityLdapTemplate: Found DN: CN=ExampleCN,OU=Users,DC=Example,DC=Com
# the UAA tomcat thread https-jsse-nio-8443-exec-8 idles for 2m11s, then proceeds
[2021-08-27 03:08:54.622] uaa - 17 [https-jsse-nio-8443-exec-8] .... INFO --- SpringSecurityLdapTemplate: Ignoring PartialResultException
[2021-08-27 03:08:54.622] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- BindAuthenticator: Attempting to bind as cn=ExampleCN,ou=Users,dc=example,dc=com
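The idle gap called out in the excerpt above can be located mechanically in a larger UAA log by grouping lines per Tomcat thread. The Python below is an added example, not code from the original article or from UAA; the names find_ldap_stalls and partial_result and the 30-second threshold are assumptions, and the exec-9 sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Prefix of the UAA lines on this page:
# [timestamp] uaa - <n> [<tomcat thread>] ... <LEVEL> --- <Logger>: <message>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] uaa - \d+ \[(?P<thread>[^\]]+)\].*?"
    r"(?P<level>DEBUG|INFO|WARN|ERROR) --- (?P<logger>\w+): (?P<msg>.*)$")
# Loggers that appear during the LDAP search and bind in the excerpt above.
LDAP_LOGGERS = {"SpringSecurityLdapTemplate", "BindAuthenticator"}

def parse_ts(raw):
    # Handles "2021-08-27 03:06:43.812" and "2025-06-20T06:18:35.828842Z".
    return datetime.fromisoformat(raw.rstrip("Z"))

def find_ldap_stalls(lines, threshold=timedelta(seconds=30)):
    """Report per-thread silences that begin inside an LDAP operation.

    Tomcat threads are reused between requests, so a gap only counts when
    the thread's last line before the silence came from an LDAP logger.
    """
    last, stalls = {}, []  # last: thread -> (timestamp, logger)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, prev = parse_ts(m["ts"]), last.get(m["thread"])
        if prev and prev[1] in LDAP_LOGGERS and ts - prev[0] > threshold:
            stalls.append({"thread": m["thread"], "gap": ts - prev[0],
                           "partial_result": "PartialResultException" in m["msg"]})
        last[m["thread"]] = (ts, m["logger"])
    return stalls

# exec-8 lines are the excerpt from this page; exec-9 lines are constructed.
SAMPLE = """\
[2021-08-27 03:06:43.812] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- ProviderManager: Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
[2021-08-27 03:06:43.895] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- SpringSecurityLdapTemplate: Searching for entry under DN '', base = 'dc=example,dc=com', filter = 'samaccountname={0}'
[2021-08-27 03:06:43.895] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- SpringSecurityLdapTemplate: Found DN: CN=ExampleCN,OU=Users,DC=Example,DC=Com
[2021-08-27 03:08:54.622] uaa - 17 [https-jsse-nio-8443-exec-8] .... INFO --- SpringSecurityLdapTemplate: Ignoring PartialResultException
[2021-08-27 03:08:54.622] uaa - 17 [https-jsse-nio-8443-exec-8] .... DEBUG --- BindAuthenticator: Attempting to bind as cn=ExampleCN,ou=Users,dc=example,dc=com
[2021-08-27 03:06:50.000] uaa - 17 [https-jsse-nio-8443-exec-9] .... DEBUG --- AuthzAuthenticationManager: Processing authentication request for USERNAME1
[2021-08-27 03:08:00.000] uaa - 17 [https-jsse-nio-8443-exec-9] .... DEBUG --- AuthzAuthenticationManager: Processing authentication request for USERNAME1
""".splitlines()

if __name__ == "__main__":
    for s in find_ldap_stalls(SAMPLE):
        print(s["thread"], s["gap"], "PartialResultException:", s["partial_result"])
```

The 70-second gap on exec-9 is not reported because that thread was not inside an LDAP operation when it went quiet.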
Product Version: 2.10 - 4.0.14
This has been seen on Opsman versions up to 3.0.37, but it is not limited to specific Opsman or Tanzu Application Service versions, because the latency is experienced on the LDAP side.
When Tanzu Application Service for VMs (TAS for VMs) is integrated with a Lightweight Directory Access Protocol (LDAP) identity provider, LDAP users can experience significant latency (2 minutes) during "cf login". For more information, refer to Configure LDAP as an Identity Provider for TAS for VM.
This latency could be caused by unresponsive referrals contained in the response from the LDAP server.
By default, the LDAP client in TAS UAA uses the "follow" strategy, which means it automatically follows any referrals returned by the LDAP server. The referrals may contain URLs to LDAP servers other than the one configured for TAS UAA. Processing the unresponsive referrals is the source of the latency.
The LDAP client in UAA can be configured to ignore referrals and return partial result. See all possible settings in the UAA release spec file. In the TAS tile, please make the configuration change via the following steps.
1. Navigate to the Ops Manager Installation Dashboard.
2. Click the TAS for VMs tile.
3. Select Authentication and Enterprise SSO.
4. For LDAP referrals, select Ignore referrals and return partial result.
5. Click Save. Make a selective Apply Changes for TAS for VMs.
If the above configuration change does not resolve the issue, please contact VMware Tanzu Support for further assistance.
When reviewing UAA logging, the easiest way to track a single session is to start with the initial login attempt by searching for the failing username:
Login attempt starts:
[2025-06-20T06:18:35.828842Z] uaa - 13 [https-jsse-nio-8443-exec-63] - [a14052########################8f,7355########268f] .... DEBUG --- AuthzAuthenticationManager: Processing authentication request for USERNAME1
From this initial login message, gather the session ID (a14052########################8f,7355########268f in this example) and use it for tracking until the end of the session.
The following UAA documentation provides a more detailed overview of how the LDAP authentication is performed.