Error 5015


Ben Smith

May 11, 2023, 1:27:48 PM
to pwm-general
We are getting this error message and it doesn't make sense as the AD DC in the error isn't linked to PWM anymore. I've cleared and reimported LDAP certificates but when attempting to sign in it still produces the message that the server certificate doesn't match what's in the trust store.

We are currently on version PWM v1.8.0-SNAPSHOT b27066627 r625b13569b374576d02f1318f55f528d6fcb22f8

Any ideas what I am missing?

Error 5015
An error has occurred. If this error occurs repeatedly please contact your help desk.

5015 ERROR_UNKNOWN (unexpected error during ldap search (profile=password.pwm.config.profile.LdapProfile@38fd5219), error: 5015 ERROR_UNKNOWN (ldap error during searchID=1, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: fox.local:636, cause:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: server certificate {subject=CN=OLD_DC.LOCAL} does not match a certificate in the configuration trust store., cause:java.security.cert.CertificateException: server certificate {subject=CN= OLD_DC.LOCAL} does not match a certificate in the configuration trust store.))

Jason Rivard

May 12, 2023, 7:22:01 PM
to pwm-general
Your AD LDAP server is redirecting PWM to a different domain controller than the one you have configured.  AD does this because AD reasons.  The certificate you are trusting is the server cert for the configured LDAP server in PWM, thus the cert failure when connecting to the other domain controller.

You can solve this by trusting the CA cert instead of the server cert.  In 1.8 you can only do this by manually adding the CA cert to the PWM java keystore.  Current versions of PWM will import the CA cert instead of the server cert into the PWM configuration when using the configuration editor.

I strongly recommend updating PWM to the current release.  v1.8 is ancient and is using libraries with known security defects, you are inviting disaster by using that version.

Ben Smith

May 19, 2023, 3:48:34 PM
to pwm-general
Hey Jason,

We upgraded to the latest and are still getting this, but for some reason only occasionally.  It seems to produce this error sometimes, and other times it works just fine.

2023-05-19T18:39:16Z, WARN , search.UserSearchEngine, {Exd24} searchID=0-0 error during user search: 5015 ERROR_INTERNAL (unexpected error during ldap search (profile=default), error: 5015 ERROR_INTERNAL (ldap error during searchID=0, context=DC=abc,DC=local, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: fox.local:636, cause:javax.net.ssl.SSLHandshakeException: server certificate {subject=CN=OLD_DC01.local} does not match a certificate in the PWM configuration trust store., cause:java.security.cert.CertificateException: server certificate {subject=CN= OLD_DC01.local} does not match a certificate in the PWM configuration trust store.)) [10.146.1.27]

Jason Rivard

May 21, 2023, 2:04:14 AM
to pwm-general
Did you import the CA cert into the config?   Are all the DC server certs actually signed by the CA cert?

Ben Smith

May 22, 2023, 11:01:09 AM
to pwm-general
I believe so yes, as I had both our new DCs added under LDAP URLs, and have imported their certificates in PWM.

jason.e...@gmail.com

May 22, 2023, 11:45:47 AM
to pwm-general
What is in your AD certificate for subject alternate name?
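Jason's explanation earlier in the thread (PWM trusts the configured DC's server certificate, so the DC that the AD referral lands on does not match the trust store, while trusting the CA certificate covers every DC the CA signed) and his closing question about the subject alternative name can both be seen in the following Go program. It is an added example for this thread, not code from PWM or from anyone posting here. It builds a constructed CA and three DC certificates in memory (every host name is made up) and runs Go's crypto/x509 verifier, whose trust-store and host-name rules stand in for any TLS client's; PWM's own Java certificate-matching logic is not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serialCounter int64

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert creates a P-256 certificate. With parent == nil it is self-signed
// (our stand-in for the AD CA); otherwise it is issued by parent/parentKey.
func newCert(cn string, sans []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serialCounter++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serialCounter),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans, // the subject alternative names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	issuer, issuerKey := tmpl, key
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// classify verifies serverCert for host against a trust store holding the
// given certificates (pinned server certs and/or CA certs) and names the outcome.
func classify(serverCert *x509.Certificate, host string, store ...*x509.Certificate) string {
	pool := x509.NewCertPool()
	for _, c := range store {
		pool.AddCert(c)
	}
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown-authority" // cert neither is in the store nor chains to it
	case errors.As(err, new(x509.HostnameError)):
		return "hostname-mismatch" // SAN does not cover host (Go checks this before chaining)
	default:
		return "error: " + err.Error()
	}
}

// Demo builds a constructed topology modelled on the thread: one AD CA, the DC
// configured in PWM, the DC that the referral points at, and a DC whose
// certificate carries only a short CN and no SAN. It returns the verification
// outcome for each (trust store, server) combination.
func Demo() map[string]string {
	ca, caKey := newCert("Example AD CA", nil, true, nil, nil)
	dc1, _ := newCert("dc1.example.test", []string{"dc1.example.test"}, false, ca, caKey)
	dc2, _ := newCert("dc2.example.test", []string{"dc2.example.test"}, false, ca, caKey)
	dc3, _ := newCert("DC3", nil, false, ca, caKey) // CN only, no SAN

	return map[string]string{
		// store holds only dc1's server cert: fine for dc1, fails on the referral to dc2
		"pin-dc1/dc1": classify(dc1, "dc1.example.test", dc1),
		"pin-dc1/dc2": classify(dc2, "dc2.example.test", dc1),
		// store holds the CA cert instead: every DC the CA signed verifies
		"ca/dc1": classify(dc1, "dc1.example.test", ca),
		"ca/dc2": classify(dc2, "dc2.example.test", ca),
		// CA trusted, but the name the client connected to is not in the SAN
		"ca/dc3": classify(dc3, "dc3.example.test", ca),
	}
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-12s %s\n", k, v)
	}
}
```

`go run` prints one line per case. The store that holds only dc1's server certificate accepts dc1 but rejects dc2 with an unknown-authority error, which is the shape of the failure in the log above; the store that holds the CA certificate accepts both. The third case is the point of the SAN question: the CA is trusted, yet a client that checks the host name still refuses a CN-only certificate that does not name the host it connected to.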