Setup for AD parent and child domains?


Paul Suh

Jan 19, 2018, 3:53:48 PM
to pwm-general
I'm trying to configure PWM for an AD setup that has parent and child domains, EXAMPLE.COM and FOO.EXAMPLE.COM.

When I configure it for just the EXAMPLE.COM domain, everything works just fine -- account activations, password resets, etc. 

When I add an LDAP server for the FOO.EXAMPLE.COM domain, I get certificate errors: 

2018-01-17T17:49:10Z, WARN , provider.FailOverWrapper, unable to reach ldap server ldaps://dc2.example.com:636, last error: javax.naming.CommunicationException: FOO.EXAMPLE.COM:636, cause:javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: server certificate {subject=CN=DCFOO1.FOO.EXAMPLE.COM} does not match a certificate in the configuration trust store., cause:java.security.cert.CertificateException: server certificate {subject=CN=DCFOO1.FOO.EXAMPLE.COM} does not match a certificate in the configuration trust store.

Anyone have any idea why PWM is trying to reach DCFOO1.FOO.EXAMPLE.COM (which is a domain controller for the FOO.EXAMPLE.COM domain), when it thinks it's talking to dc2.example.com? DCFOO1 isn't even the domain controller that I added to the PWM config -- I used DCFOO2. 

Has anyone successfully configured AD parent and child domains and can tell me what's going on? 


--Paul

Paul Suh

Jan 24, 2018, 11:14:18 AM
to pwm-general
Just to follow up for the record, I had to make three changes to get things to work: 

  1. Add the AD root certificate to C:\Program Files\Java\jre1.80_161\lib\security\cacerts
  2. Update the build of PWM -- a co-worker had accidentally given me the wrong .war file
  3. Tweak the PWM config back to the defaults for the most part
Almost everything is working, but users in the FOO.EXAMPLE.COM child domain are not able to change their own passwords either after login or via the Forgot Password link. I'm pretty sure that the problem is in the PWM config as users in the parent EXAMPLE.COM domain are authenticating as themselves while the users in the FOO.EXAMPLE.COM child domain are authenticating as the admin proxy user when a password change is attempted. (Account activations work just fine in the child domain.) 
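Item 1 above (putting the AD root certificate into the Java cacerts store) as an added PowerShell example, written for this page and not taken from the thread or from the PWM project. The JRE directory, the exported root CA file, the keystore alias and the idea that the LDAP URL was given with the domain name FOO.EXAMPLE.COM are all assumptions. That last one is what the "FOO.EXAMPLE.COM:636" in the error suggests: AD publishes an A record for every DC under the domain name, so a connection by domain name can land on any DC, which would account for DCFOO1 showing up when only DCFOO2 was configured. Note also that the error names PWM's own "configuration trust store", which is a separate store from Java's cacerts.

```powershell
# Added example (not from the thread). Assumed placeholders: the JRE directory,
# the exported root CA file, the alias, and that FOO.EXAMPLE.COM resolves to the
# child domain's DCs (AD registers an A record for each DC under the domain name).
$JavaHome = 'C:\Program Files\Java\jre1.8.0_161'
$CaCerts  = Join-Path $JavaHome 'lib\security\cacerts'
$Keytool  = Join-Path $JavaHome 'bin\keytool.exe'
$RootCer  = 'C:\temp\example-root-ca.cer'     # exported from the AD root CA (DER or Base64)
$Alias    = 'example-com-root-ca'
$Domain   = 'FOO.EXAMPLE.COM'

# 1. Back up cacerts, then import the root CA. The stock store password is 'changeit'.
#    A JRE update replaces this file, so the import has to be repeated after updates.
Copy-Item $CaCerts "$CaCerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"
& $Keytool -importcert -noprompt -trustcacerts -alias $Alias -file $RootCer `
           -keystore $CaCerts -storepass changeit
& $Keytool -list -keystore $CaCerts -storepass changeit -alias $Alias

# 2. Check every DC the configured name can resolve to. Connecting by domain name
#    can land on any of them, so each DC's LDAPS certificate must chain to the
#    root that was just imported, not only the one DC that was tested by hand.
$root      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCer
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }   # chain is checked explicitly below

$ips = Resolve-DnsName -Name $Domain -Type A |
       Where-Object { $_.IPAddress } |
       Select-Object -ExpandProperty IPAddress

foreach ($ip in $ips) {
    $tcp = New-Object System.Net.Sockets.TcpClient($ip, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Domain)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate

        # Build the chain with the Windows store (revocation off so this works offline);
        # the only question here is whether the chain ends at the root imported into cacerts.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($leaf)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            DC         = $ip
            Subject    = $leaf.Subject
            Issuer     = $leaf.Issuer
            NotAfter   = $leaf.NotAfter
            ChainsToCA = ($top.Thumbprint -eq $root.Thumbprint)
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}
```

Any DC that reports ChainsToCA = False (or whose Subject is not the DC's own FQDN) is one that the LDAP client will eventually hit and fail on, even if the DC named in the configuration checks out. If the child domain has its own issuing CA, that CA's root needs to go into the store as well.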

Jonathan Weinberg

Jan 25, 2018, 2:22:58 AM
to pwm-general
Hmmm. Not a direct solve, but you could try giving the Admin Proxy User "change password" permission for Users + Object w/Descendants on the OU you want to have users be able to change passwords on?
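The delegation suggested above as an added PowerShell example (written for this page, not from the thread or from PWM). It grants the proxy account both the Change Password and the Reset Password extended rights on descendant user objects of one OU; for an account that sets another user's password without knowing the current one, Reset Password (User-Force-Change-Password) is the right that applies, so both are included. The proxy account name, the OU and the child-domain DC are assumed placeholders.

```powershell
# Added example (not from the thread). Assumed placeholders: the proxy account,
# the target OU and the child-domain DC. Run as an account that may write the
# OU's security descriptor (for example a Domain Admin of FOO.EXAMPLE.COM).
Import-Module ActiveDirectory

$ProxyUser = 'FOO\svc-pwm-proxy'                   # PWM's admin proxy user
$TargetOU  = 'OU=Staff,DC=FOO,DC=EXAMPLE,DC=COM'   # OU holding the users PWM must serve
$ChildDC   = 'DCFOO2.FOO.EXAMPLE.COM'              # write to a DC of the child domain

# Resolve the proxy account to a SID; this also works across the trust if the
# account lives in the parent domain.
$proxySid = (New-Object System.Security.Principal.NTAccount $ProxyUser).Translate([System.Security.Principal.SecurityIdentifier])

# Look the GUIDs up from the forest instead of hard-coding them: the two extended
# rights, and the schema GUID of the 'user' class for "descendant User objects".
$rootDse = Get-ADRootDSE -Server $ChildDC
$rights  = @{}
Get-ADObject -Server $ChildDC -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(|(displayName=Reset Password)(displayName=Change Password)))' `
    -Properties displayName, rightsGuid |
    ForEach-Object { $rights[$_.displayName] = [guid]$_.rightsGuid }

$userClass = Get-ADObject -Server $ChildDC -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' -Properties schemaIDGUID
$userClassGuid = New-Object System.Guid (,[byte[]]$userClass.schemaIDGUID)

# Read the OU's security descriptor, add one ACE per right, write it back.
# "Descendents" is the enum's own spelling.
$ou = Get-ADObject -Server $ChildDC -Identity $TargetOU -Properties nTSecurityDescriptor
$sd = $ou.nTSecurityDescriptor

foreach ($name in 'Reset Password', 'Change Password') {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $proxySid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rights[$name],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $sd.AddAccessRule($ace)
}
Set-ADObject -Server $ChildDC -Identity $TargetOU -Replace @{ nTSecurityDescriptor = $sd }

# Verify: list the proxy's extended-right ACEs on the OU.
(Get-ADObject -Server $ChildDC -Identity $TargetOU -Properties nTSecurityDescriptor).nTSecurityDescriptor.Access |
    Where-Object { $_.IdentityReference.Value -eq $ProxyUser -and $_.ActiveDirectoryRights -eq 'ExtendedRight' } |
    Select-Object IdentityReference, ObjectType, InheritanceType, InheritedObjectType
```

Two caveats worth keeping in mind. The scope is one OU rather than the domain head, because a Reset Password right over every descendant user is effectively account takeover for all of them, so the proxy credentials deserve the same handling as any privileged service account. And members of protected groups (adminCount=1) have inheritance disabled by AdminSDHolder, so this ACE will not reach them; that is the intended outcome, and a proxy account should not be able to reset those passwords anyway.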