LDAP TEST is ok but at login "No subject alternative DNS name"


Marco Baiguera

Jan 25, 2022, 5:35:10 AM
to pwm-general
While in the configuration editor I can test the LDAP connection and the LDAP test user, and the result is OK (green lights), but when I try to log in I receive the error:
5015 ERROR_INTERNAL (unexpected error during ldap search (profile=jesi), error: 5015 ERROR_INTERNAL (ldap error during searchID=0, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: DomainDnsZone******, cause:javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching DomainDnsZones***** found., cause:java.security.cert.CertificateException: No subject alternative DNS name matching DomainDnsZones**** found.))

I understand the meaning of the error message related to the LDAP certificate.
I don't understand why the test is successful and then the application fails.
Is there any Java parameter to set to overcome the problem without replacing the certificate?
Thank you
Marco

Marco Baiguera

Jan 31, 2022, 8:51:44 AM
to pwm-general
I found the problem and I think this is a bug.
My domain name is xxxx.domain.com.
If I reference dc=xxxx,dc=domain,dc=com in LDAP Contextless Login Roots I get the error "No subject alternative DNS name matching DomainDnsZones",
but if I reference specific OUs instead of the domain root, the users can log in and authenticate properly.

Hope this is useful to someone

jason.e...@gmail.com

Jan 31, 2022, 10:23:13 AM
to pwm-general
Also, as a temporary measure until you issue a new, proper LDAP certificate, you can add this to JAVA_OPTS or the startup command:

 -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

When you rebuild your next certificate, include everything in the SAN field, such as:

CN=domain.com
subjectAltName=domain.com,domaindnszones.domain.com,forestdnszones.domain.com

and if you have an older domain from way back, also add to the SAN field:

tapi3.domain.com
tapi3directory.domain.com

Jason Rivard

Feb 2, 2022, 2:52:11 AM
to pwm-general
This has been discussed a few times on this list. It's because of the (insane?) way that AD LDAP does self-referrals. When you specify DC-level contexts, the AD server doesn't answer the request but instead sends referrals to all the DCs, using the DC naming as the DNS name for the server, causing the LDAP client (PWM) to have to make a new connection to the referred server, even though 99% of the time it's the same server we started the request on in the first place. And this in turn requires that TLS certificates match those DNS names. AD won't issue referrals if you specify an LDAP context at the users' container level and are pointing at a DC that has that domain local..... There are articles discussing this behavior on TechNet..... somewhere...
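
The mechanism Jason describes, modelled as an added example (this is not PWM code and not anything a poster in the thread wrote). It renders the search base DN as a DNS name the way AD does for continuation referrals, derives the DomainDnsZones/ForestDnsZones referral hosts, and checks them against a DC certificate's SAN list with the same rules Java's endpoint identification applies (exact match, or one left-most wildcard label). The DNs, host names and SAN lists are constructed, and the assumption that a forest-root domain also refers to ForestDnsZones is stated in the code. It also shows why the configuration editor's connection test passes while login fails: the test talks to the DC you configured, but only a subtree search rooted at the domain NC triggers referrals to partition names that the certificate must also cover.

```python
"""Model the AD referral + TLS hostname check that breaks a DC-level search base.

Added example for this thread, not code from PWM or from any poster. The DNs,
host names and SAN lists below are constructed; adjust them to your environment.
"""
from typing import List, Optional
from urllib.parse import urlparse


def dn_to_dns(dn: str) -> str:
    """Render a DC-only naming context (dc=xxxx,dc=domain,dc=com) as xxxx.domain.com.

    AD uses this rendering as the host part of a referral URL, so the name the
    LDAP client must verify is the partition's DNS name, not the DC's own FQDN.
    """
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or attr.strip().lower() != "dc":
            raise ValueError(f"not a DC-only naming context: {dn!r}")
        labels.append(value.strip())
    return ".".join(labels)


def is_dc_only(dn: str) -> bool:
    """True when every RDN is a dc= component, i.e. the base is a domain root."""
    try:
        dn_to_dns(dn)
        return True
    except ValueError:
        return False


def referrals_for_search_base(base_dn: str, forest_root_dn: Optional[str] = None) -> List[str]:
    """Continuation referrals a DC returns for a subtree search under base_dn.

    Assumptions (taken from the thread, not from any quoted specification):
      * a search rooted at the domain NC yields a referral to the DomainDnsZones
        application partition, and to ForestDnsZones when the domain is the
        forest root (assumed when forest_root_dn is None);
      * a search rooted at an OU below the domain NC yields no such referrals,
        which is the workaround Marco found.
    """
    if not is_dc_only(base_dn):
        return []
    domain = dn_to_dns(base_dn)
    refs = [f"ldap://DomainDnsZones.{domain}/DC=DomainDnsZones,{base_dn}"]
    if forest_root_dn is None or dn_to_dns(forest_root_dn).lower() == domain.lower():
        refs.append(f"ldap://ForestDnsZones.{domain}/DC=ForestDnsZones,{base_dn}")
    return refs


def referral_host(referral_url: str) -> str:
    """Host the client reconnects to (and must TLS-verify); urlparse lowercases it."""
    return urlparse(referral_url).hostname or ""


def host_matches_san(hostname: str, san_dns_names: List[str]) -> bool:
    """Endpoint identification as Java applies it: exact dNSName match, or a
    single left-most wildcard (*.xxxx.domain.com) that covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for san in san_dns_names:
        name = san.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            # The wildcard stands for one label, so the label counts must agree.
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
    return False


def unmatched_referral_hosts(base_dn: str, san_dns_names: List[str],
                             forest_root_dn: Optional[str] = None) -> List[str]:
    """Referral hosts the DC certificate's SAN does not cover; empty means login works."""
    return [
        referral_host(url)
        for url in referrals_for_search_base(base_dn, forest_root_dn)
        if not host_matches_san(referral_host(url), san_dns_names)
    ]


if __name__ == "__main__":
    BASE = "dc=xxxx,dc=domain,dc=com"            # constructed, mirrors the thread
    OU_BASE = "ou=People," + BASE                 # constructed OU-level login root
    narrow_san = ["dc01.xxxx.domain.com"]         # typical DC cert: only its own FQDN
    full_san = ["dc01.xxxx.domain.com", "xxxx.domain.com",
                "DomainDnsZones.xxxx.domain.com", "ForestDnsZones.xxxx.domain.com"]
    print("DC-level base, narrow SAN ->", unmatched_referral_hosts(BASE, narrow_san))
    print("DC-level base, full SAN   ->", unmatched_referral_hosts(BASE, full_san))
    print("OU base, narrow SAN       ->", unmatched_referral_hosts(OU_BASE, narrow_san))
```

Run it as-is to see the three outcomes from the thread: a domain-root login root with a DC certificate that names only the DC fails on both partition hosts, the same root with Jason's fuller SAN list passes, and an OU-level root never produces referrals in the first place. Note that the `-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true` stopgap mentioned earlier in the thread switches off this hostname check for every JNDI LDAP connection the JVM makes, not just the referral ones, so it should only bridge the gap until the certificate is reissued.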

Marco Baiguera

Feb 2, 2022, 4:15:12 AM
to pwm-g...@googlegroups.com
Thank you, the answers were very useful.
Still, I don't think the test should say OK when the login is not possible.

Thank you
Marco
