Error 5015 Upon Login/Setup


joseph...@pearsallisd.org

Feb 5, 2018, 10:04:09 AM
to pwm-general
We recently started trying to set PWM up in our district but are running into issues. The main issue we are getting is error 5015.

Error 5015
An error has occurred. If this error occurs repeatedly please contact your help desk.

5015 ERROR_UNKNOWN (unexpected error during ldap search (profile=default), error: 5015 ERROR_UNKNOWN (ldap error during searchID=1, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: ourdomain.org:636, cause:java.net.ConnectException: Connection timed out: connect))

The LDAP Contextless Login Roots is set to "DC=ourdomain,DC=org". I'm not sure if this would be an issue.

This does not always happen immediately though. It mainly happens when a user tries to log in a few minutes after the server is first configured. It allows me and others to connect to our Microsoft AD server for the first 30 minutes and then we all get prompted with Error 5015 upon login. Eventually, it will let us log back in but it takes up to an hour.

I have tried redoing PWM multiple times but we always end up back at 5015. Sometimes I cannot even get past adding the domain group for PWM admins. Half the time it works fine and I can see the users in the group. Other times it will give the Error 5015 when I try and look at the users in the group before hitting next, but I still get the green light because the group DN is correct. Today I also ran into the issue that it did not immediately time out during setup but I showed 0 users in the group even though there are two users in it.

We are trying to get this running on a Windows Server 2016 Standard server. Our schema has been expanded properly and the permissions for users to use them. The version we are using is "PWM v1.8.0-SNAPSHOT b31814690 rdeca9b1e3a39f38ba6213c6f340b9983cc975516"

Any help would be greatly appreciated. Thank you in advance!

Jason Rivard

Mar 1, 2018, 7:00:35 PM
to pwm-general
1) If you're using Microsoft AD integrated DNS, make sure PWM is pointed at an AD DNS server.
2) If you're not using Microsoft AD integrated DNS, make sure there is an entry for each level of your AD container structure. 'ourdomain.org' needs to resolve to a domain controller in your domain.

Read https://technet.microsoft.com/en-us/library/cc759550(v=ws.10).aspx or google for more info about AD's insanity-inducing DNS requirements.

lbro...@gmail.com

Mar 12, 2019, 2:29:42 PM
to pwm-general
Did you ever have any luck resolving this error?

Thanks!

roz...@gmail.com

Apr 17, 2019, 3:28:10 PM
to pwm-general
I came across this issue and resolved it with a temporary fix. PWM will look for domain.com regardless of which Domain Controller you configure during setup. If you do an nslookup domain.com from the host machine, you'll get the IP it's pointing to, along with all of the alternate domain controllers.

You need to make sure domain.com resolves to the domain controller holding the primary DNS role. Roles are oftentimes split between physical DCs so this can cause a problem. I just edited my local /etc/hosts file and resolved domain.com to the IP of the DC holding the primary DNS role and it has been working great since.
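
A check for the DNS condition described in the replies above, as an added example (not part of the thread and not PWM code): it resolves the AD domain name as `nslookup` would and tries the LDAPS port from the error message on every address returned. It assumes the intermittent timeouts come from the name sometimes resolving to an address that does not answer on 636; the function names and the 192.0.2.x sample addresses are constructed for illustration.

```python
import socket
import sys

LDAPS_PORT = 636  # port shown in the 5015 error text on this page

def resolve_all(name, port=LDAPS_PORT):
    """Return every distinct address the name resolves to."""
    infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_reachable(addr, port=LDAPS_PORT, timeout=3.0):
    """True if a TCP connection to addr:port completes within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # covers timeouts, refusals and unreachable hosts
        return False

def check_domain(name, port=LDAPS_PORT, resolver=resolve_all, probe=tcp_reachable):
    """Probe each address behind `name`; return {address: reachable}."""
    return {addr: probe(addr, port) for addr in resolver(name, port)}

def summarize(results):
    """One-line verdict: any unreachable address means intermittent failures."""
    if not results:
        return "FAIL: name did not resolve to any address"
    bad = sorted(addr for addr, ok in results.items() if not ok)
    if bad:
        return "FAIL: unreachable on LDAPS: " + ", ".join(bad)
    return "OK: all %d addresses accept LDAPS connections" % len(results)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check against the name given on the command line.
        try:
            print(summarize(check_domain(sys.argv[1])))
        except socket.gaierror as exc:
            print("FAIL: %s does not resolve: %s" % (sys.argv[1], exc))
    else:
        # Offline demo with constructed data: two records, one dead on 636.
        demo = check_domain(
            "ourdomain.org",
            resolver=lambda name, port: ["192.0.2.10", "192.0.2.11"],
            probe=lambda addr, port: addr == "192.0.2.10",
        )
        print(summarize(demo))
```

Run it on the PWM host with the AD domain name as the argument, so it uses the same resolver and hosts file that PWM's JVM sees.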

Eduardo Pastrana

Jul 7, 2023, 4:50:49 PM
to pwm-general
Hi, despite this topic being quite old, this just happened to me.

Why? This morning I moved an OU in my AD and PWM was complaining in its logs that it couldn't find that OU in its original place.

How did I solve it?

Stop PWM in Tomcat, change in PwmConfiguration.xml the key="configIsEditable" to true, start PWM in Tomcat then access PWM and open the config editor. Under the LDAP section, in LDAP Contextless Login Roots, delete the OU in conflict.

Change back the XML key="configIsEditable" to false, start Tomcat and enjoy.

Eduardo