Looking for which domains need to be in the SANs for the LDAPS server, as I have researched here and it is not exactly clear.
For each LDAPS DC that will serve as a connection host for PWM, I understand that a self-signed cert from the AD CA or a 3rd-party CA cert, issued from a custom Kerberos template and auto-renewing, is used. The question I have is what domain names need to be in there:
Config shows both certs valid for Server A and Server B, with only Server A listed in the LDAP URL section; listing both there made zero difference (whether 1 LDAPS DC server was used or 2).
Option 1 - Server A and B DNS Listed only in their own certificates
Option 2 - Server A and B DNS Listed in Each Server's Certificate in the SAN section
Option 3 - Server A and B and C DNS Listed only in their own certificates
Option 4 - Server A and B and C DNS Listed in Each Server's Certificate in the SAN section
Option 5 - Server A and B and Root DNS Listed only in their own certificates
Option 6 - Server A and B and DNS Root Listed in Each Server's Certificate in the SAN section
Option 7 - Server A and B and C and Root DNS Listed only in their own certificates
Option 8 - Server A and B and C and Root DNS Listed in Each Server's Certificate in the SAN section
I get this error when trying to log in with any AD user account, while everything tests fine in the config section and the Subject Name of the certificate on each LDAPS/DC server matches that server correctly; the certificates do not contain each other's domain name nor the root, so I am trying to understand this requirement, as it is not clear to me.
--------------------------------
An error has occurred. If this error occurs repeatedly please contact your help desk.
5015 ERROR_INTERNAL (unexpected error during ldap search (profile=default), error: 5015 ERROR_INTERNAL (ldap error during searchID=2, context=DC=example,DC=com, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException:
example.com:636, cause:javax.net.ssl.SSLHandshakeException: server certificate {subject=CN=
ServerB.example.com} does not match a certificate in the PWM configuration trust store., cause:java.security.cert.CertificateException: server certificate {subject=CN=
ServerB.example.com} does not match a certificate in the PWM configuration trust store.))
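The error above shows the client reaching `example.com:636`, i.e. the domain root name rather than a DC's own name, which is how a chased LDAP referral (the `PartialResultException` pattern) usually surfaces; a DC's certificate only covers that name if it is in its SANs. The script below is an added example, not part of the original post and not PWM's own code. It models the options listed above as constructed `getpeercert()`-style certificate dicts and reports, per DC, which client-facing hostnames (the LDAP URL hosts plus the domain root; the list is an assumption for this example) its certificate does not cover under RFC 6125 name-matching rules. `fetch_peer_cert` lets the same check run against a live DC given the issuing CA's PEM file (a hypothetical path); it is not exercised offline. Note that the message "does not match a certificate in the PWM configuration trust store" is a separate check from SAN matching: the trust store must hold the certificate (or issuing CA) the DC actually presents, which matters when templates auto-renew. This example covers only the SAN question.

```python
"""Check which client-facing hostnames each DC's LDAPS certificate covers.

Certificates are represented as dicts in the layout returned by Python's
ssl.SSLSocket.getpeercert(), so constructed examples and live certificates
(via fetch_peer_cert) go through the same check. Matching follows RFC 6125:
dNSName SAN entries are authoritative, the CN is consulted only when the
certificate has no dNSName SAN at all, comparison is case-insensitive, and a
wildcard is honoured only as the entire left-most label.
"""
import socket
import ssl

# Hostnames a client such as PWM may present to a DC: the hosts named in the
# LDAP URLs plus the domain root, which is the name a referral sends the client
# to (the example.com:636 seen in the error). Constructed for this example.
CLIENT_FACING_HOSTNAMES = ["servera.example.com", "serverb.example.com", "example.com"]


def san_dns_names(cert):
    """dNSName entries of the subjectAltName extension, if any."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert):
    """commonName from the subject RDN sequence, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def name_matches(pattern, hostname):
    """True if a certificate name (possibly '*.label...') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # '*.example.com' covers 'dc1.example.com' but not 'example.com'
        # or 'a.b.example.com'.
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_covers(cert, hostname):
    """Does this certificate cover hostname under RFC 6125 rules?"""
    names = san_dns_names(cert)
    if not names:  # legacy fallback: no dNSName SAN, so the CN is used
        cn = common_name(cert)
        names = [cn] if cn else []
    return any(name_matches(name, hostname) for name in names)


def coverage_report(certs_by_dc, hostnames=CLIENT_FACING_HOSTNAMES):
    """Map each DC to the client-facing hostnames its certificate does NOT cover."""
    return {dc: [h for h in hostnames if not cert_covers(cert, h)]
            for dc, cert in certs_by_dc.items()}


def fetch_peer_cert(host, cafile, port=636, timeout=5):
    """Fetch a DC's live LDAPS certificate as a getpeercert() dict.

    cafile is the PEM of the issuing CA (e.g. the AD CA); the chain is verified
    but the hostname is not, so the certificate can be inspected even when its
    names do not match. Requires network access; not exercised offline.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the names are inspected by cert_covers instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _cert(cn, *sans):
    """Build a constructed getpeercert()-style dict (example data only)."""
    return {
        "subject": ((("commonName", cn),),),
        "subjectAltName": tuple(("DNS", s) for s in sans),
    }


# Option 1 from the post: each DC's certificate names only itself.
OPTION_1 = {
    "ServerA": _cert("ServerA.example.com", "ServerA.example.com"),
    "ServerB": _cert("ServerB.example.com", "ServerB.example.com"),
}
# Option 6 from the post: both DC names plus the domain root in every SAN.
OPTION_6 = {
    "ServerA": _cert("ServerA.example.com", "ServerA.example.com",
                     "ServerB.example.com", "example.com"),
    "ServerB": _cert("ServerB.example.com", "ServerA.example.com",
                     "ServerB.example.com", "example.com"),
}

if __name__ == "__main__":
    for label, certs in (("Option 1", OPTION_1), ("Option 6", OPTION_6)):
        print(label, coverage_report(certs))
```

Running it shows Option 1 leaving `example.com` (and the other DC's name) uncovered on both DCs, while Option 6 leaves nothing uncovered; a wildcard `*.example.com` would cover the DC names but not the root itself. To check a real DC, pass its name and the AD CA PEM to `fetch_peer_cert` and feed the result to `coverage_report`.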