Error 5015 unbalanced parenthesis


Steve Handy

Dec 29, 2020, 8:19:09 PM
to pwm-general
Good Evening All,

Can someone please assist? I set up PWM using the LocalDB, connecting to my Active Directory. I am using this LDAP search string:

(&(objectClass=person)(|(myCurrentName=%USERNAME%)(|(sAMAccountName=%USERNAME%)(cn=%USERNAME%)(mail=%USERNAME%)))

When trying to log in with an AD account to test password changes, I get the following error:

"5015 ERROR_INTERNAL (unexpected error during ldap search (profile=default), error: 5015 ERROR_INTERNAL (ldap error during searchID=2, context=DC=hinda,DC=local, error=javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis))"

Can someone please assist if possible?

Thanks
Steve 

jason.e...@gmail.com

Dec 29, 2020, 8:37:34 PM
to pwm-general
Should be:

(&(objectClass=person)(|(myCurrentName=%USERNAME%)(sAMAccountName=%USERNAME%)(cn=%USERNAME%)(mail=%USERNAME%)))

You had one additional OR (|) wrapped separately.
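The error in the first post is a structural one, and it helps to see exactly where the filter breaks. The following is an added example, not PWM's own code or Jason's: a small recursive-descent parser for the RFC 4515 filter syntax (AND/OR/NOT and simple `attr=value` items, the subset used in this thread) that reports the offset at which a parenthesis is unbalanced, re-serializes a parsed filter so the corrected string can be checked for round-tripping, and escapes a value before it is substituted where PWM substitutes `%USERNAME%`. The `%USERNAME%` substitution and escaping here are illustrative of the general rule for user-supplied filter values and are not a claim about how PWM implements it; the two filter strings are the ones from this thread.

```python
"""Check the structure of an LDAP search filter (RFC 4515 subset).

Added example. Parses a filter into a tree and reports the offset of an
unbalanced parenthesis, which javax.naming's InvalidSearchFilterException
does not tell you. Covers (&...), (|...), (!...) and simple attr=value items.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Filters from the thread: the broken one and Jason's corrected one.
BROKEN_FILTER = "(&(objectClass=person)(|(myCurrentName=%USERNAME%)(|(sAMAccountName=%USERNAME%)(cn=%USERNAME%)(mail=%USERNAME%)))"
FIXED_FILTER = "(&(objectClass=person)(|(myCurrentName=%USERNAME%)(sAMAccountName=%USERNAME%)(cn=%USERNAME%)(mail=%USERNAME%)))"


@dataclass
class Node:
    op: str                      # '&', '|', '!' or '=' for a simple item
    attr: str = ""
    value: str = ""
    children: List["Node"] = field(default_factory=list)


class FilterError(ValueError):
    """Raised with the offset at which parsing failed."""


def parse_filter(text: str) -> Node:
    """Parse `text` into a Node tree or raise FilterError with an offset."""

    def parse(pos: int) -> Tuple[Node, int]:
        if pos >= len(text) or text[pos] != "(":
            raise FilterError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise FilterError("unbalanced parenthesis: filter ends after '('")
        ch = text[pos]
        if ch in "&|!":
            node = Node(op=ch)
            pos += 1
            # Operands of a set are themselves parenthesised filters.
            while pos < len(text) and text[pos] == "(":
                child, pos = parse(pos)
                node.children.append(child)
            if ch == "!" and len(node.children) != 1:
                raise FilterError(f"'!' takes exactly one operand (offset {pos})")
            if ch in "&|" and not node.children:
                raise FilterError(f"'{ch}' needs at least one operand (offset {pos})")
        else:
            # Simple item: attr=value up to the next ')'. Escaped values
            # (see escape_filter_value) never contain a raw ')'.
            end = text.find(")", pos)
            if end == -1:
                raise FilterError(f"unbalanced parenthesis: item at offset {pos} is never closed")
            item = text[pos:end]
            if "=" not in item:
                raise FilterError(f"item at offset {pos} has no '=': {item!r}")
            attr, value = item.split("=", 1)
            node = Node(op="=", attr=attr, value=value)
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise FilterError(f"unbalanced parenthesis: expected ')' at offset {pos}")
        return node, pos + 1

    root, end = parse(0)
    if end != len(text):
        raise FilterError(f"trailing text at offset {end}: {text[end:]!r}")
    return root


def validate_filter(text: str) -> Tuple[bool, str]:
    """Return (True, 'ok') or (False, reason) without raising."""
    try:
        parse_filter(text)
        return True, "ok"
    except FilterError as exc:
        return False, str(exc)


def to_string(node: Node) -> str:
    """Serialize a tree back to filter syntax (round-trips parse_filter)."""
    if node.op == "=":
        return f"({node.attr}={node.value})"
    return "(" + node.op + "".join(to_string(c) for c in node.children) + ")"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter.

    A login name containing '(' or '*' would otherwise change the filter's
    structure or widen the match; escaping keeps it a literal value.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def substitute_username(template: str, username: str) -> str:
    """Fill %USERNAME% with an escaped value (illustrative, not PWM's code)."""
    return template.replace("%USERNAME%", escape_filter_value(username))


if __name__ == "__main__":
    for name, f in (("broken", BROKEN_FILTER), ("fixed", FIXED_FILTER)):
        ok, why = validate_filter(f)
        print(f"{name}: {'valid' if ok else 'invalid'} ({why})")
    print(substitute_username(FIXED_FILTER, "j.doe(admin)*"))
```

Running the script reports the broken filter as invalid with the offset of the missing `)` (the end of the string, since one more `(` was opened than closed) and the fixed filter as valid; the last line shows the OR alternatives still matching a single literal value once the name is escaped.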

Steve Handy

Dec 29, 2020, 11:45:42 PM
to pwm-general
Jason, thank you. However, I am getting a new error:

5015 ERROR_INTERNAL (unexpected error during ldap search (profile=default), error: 5015 ERROR_INTERNAL (ldap error during searchID=1, context=DC=hinda,DC=local, error=javax.naming.PartialResultException, cause:javax.naming.CommunicationException: hinda.local:636, cause:javax.net.ssl.SSLHandshakeException: server certificate {subject=CN=HCHIWINDC2.hinda.local} does not match a certificate in the PWM configuration trust store., cause:java.security.cert.CertificateException: server certificate {subject=CN=HCHIWINDC2.hinda.local} does not match a certificate in the PWM configuration trust store.))

From the configuration manager, I have imported the cert from my AD server.

Steve

Steve Handy

Dec 31, 2020, 12:02:45 PM
to pwm-g...@googlegroups.com
So it looks like the cert that PWM imported has a different expiration date (12-19-2021) than the actual cert on my AD server (12-19-2025). I am assuming this is a bug with PWM. PWM looks nice, but it appears to be buggy. I will go find a different product to use.

Thanks
Steve


Jason Everling

Jan 1, 2021, 10:34:17 AM
to pwm-g...@googlegroups.com

Pretty sure it's because each of your domain controllers has a different certificate. Did you add all your domain controller connections in the config and then import? It will import each certificate.


Steve Handy Jr

Jan 1, 2021, 8:49:07 PM
to pwm-g...@googlegroups.com
Hi Jason, I only added one of my domain controllers, but each domain controller has the same certificate. My department just used a 3rd-party company to install a new certificate on both domain controllers a few weeks ago.

Anyhow, my plan is to use ManageEngine and move forward.

Thanks for all of your help.

Steve  


jason.e...@gmail.com

Jan 4, 2021, 12:44:15 PM
to pwm-general
No problem, but because of the way AD works, just because you told PWM to communicate with only one domain controller, AD says "nah, I want to send you to a different domain controller instead" :/ So, for future readers, ensure you add all domain controllers and import certs.

robert...@uwrf.edu

Jan 4, 2021, 12:54:18 PM
to pwm-general
Jason,

Since the topic of certificate trusts came up in this thread, is there any way to load a CA certificate and trust certs issued by that CA? We're using commercial certificates with our AD as well and keeping them up-to-date is getting more challenging with the combination of reduced certificate life (now max of 398 days I believe) and the fact that AD wants to use the certificate that expires last for LDAP connections. This increases our replacement frequency even further (every 6 months?) to try to keep our commercial certificates expiring later than the DC's domain CA-issued certificates. If we could trust a CA chain, I think we could roll to using just our domain certificates and not have to worry about commercial ones for this.

-Robert

Jason Everling

Jan 4, 2021, 2:04:13 PM
to pwm-g...@googlegroups.com
Yes, you can. If you import your root certificate into the Java truststore (the Java you're using for Tomcat), then you don't need to import it in PWM, nor do you have to load each server certificate.


Jason Rivard

Jan 6, 2021, 6:41:10 PM
to pwm-general
Manipulating the Java truststore is not necessary. You can import the CA root from inside the configuration.

See Settings ⇨ Security ⇨ Application Security ⇨ Certificate Validation Mode.

-Jason