
LDAP Refresh Connections Are Inconsistent


Article ID: 203253


Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

When PAM LDAP integration is configured with multiple domain controllers and SSL communication, the LDAP refresh intermittently fails with the error shown below. When it is configured to use non-SSL communication, the refresh works consistently.

Environment

Privileged Access Manager 3.x

Cause

The inconsistent behavior is caused by one or more DCs in the environment not being properly configured for SSL communication. Because the refresh may reach a different DC each time, it fails only when a misconfigured DC is selected. To confirm which DC caused the error, go to Configuration > Diagnostics > Diagnostic Logs, click the Download tab, and click View Recent Log Entries next to Tomcat Logs. The following error appears in the logs; the "Caused by" line names the IP address and port of the DC that caused the error.

Nov 10, 2020 4:57:59 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'PAMLDAPADMIN'
com.cloakware.cspm.server.app.ApplicationException: Connection reset
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.convertToApplicationException(WindowsDomainServiceTargetManager.java:1411)
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.createLDAPContext(WindowsDomainServiceTargetManager.java:1304)
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer(WindowsDomainServiceTargetManager.java:1121)
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.verifyPasswordInActiveDirectory(WindowsDomainServiceTargetManager.java:732)
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.verifyCredentials(WindowsDomainServiceTargetManager.java:695)
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.performUpdate(WindowsDomainServiceTargetManager.java:1831)
    at com.cloakware.cspm.server.app.TargetManager.run(TargetManager.java:668)
Caused by: javax.naming.CommunicationException: 10.1.1.1:636 [Root exception is javax.net.ssl.SSLException: Connection reset]
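The log check described above can be scripted. The following is an added example, not code from the article or the PAM product: it extracts the failing DC address from Tomcat log text using the "Caused by" line format shown in the excerpt, and offers a helper that tests whether a DC completes a TLS handshake on its LDAPS port before it is added back to the configuration. The sample log lines are constructed from the excerpt; hostnames, port and CA bundle path are assumptions.

```python
import re
import socket
import ssl
from typing import Dict, List, Optional

# Matches the 'Caused by' line from the PAM Tomcat log excerpt: the DC address
# sits between the exception class and the "[Root exception ...]" detail.
CAUSED_BY_RE = re.compile(
    r"Caused by: javax\.naming\.CommunicationException: "
    r"(?P<host>[^\s:\[]+):(?P<port>\d+) "
    r"\[Root exception is (?P<root>[^\]]+)\]"
)

def failing_dcs(log_text: str) -> Dict[str, List[str]]:
    """Return {"host:port": [root exception, ...]} for each DC the refresh failed against."""
    result: Dict[str, List[str]] = {}
    for m in CAUSED_BY_RE.finditer(log_text):
        key = f"{m['host']}:{m['port']}"
        result.setdefault(key, []).append(m["root"])
    return result

def ldaps_handshake_ok(host: str, port: int = 636, timeout: float = 5.0,
                       cafile: Optional[str] = None) -> bool:
    """Attempt a full TLS handshake against the DC's LDAPS port.

    A DC without a certificate bound for LDAPS typically resets the connection
    or fails the handshake, which matches the SSLException in the article.
    Validation uses the system trust store unless a CA bundle path is given.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False

# Constructed sample modelled on the article's excerpt (not a real capture).
SAMPLE_LOG = """\
SEVERE: Failed authentication to Active Directory using account 'PAMLDAPADMIN'
com.cloakware.cspm.server.app.ApplicationException: Connection reset
Caused by: javax.naming.CommunicationException: 10.1.1.1:636 [Root exception is javax.net.ssl.SSLException: Connection reset]
SEVERE: Failed authentication to Active Directory using account 'PAMLDAPADMIN'
Caused by: javax.naming.CommunicationException: 10.1.1.1:636 [Root exception is javax.net.ssl.SSLException: Connection reset]
"""

if __name__ == "__main__":
    for dc, errors in failing_dcs(SAMPLE_LOG).items():
        print(f"{dc}: {len(errors)} failure(s), last root cause: {errors[-1]}")
```

Run `ldaps_handshake_ok` against each DC address reported by `failing_dcs` from a PAM host that can reach the DCs; a DC that still fails the handshake should stay out of the configuration until its LDAPS certificate is in place.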

Resolution

As a workaround, take the domain controller out of the configuration so PAM will not communicate with it. Once the server has been properly configured for SSL communication, add it back.
