
LDAP Accounts unable to login


Article ID: 237874


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A PAM administrator noticed that, in their test environment, the following errors appear when attempting to log into PAM via LDAP:

PAM-CMN-0629: LDAPS connection made to <domain controller>:636.

PAM-CMN-0900: Bad User ID or Password.

PAM-CMN-0979: LDAP authentication failed for user <username> with error code (-1) and error string (Error in the pull function.: Unknown).


Cause

Domain Controller didn't have a valid certificate to use for ldaps://

Environment

Release : 3.4.x, 4.0.x

Component : PRIVILEGED ACCESS MANAGER

Resolution

The PAM logs also show the following error for the connection to the domain controller:

PAM-CM-3433: Certificate cannot be retrieved from the domain controller

PAM does not require the domain controller's root CA certificate to be imported in order to integrate over LDAPS.

However, the domain controller must present a valid certificate on port 636, one that is trusted and not expired, before PAM will integrate with it over LDAPS. Install a valid server certificate for LDAPS on the domain controller (or renew the expired one) and retry the login.