Error PAM-CM-0270: LDAP bind fail: Cannot contact LDAP server when configuring access to an LDAP server with SSL

Article ID: 273396

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When configuring an LDAP server with SSL in the Configuration / 3rd Party / LDAP dialog, saving produces the following error:

PAM-CM-0270: LDAP bind fail: Cannot contact LDAP server

If LDAP without SSL on port 389 is used instead, saving succeeds.

It has been verified that port 636 is open, that DNS is properly configured and that name resolution works. The account used for binding is a Domain Administrator.

The user is a domain administrator (privileges will be reduced later).

The message

PAM-CM-3432: Cannot connect to a domain controller on the specified domain

is also obtained when trying to update a Target Account from that specific Domain Controller in PAM.

Environment

CA PAM all releases

Cause

A common misconception is that setting up a Domain Controller automatically makes it reachable over SSL.

In fact, for operations to be possible over the secure port 636, a Domain Controller (or any LDAPS server) must have a Server Certificate installed that allows the TLS handshake with the client (in this case PAM) to complete.

That certificate is not set by default and it must be generated accordingly.

This situation is easy to spot in PAM. If credential management is used, as in the use case described above, updating a target AD account results in the following errors being reported in the credential management Tomcat logs:

2023-09-05T07:25:46.427+0000 SEVERE [TP3] org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest Message failed : something wrong has occurred
2023-09-05T07:25:46.427+0000 SEVERE [TP3] com.ca.pam.rest.LDAPService.createLdapConfig LDAP Bind fail: Cannot contact LDAP server 1.2.3.4
2023-09-05T07:29:36.736+0000 WARNING [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate Failed to retrieve certificate from DC at 'null, hostName=1.2.3.4, port=636', port=636

2023-09-05T07:29:36.736+0000 SEVERE [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer Failed authentication to Active Directory using account 'myPAM'
    com.cloakware.cspm.server.app.ApplicationException: PAM-CM-3433: Certificate cannot be retrieved from the domain controller

Resolution

A certificate needs to be generated for the Domain Controller to which PAM is trying to connect. There is plenty of information about how to do this; see for instance the section on deploying a certificate to the domain controller in the following Microsoft documentation:

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki

Any third party LDAP browser tool may be used to verify that the certificate is correctly installed and that port 636 responds as expected.

For instance, the simple LDAP browser jxplorer (www.jxplorer.org) is a useful tool for checking connections outside PAM.
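As an added example (not part of this article or of CA PAM), the following Python script performs the check outside PAM that the article recommends: it scans credential-management Tomcat log lines for the "Failed to retrieve certificate from DC" warning quoted above, then probes the Domain Controller's port 636 to tell apart a closed port, a port that accepts TCP but has no LDAPS certificate behind it, and a certificate that is served but not trusted or does not match the hostname. The function names, verdict strings and the sample log line are assumptions constructed for this example.

```python
import re
import socket
import ssl

LDAPS_PORT = 636
# Pattern of the credential-management Tomcat warning quoted in this article.
_DC_CERT_FAIL = re.compile(r"Failed to retrieve certificate from DC at .*?hostName=([\w.\-]+), port=(\d+)")

def dcs_missing_certificate(log_lines):
    """Return {host: port} for each DC that PAM could not fetch a certificate from."""
    hits = {}
    for line in log_lines:
        m = _DC_CERT_FAIL.search(line)
        if m:
            hits[m.group(1)] = int(m.group(2))
    return hits

def diagnose_tls_error(exc):
    """Map the exception raised during connect/handshake to a short verdict."""
    if isinstance(exc, (ConnectionRefusedError, TimeoutError, socket.timeout)):
        return "port_closed"            # firewall, or nothing listening on 636
    if isinstance(exc, ssl.SSLCertVerificationError):   # subclass of SSLError: test it first
        return "cert_untrusted_or_name_mismatch"
    if isinstance(exc, (ssl.SSLError, ConnectionResetError, ConnectionAbortedError)):
        return "no_server_certificate"  # TCP accepted but no TLS handshake: no LDAPS cert on the DC
    return "unknown"

def probe_ldaps(host, port=LDAPS_PORT, timeout=5.0, ca_file=None):
    """Return (verdict, tls_version). With ca_file=None only the presence of a certificate
    is checked; pass the issuing CA to also verify trust and hostname, as PAM's bind does."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if ca_file is None:
        ctx.check_hostname = False      # must be cleared before verify_mode is relaxed
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                verdict = "certificate_trusted" if ca_file else "certificate_presented"
                return verdict, tls.version()
    except OSError as exc:
        return diagnose_tls_error(exc), None

# Constructed sample in the shape of the Tomcat line quoted above (1.2.3.4 is the article's placeholder).
SAMPLE_LOG = ["2023-09-05T07:29:36.736+0000 WARNING [...] getAndSaveSSLCertificate Failed to retrieve "
              "certificate from DC at 'null, hostName=1.2.3.4, port=636', port=636"]

if __name__ == "__main__":
    for host, port in dcs_missing_certificate(SAMPLE_LOG).items():
        print(host, port, probe_ldaps(host, port, timeout=3.0))
```

A verdict of "no_server_certificate" for a DC is the condition this article describes; "cert_untrusted_or_name_mismatch" with the real CA file means a certificate exists but PAM will still not trust it until the issuing CA is imported or the certificate's name matches the configured hostname.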