Customer is configuring an LDAP connection to AD over LDAPS (TCP port 636).
Where does the certificate chain need to be imported for the LDAPS connection?
PAM trusts all the server certs during LDAPS connections.
When you configured LDAPS for the first time, you may not have imported any certificate chain and still established the LDAPS connection successfully, for this reason.
A cipher suite mismatch is a different matter.
In particular, when PAM is running in FIPS mode, the LDAP Browser may fail to connect over LDAPS because of a cipher mismatch if certain ciphers are disabled on the LDAP server side.
This is because the LDAP Browser (JXPlorer) does not support the most current cipher suites.
If your PAM server is configured in FIPS mode, LDAPS was working fine, and you can connect using the LDAP Browser (JXPlorer), then there is no problem.
If you then start to harden the LDAP server by restricting certain cipher suites, the LDAP Browser may encounter a cipher mismatch.
In that case, the customer will need to capture packets between PAM and the LDAP server to determine which ciphers need to be allowed to avoid this issue.
Note that PAM 3.3 will ship with an updated JXPlorer that supports newer cipher suites, including Diffie-Hellman cipher suites that enable Perfect Forward Secrecy (PFS).
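To read which cipher suites the client offered and how the LDAP server answered from such a capture, here is an added Python example (not from this article and not CA/Broadcom code): it decodes the TLS ClientHello and the server's ServerHello or alert record (assumed to be extracted from the pcap as raw TLS records), flags offered DHE/ECDHE suites as PFS-capable, and includes constructed sample records for one failing and one succeeding negotiation.

```python
import struct
# Constructed subset of IANA cipher-suite ids; extend it to cover your capture.
SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
def parse_client_hello(record):
    """Return the cipher-suite ids offered in a captured TLS ClientHello record."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if ctype != 0x16 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                    # handshake header, client version, random
    pos += 1 + body[pos]                # session id length + session id
    count = struct.unpack("!H", body[pos:pos + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + count, 2)]

def parse_server_reply(record):
    """Return ('chosen', suite id) for a ServerHello or ('alert', description) for an alert."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if ctype == 0x15:                   # alert record: level, description
        return "alert", body[1]
    if ctype == 0x16 and body[0] == 0x02:
        pos = 4 + 2 + 32
        pos += 1 + body[pos]
        return "chosen", struct.unpack("!H", body[pos:pos + 2])[0]
    raise ValueError("unexpected server record")

def diagnose(client_record, server_record):
    """Summarise one negotiation: suites offered, whether any give PFS, and the outcome."""
    names = [SUITE_NAMES.get(s, hex(s)) for s in parse_client_hello(client_record)]
    kind, value = parse_server_reply(server_record)
    result = SUITE_NAMES.get(value, hex(value)) if kind == "chosen" else (
        "handshake_failure" if value == 40 else f"alert({value})")
    return {"offered": names, "pfs_offered": any("DHE_" in n for n in names), "result": result}
def build_client_hello(suites):
    """Construct a minimal TLS 1.2 ClientHello record (sample input only, no extensions)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body
# Constructed samples: RSA-only client gets a fatal handshake_failure alert (0x28); PFS-capable client gets a ServerHello.
LEGACY_HELLO = build_client_hello([0x002F, 0x0035])
HANDSHAKE_FAILURE = b"\x15\x03\x03\x00\x02\x02\x28"
MODERN_HELLO = build_client_hello([0xC02F, 0xC030, 0x002F])
_sh = b"\x03\x03" + bytes(32) + b"\x00\xC0\x2F\x00"
SERVER_HELLO = b"\x16\x03\x03" + struct.pack("!H", len(_sh) + 4) + b"\x02" + len(_sh).to_bytes(3, "big") + _sh
```

A `handshake_failure` result with no PFS suite offered points at the client (here the LDAP Browser) lacking the suites the hardened server now requires, which is the mismatch this article describes.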
Setting up LDAPS connection in PAM: https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=130290