<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">I have attempted to configure a flexible authentication module for ldap (AD) where the environment relies on a cluster of domain controllers. In this scenario, eventually authentication through this channel fails. The log indicates success for a time, then indicates a connection closure, and thereafter shows a PKIX path building failure (I take that to superficially mean a certificate verification failure). Yet, by explicitly configuring a given domain controller in the security policy on occasion, connecting to that specific endpoint has worked. It appears to me that the clustered approach is what’s thorny here rather than a certificate/TLS matter. I think this may, under the covers, be due to a connection caching/pooling and refresh issue, as it appears to occur when given time — perhaps time for the environment to route requests to another member of the cluster.<br class=""><div class="">
<div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;"><br class="Apple-interchange-newline">This ldap cluster serves both purposes of authentication into midPoint and of an identity/provisioning resource. A similar issue apparently impacts my resource connection to this same ldap (AD) cluster. I was forced to set “Allow untrusted SSL/TLS” to true, which seems to have prevented recurrence of the connection problems. That resource configuration has one of the four domain controllers set as the “Host”, and the other three are set as “Servers”. It is important to note that when I configure this resource for only one ldap (AD) domain controller at a time AND for requiring trusted TLS --- and testing each of the four this way, no PKIX path building failure seems to occur. 
But that may be due to not allowing enough time to pass for a load balancer reroute of traffic.</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;"><br class=""></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;">The certificate and the sole CA’s certificate in the signing chain for each of the four domain controllers are installed in the trust store. So, I am led to believe that it’s not truly a PKIX path building failure. I’ve pasted an excerpt from my log below my signature. 
Is a connection/socket closure typical for clustered environments which the client should recover from?</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;"><br class=""></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;">Jim Lookabaugh</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;" class="">Exclamation Labs<br class="">300 Washington Street<br class="">Cumberland, MD 21502<br class="">888.545.5008 or 301.722.5008</div><div style="text-align: start; text-indent: 0px;" class="">240.860.1847 direct<br class="">fax 301.722.2183</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;" class=""><a href="mailto:jlookabaugh@exclamationlabs.com" class="">jlookabaugh@exclamationlabs.com</a><br class=""></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; 
text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;" class=""><a href="http://www.exclamationlabs.com" class="">www.exclamationlabs.com</a><br class="">www.provisioniam.com</div></div>
</div>
<div><br class=""></div><div><br class=""></div><div>= = = = =</div><div><div>2021-xx-xx 12:57:32,868 [] [http-nio-8080-exec-10] INFO (org.springframework.security.ldap.DefaultSpringSecurityContextSource): URL '<a href="ldaps://serverA.myowncorp.com:636/DC=myowncorp,DC=com" class="">ldaps://serverA.myowncorp.com:636/DC=myowncorp,DC=com</a>', root DN is 'DC=myowncorp,DC=com'</div><div>2021-xx-xx 12:57:32,896 [] [http-nio-8080-exec-10] INFO (org.springframework.security.ldap.search.FilterBasedLdapUserSearch): SearchBase not set. Searches will be performed from the root: dc=myowncorp,dc=com</div><div>2021-xx-xx 12:57:33,109 [] [http-nio-8080-exec-10] INFO (org.springframework.security.web.DefaultSecurityFilterChain): Creating filter chain: Ant [pattern='/auth/default/ldapAuth/**'], [org.springframework.security.web.header.HeaderWriterFilter@c02f71c, org.springframework.security.web.csrf.CsrfFilter@60cd69b4, com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter@4db27ca8, org.springframework.security.web.authentication.logout.LogoutFilter@5693cb71, com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter@2fe0dfda, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@38408be, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@70405950, com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter@640564cb, com.evolveum.midpoint.web.security.filter.MidpointExceptionTranslationFilter@31abb100, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@2e47db4f]</div><div>2021-xx-xx 12:59:01,662 [] [http-nio-8080-exec-7] INFO (org.springframework.security.web.DefaultSecurityFilterChain): Creating filter chain: Ant [pattern='/auth/emergency/internalLoginForm/**'], [org.springframework.security.web.header.HeaderWriterFilter@7b486355, org.springframework.security.web.csrf.CsrfFilter@788669db, 
com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter@1147d5b6, org.springframework.security.web.authentication.logout.LogoutFilter@29ad491d, com.evolveum.midpoint.web.security.filter.MidpointUsernamePasswordAuthenticationFilter@28906c98, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@4092633f, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@9386989, com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter@3a989faa, com.evolveum.midpoint.web.security.filter.MidpointExceptionTranslationFilter@7c8fe846, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@25fa86ab]</div><div>2021-xx-xx 13:01:47,035 [] [http-nio-8080-exec-23] WARN (com.exclamationlabs.connid.base.redcarpet.driver.RedCarpetUserInvocator): method: null msg:User not found for id: connectionTest</div><div>2021-xx-xx 13:57:59,245 [] [http-nio-8080-exec-20] INFO (org.springframework.security.ldap.DefaultSpringSecurityContextSource): URL '<a href="ldaps://serverA.myowncorp.com:636/DC=myowncorp,DC=com" class="">ldaps://serverA.myowncorp.com:636/DC=myowncorp,DC=com</a>', root DN is 'DC=myowncorp,DC=com'</div><div>2021-xx-xx 13:57:59,245 [] [http-nio-8080-exec-20] INFO (org.springframework.security.ldap.search.FilterBasedLdapUserSearch): SearchBase not set. 
Searches will be performed from the root: dc=myowncorp,dc=com</div><div>2021-xx-xx 13:57:59,245 [] [http-nio-8080-exec-20] INFO (org.springframework.security.web.DefaultSecurityFilterChain): Creating filter chain: Ant [pattern='/auth/default/ldapAuth/**'], [org.springframework.security.web.header.HeaderWriterFilter@7774913d, org.springframework.security.web.csrf.CsrfFilter@7a5d5a6e, com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter@cd0a10c, org.springframework.security.web.authentication.logout.LogoutFilter@5ffe2eb7, com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter@26ff4f05, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@12086a5c, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4645e66b, com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter@500b50f4, com.evolveum.midpoint.web.security.filter.MidpointExceptionTranslationFilter@142320f8, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@fe6785d]</div><div>2021-xx-xx 13:58:08,710 [MODEL] [http-nio-8080-exec-22] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a>; nested exception is javax.naming.CommunicationException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a> [Root exception is java.net.SocketException: Connection or outbound has closed]</div><div>org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a>; nested exception is javax.naming.CommunicationException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a> [Root exception is 
java.net.SocketException: Connection or outbound has closed]</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider$1.doAuthentication(MidPointLdapAuthenticationProvider.java:71)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider.internalAuthentication(MidPointLdapAuthenticationProvider.java:167)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)</div><div>Caused by: org.springframework.ldap.CommunicationException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a>; nested exception is javax.naming.CommunicationException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a> [Root exception is java.net.SocketException: Connection or outbound has closed]</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at 
org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)</div><div>Caused by: javax.naming.CommunicationException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2792)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)</div><div>Caused by: java.net.SocketException: Connection or outbound has closed</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1190)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at 
java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)</div><div>2021-xx-xx 13:58:08,710 [MODEL] [http-nio-8080-exec-22] ERROR (com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter): An internal error occurred while trying to authenticate the user.</div><div>org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a>; nested exception is javax.naming.CommunicationException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a> [Root exception is java.net.SocketException: Connection or outbound has closed]</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider$1.doAuthentication(MidPointLdapAuthenticationProvider.java:71)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider.internalAuthentication(MidPointLdapAuthenticationProvider.java:167)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)</div><div>Caused by: 
org.springframework.ldap.CommunicationException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a>; nested exception is javax.naming.CommunicationException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a> [Root exception is java.net.SocketException: Connection or outbound has closed]</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)</div><div>Caused by: javax.naming.CommunicationException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2792)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at 
java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)</div><div>Caused by: java.net.SocketException: Connection or outbound has closed</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1190)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)</div><div>2021-xx-xx 13:58:18,242 [] [http-nio-8080-exec-20] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a>; nested exception is javax.naming.CommunicationException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a> [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]</div><div>org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a>; nested exception is javax.naming.CommunicationException: simple 
bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a> [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider$1.doAuthentication(MidPointLdapAuthenticationProvider.java:71)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider.internalAuthentication(MidPointLdapAuthenticationProvider.java:167)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)</div><div>Caused by: org.springframework.ldap.CommunicationException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a>; nested exception is javax.naming.CommunicationException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a> [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at 
org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)</div><div>Caused by: javax.naming.CommunicationException: simple bind failed: <a href="http://servera.myowncorp.com:636" class="">serverA.myowncorp.com:636</a></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2792)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)</div><div>Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at 
java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)</div><div>Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.validator.Validator.validate(Validator.java:264)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)</div><div>Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at 
java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)</div><div class=""><br class=""></div></div></body></html>
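The sequence visible in the log excerpt above (context source created, socket closed during a bind, PKIX failure on the next attempt) can be extracted from a longer midPoint log mechanically. The Python below is an added example, not part of the original message or of midPoint; the function names and the sample lines (host `dc.example.test`) are constructed, and it assumes all lines fall on one day because the dates in the excerpt are redacted.

```python
import re

# Constructed sample lines in the layout of the excerpt above; the host name is a placeholder.
SAMPLE_LOG = """\
2021-xx-xx 12:57:32,868 [] [http-nio-8080-exec-10] INFO (org.springframework.security.ldap.DefaultSpringSecurityContextSource): URL 'ldaps://dc.example.test:636/DC=example,DC=test', root DN is 'DC=example,DC=test'
2021-xx-xx 13:58:08,710 [MODEL] [http-nio-8080-exec-22] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: simple bind failed: dc.example.test:636; nested exception is javax.naming.CommunicationException: simple bind failed: dc.example.test:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
\tat org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
2021-xx-xx 13:58:08,710 [MODEL] [http-nio-8080-exec-22] ERROR (com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter): An internal error occurred while trying to authenticate the user.
org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: dc.example.test:636; nested exception is javax.naming.CommunicationException: simple bind failed: dc.example.test:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
2021-xx-xx 13:58:18,242 [] [http-nio-8080-exec-20] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: simple bind failed: dc.example.test:636; nested exception is javax.naming.CommunicationException: simple bind failed: dc.example.test:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
"""

# date, time, [subsystem], [thread], LEVEL, (logger):
HEADER = re.compile(
    r"^\S+ (\d\d):(\d\d):(\d\d),(\d{3}) \[[^\]]*\] \[([^\]]+)\] (\w+) \(([^)]+)\): ")
BIND = re.compile(r"simple bind failed: ([\w.-]+):(\d+)")
ROOT = re.compile(r"\[Root exception is ([\w.$]+): (.*?)\]")
CTX = re.compile(r"URL 'ldaps?://([\w.-]+):(\d+)")


def classify(exc_class, message):
    """Map the JNDI root exception to the two failure kinds seen in the excerpt."""
    if exc_class.endswith("SSLHandshakeException") and "PKIX path building failed" in message:
        return "trust-failure"
    if exc_class.endswith("SocketException") and "closed" in message:
        return "connection-closed"
    return "other"


def records(log_text):
    """Group continuation lines (exception text, stack frames) under their header line."""
    current = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            h, mi, s, ms, thread, level, _logger = m.groups()
            millis = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + int(ms)
            current = {"ms": millis, "thread": thread, "level": level, "text": line}
        elif current:
            current["text"] += "\n" + line
    if current:
        yield current


def timeline(log_text):
    """Return {host:port: [(ms_of_day, kind), ...]} in log order.

    The provider and the filter both log the same failed bind, so events are
    de-duplicated on (time, thread, endpoint, kind).
    """
    seen, out = set(), {}
    for rec in records(log_text):
        bind, root, ctx = (p.search(rec["text"]) for p in (BIND, ROOT, CTX))
        if rec["level"] == "ERROR" and bind and root:
            host, kind = f"{bind.group(1).lower()}:{bind.group(2)}", classify(*root.groups())
        elif ctx:
            host, kind = f"{ctx.group(1).lower()}:{ctx.group(2)}", "context-created"
        else:
            continue
        key = (rec["ms"], rec["thread"], host, kind)
        if key not in seen:
            seen.add(key)
            out.setdefault(host, []).append((rec["ms"], kind))
    return out


def closed_then_untrusted(events_by_host, window_ms=60_000):
    """Find a closed socket followed by a PKIX failure on the same endpoint.

    Chain validation only runs during a TLS handshake, so the trust failure
    marks the first new handshake after the earlier connection went away.
    Returns [(endpoint, gap_ms), ...].
    """
    hits = []
    for host, events in events_by_host.items():
        last_closed = None
        for ms, kind in events:
            if kind == "connection-closed":
                last_closed = ms
            elif kind == "trust-failure" and last_closed is not None:
                if ms - last_closed <= window_ms:
                    hits.append((host, ms - last_closed))
                last_closed = None
    return hits


if __name__ == "__main__":
    tl = timeline(SAMPLE_LOG)
    print(tl)
    print(closed_then_untrusted(tl))
```

Each hit gives the endpoint and the time of the first fresh handshake, which is the moment to compare the certificate chain actually served on that name against the trust store.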