<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Thank you, Chris, for the insight.  I agree that I will need to approach the administrator for that load balancer (or proxy or whatever that mechanism is) for some collaboration on this.<div class=""><br class=""></div><div class="">Cheers!</div><div class="">-Jim<br class=""><div class="">
<div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;"><br class="Apple-interchange-newline"><br class=""></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;"><br class=""></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;">Jim Lookabaugh</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;" class="">Exclamation Labs<br class="">300 Washington Street<br class="">Cumberland, MD 21502<br class="">888.545.5008 or 301.722.5008</div><div style="text-align: start; text-indent: 0px;" class="">240.860.1847 direct<br class="">fax 301.722.2183</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; 
white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;" class=""><a href="mailto:jlookabaugh@exclamationlabs.com" class="">jlookabaugh@exclamationlabs.com</a><br class=""></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; text-align: start; text-indent: 0px;" class=""><a href="http://www.exclamationlabs.com" class="">www.exclamationlabs.com</a><br class="">www.provisioniam.com</div></div>
</div>
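<div class="">A way to test the load-balancer hypothesis from the JVM's own point of view, as an added example that is not part of this thread or of midPoint: the class below opens a fresh LDAPS connection several times, captures the certificate chain each handshake returns, and validates every chain with the JDK's own PKIX trust manager, loaded from the same trust store midPoint would use (-Djavax.net.ssl.trustStore, otherwise the JDK cacerts). The host name ldap-lb.example.invalid is a placeholder, and the class and method names are assumptions of this example.</div>

```java
// TrustProbe.java (added example, not midPoint code). Opens a fresh LDAPS connection
// several times, records the certificate chain each handshake returns, and runs every
// chain through the JVM's own PKIX trust manager, loaded from the same trust store that
// -Djavax.net.ssl.trustStore (or, absent that, the JDK's default cacerts) gives midPoint.
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;

public class TrustProbe {

    /** Accepts whatever the peer sends and keeps a copy, so the chain can be inspected afterwards. */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] chain = new X509Certificate[0];
        String authType = "UNKNOWN";
        @Override public void checkClientTrusted(X509Certificate[] c, String a) { }
        @Override public void checkServerTrusted(X509Certificate[] c, String a) { chain = c; authType = a; }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** The JDK's PKIX trust manager over the trust store the JVM itself would use. */
    static X509TrustManager pkixTrustManager() throws Exception {
        KeyStore ks = null;                                // null selects the JDK default (cacerts)
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path != null) {
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
            try (InputStream in = new FileInputStream(path)) { ks.load(in, pw.toCharArray()); }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("PKIX TrustManagerFactory returned no X509TrustManager");
    }

    /** SHA-256 over the DER encoding, the value `openssl x509 -fingerprint -sha256` prints. */
    static String sha256(X509Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** One complete TLS handshake on a brand-new socket, so no pooled connection is reused. */
    static CapturingTrustManager handshake(String host, int port) throws Exception {
        CapturingTrustManager capture = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.setSoTimeout(10_000);
            sock.startHandshake();
        }
        return capture;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ldap-lb.example.invalid";   // placeholder host name
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;
        int rounds = args.length > 2 ? Integer.parseInt(args[2]) : 10;
        X509TrustManager pkix = pkixTrustManager();
        Map<String, Integer> leafCounts = new LinkedHashMap<>();   // leaf fingerprint -> times seen

        for (int i = 1; i <= rounds; i++) {
            CapturingTrustManager seen;
            try {
                seen = handshake(host, port);
            } catch (Exception e) {                 // e.g. the balancer dropped the connection
                System.out.println("round " + i + ": handshake failed: " + e);
                continue;
            }
            X509Certificate[] chain = seen.chain;
            if (chain.length == 0) { System.out.println("round " + i + ": no chain presented"); continue; }
            String fp = sha256(chain[0]);
            leafCounts.merge(fp, 1, Integer::sum);
            String verdict;
            try {
                pkix.checkServerTrusted(chain, seen.authType);   // path validation only, no hostname check
                verdict = "TRUSTED";
            } catch (CertificateException e) {
                verdict = "NOT TRUSTED: " + e.getMessage();        // the PKIX path building failure
            }
            System.out.printf("round %d: %d cert(s) in chain, leaf sha256 %s%n  subject: %s%n  issuer:  %s%n  %s%n",
                    i, chain.length, fp, chain[0].getSubjectX500Principal(),
                    chain[0].getIssuerX500Principal(), verdict);
        }
        System.out.println(leafCounts.size() <= 1
                ? "one leaf certificate seen on every successful connection"
                : leafCounts.size() + " distinct leaf certificates seen (fingerprint -> count): " + leafCounts);
    }
}
```

<div class="">Run it with the same trust store flags as the midPoint JVM, for example <code>java -Djavax.net.ssl.trustStore=/path/to/truststore.jks TrustProbe ldap-lb.example.invalid 636 20</code>. A NOT TRUSTED verdict is the same PKIX path building failure as in the log, printed next to the subject, issuer and fingerprint of the leaf that caused it; more than one distinct leaf fingerprint across rounds means the balancer is fronting backends with different certificates (or terminating TLS itself), and the issuer of each untrusted leaf is the CA certificate to import, as Chris suggests. The two-argument checkServerTrusted validates the certification path only, which is what the logged error is about; a hostname mismatch would surface as a different exception.</div>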
<div><br class=""><blockquote type="cite" class=""><div class="">On May 21, 2021, at 1:13 PM, <a href="mailto:midpoint-request@lists.evolveum.com" class="">midpoint-request@lists.evolveum.com</a> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Send midPoint mailing list submissions to<br class=""><span class="Apple-tab-span" style="white-space:pre">   </span><a href="mailto:midpoint@lists.evolveum.com" class="">midpoint@lists.evolveum.com</a><br class=""><br class="">To subscribe or unsubscribe via the World Wide Web, visit<br class=""><span class="Apple-tab-span" style="white-space:pre">       </span>https://lists.evolveum.com/mailman/listinfo/midpoint<br class="">or, via email, send a message with subject or body 'help' to<br class=""><span class="Apple-tab-span" style="white-space:pre">  </span>midpoint-request@lists.evolveum.com<br class=""><br class="">You can reach the person managing the list at<br class=""><span class="Apple-tab-span" style="white-space:pre">     </span>midpoint-owner@lists.evolveum.com<br class=""><br class="">When replying, please edit your Subject line so it is more specific<br class="">than "Re: Contents of midPoint digest..."<br class=""><br class=""><br class="">Today's Topics:<br class=""><br class="">   1. 
Re: [Newsletter]  Flexible Auth: ldap connection issues<br class="">      (Chris Woods)<br class=""><br class=""><br class="">----------------------------------------------------------------------<br class=""><br class="">Message: 1<br class="">Date: Fri, 21 May 2021 17:13:34 +0000<br class="">From: Chris Woods <Chris.Woods@rohde-schwarz.com><br class="">To: midPoint General Discussion <midpoint@lists.evolveum.com><br class="">Subject: Re: [midPoint] [Newsletter]  Flexible Auth: ldap connection<br class=""><span class="Apple-tab-span" style="white-space:pre">       </span>issues<br class="">Message-ID: <019006274cfe4e99b4aaa1928af26f4e@rohde-schwarz.com><br class="">Content-Type: text/plain; charset="utf-8"<br class=""><br class="">Hi Jim,<br class=""><br class=""><br class="">that usually means that the certificate being presented by the (presumably load balancer?) is either self-signed or issued by a CA, whose certificate isn’t in your trust store (either specified explicitly with -Djavax.net.ssl.trustStore or implicitly from the JDK/JRE).<br class=""><br class=""><br class=""><br class="">openssl s_client -connect <loadbalancer_hostname>:636 -showcerts<br class=""><br class=""><br class=""><br class="">should give you the certificate chain. There might be a hint here regarding self-signed certificate. 
If not, maybe you just need to import the CA certificate into your trust store (we do the same, because our certificates are issued by our internal PKI and not included in the standard cacerts truststore that comes with the JRE).<br class=""><br class=""><br class=""><br class="">Regards,<br class=""><br class="">Chris<br class="">.<br class=""><br class="">From: midPoint <midpoint-bounces@lists.evolveum.com> On Behalf Of Jim Lookabaugh via midPoint<br class="">Sent: Friday, May 21, 2021 6:17 PM<br class="">To: midpoint@lists.evolveum.com<br class="">Cc: Jim Lookabaugh <jlookabaugh@exclamationlabs.com><br class="">Subject: *EXT* [Newsletter] [midPoint] Flexible Auth: ldap connection issues<br class=""><br class="">I have attempted to configure a flexible authentication module for ldap (AD) where the environment relies on a cluster of domain controllers.  In this scenario, eventually authentication through this channel fails. The log indicates success for a time, then indicates a connection closure, and thereafter shows a PKIX path building failure (I take that to superficially mean a certificate verification failure).  Yet, by explicitly configuring a given domain controller in the security policy on occasion, connecting to that specific endpoint has worked.  It appears to me that the clustered approach is what’s thorny here rather than a certificate/TLS matter.  I think this may, under the covers, be due to a connection caching/pooling and refresh issue, as it appears to occur when given time — perhaps time for the environment to route requests to another member of the cluster.<br class=""><br class="">This ldap cluster serves both purposes of authentication into midPoint and of an identity/provisioning resource. A similar issue apparently impacts my resource connection to this same ldap (AD) cluster.  I was forced to set “Allow untrusted SSL/TLS” to true, which seems to have prevented recurrence of the connection problems.  
That resource configuration has one of the four domain controllers set as the “Host”, and the other three are set as “Servers”. It is important to note that when I configure this resource for only one ldap (AD) domain controller at a time AND for requiring trusted TLS --- and testing each of the four this way, no PKIX path building failure seems to occur. But that may be due to not allowing enough time to pass for a load balancer reroute of traffic.<br class=""><br class="">The certificate and the sole CA’s certificate in the signing chain for each of the four domain controllers are installed in the trust store. So, I am led to believe that it’s not truly a PKIX path building failure.  I’ve pasted an excerpt from my log below my signature.  Is a connection/socket closure typical for clustered environments which the client should recover from?<br class=""><br class="">Jim Lookabaugh<br class="">Exclamation Labs<br class="">300 Washington Street<br class="">Cumberland, MD 21502<br class="">888.545.5008 or 301.722.5008<br class="">240.860.1847 direct<br class="">fax 301.722.2183<br class="">jlookabaugh@exclamationlabs.com<br class="">www.exclamationlabs.com<br class="">www.provisioniam.com<br class=""><br class=""><br class="">= = = = =<br class="">2021-xx-xx 12:57:32,868 [] [http-nio-8080-exec-10] INFO (org.springframework.security.ldap.DefaultSpringSecurityContextSource):  URL 'ldaps://serverA.myowncorp.com:636/DC=myowncorp,DC=com', root DN is 'DC=myowncorp,DC=com'<br class="">2021-xx-xx 12:57:32,896 [] [http-nio-8080-exec-10] INFO (org.springframework.security.ldap.search.FilterBasedLdapUserSearch): SearchBase not set. 
Searches will be performed from the root: dc=myowncorp,dc=com<br class="">2021-xx-xx 12:57:33,109 [] [http-nio-8080-exec-10] INFO (org.springframework.security.web.DefaultSecurityFilterChain): Creating filter chain: Ant [pattern='/auth/default/ldapAuth/**'], [org.springframework.security.web.header.HeaderWriterFilter@c02f71c, org.springframework.security.web.csrf.CsrfFilter@60cd69b4, com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter@4db27ca8, org.springframework.security.web.authentication.logout.LogoutFilter@5693cb71, com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter@2fe0dfda, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@38408be, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@70405950, com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter@640564cb, com.evolveum.midpoint.web.security.filter.MidpointExceptionTranslationFilter@31abb100, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@2e47db4f]<br class="">2021-xx-xx 12:59:01,662 [] [http-nio-8080-exec-7] INFO 
(org.springframework.security.web.DefaultSecurityFilterChain): Creating filter chain: Ant [pattern='/auth/emergency/internalLoginForm/**'], [org.springframework.security.web.header.HeaderWriterFilter@7b486355, org.springframework.security.web.csrf.CsrfFilter@788669db, com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter@1147d5b6, org.springframework.security.web.authentication.logout.LogoutFilter@29ad491d, com.evolveum.midpoint.web.security.filter.MidpointUsernamePasswordAuthenticationFilter@28906c98, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@4092633f, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@9386989, com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter@3a989faa, com.evolveum.midpoint.web.security.filter.MidpointExceptionTranslationFilter@7c8fe846, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@25fa86ab]<br class="">2021-xx-xx 13:01:47,035 [] [http-nio-8080-exec-23] WARN (com.exclamationlabs.connid.base.redcarpet.driver.RedCarpetUserInvocator): method: null msg:User not found for id: 
connectionTest<br class="">2021-xx-xx 13:57:59,245 [] [http-nio-8080-exec-20] INFO (org.springframework.security.ldap.DefaultSpringSecurityContextSource):  URL 'ldaps://serverA.myowncorp.com:636/DC=myowncorp,DC=com', root DN is 'DC=myowncorp,DC=com'<br class="">2021-xx-xx 13:57:59,245 [] [http-nio-8080-exec-20] INFO (org.springframework.security.ldap.search.FilterBasedLdapUserSearch): SearchBase not set. Searches will be performed from the root: dc=myowncorp,dc=com<br class="">2021-xx-xx 13:57:59,245 [] [http-nio-8080-exec-20] INFO (org.springframework.security.web.DefaultSecurityFilterChain): Creating filter chain: Ant [pattern='/auth/default/ldapAuth/**'], [org.springframework.security.web.header.HeaderWriterFilter@7774913d, org.springframework.security.web.csrf.CsrfFilter@7a5d5a6e, com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter@cd0a10c, org.springframework.security.web.authentication.logout.LogoutFilter@5ffe2eb7, com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter@26ff4f05, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@12086a5c, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4645e66b, com.evolveum.midpoint.web.security.filter.MidpointAnonymousAuthenticationFilter@500b50f4, 
com.evolveum.midpoint.web.security.filter.MidpointExceptionTranslationFilter@142320f8, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@fe6785d]<br class="">2021-xx-xx 13:58:08,710 [MODEL] [http-nio-8080-exec-22] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]<br class="">org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]<br class="">            at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)<br class="">            at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider$1.doAuthentication(MidPointLdapAuthenticationProvider.java:71)<br class="">            at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)<br class="">            at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider.internalAuthentication(MidPointLdapAuthenticationProvider.java:167)<br class="">            at 
com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)<br class="">Caused by: org.springframework.ldap.CommunicationException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]<br class="">            at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)<br class="">            at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)<br class="">            at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)<br class="">            at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)<br class="">            at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)<br class="">Caused by: javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636<br class="">            at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)<br class="">            at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2792)<br class="">            at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)<br class="">            at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)<br class="">            at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)<br class="">Caused by: java.net.SocketException: Connection or outbound has closed<br class="">            at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1190)<br class="">          
  at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)<br class="">            at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)<br class="">            at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)<br class="">            at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)<br class="">2021-xx-xx 13:58:08,710 [MODEL] [http-nio-8080-exec-22] ERROR (com.evolveum.midpoint.web.security.filter.LdapAuthenticationFilter): An internal error occurred while trying to authenticate the user.<br class="">org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]<br class="">            at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)<br class="">            at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider$1.doAuthentication(MidPointLdapAuthenticationProvider.java:71)<br class="">            at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)<br class="">            at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider.internalAuthentication(MidPointLdapAuthenticationProvider.java:167)<br class="">            at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)<br class="">Caused by: org.springframework.ldap.CommunicationException: simple bind failed: serverA.myowncorp.com:636; nested 
exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]<br class="">            at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)<br class="">            at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)<br class="">            at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)<br class="">            at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)<br class="">            at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)<br class="">Caused by: javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636<br class="">            at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)<br class="">            at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2792)<br class="">            at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)<br class="">            at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)<br class="">            at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)<br class="">Caused by: java.net.SocketException: Connection or outbound has closed<br class="">            at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1190)<br class="">            at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)<br class="">            at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)<br class="">            at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)<br class=""> 
           at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)<br class="">2021-xx-xx 13:58:18,242 [] [http-nio-8080-exec-20] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]<br class="">org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]<br class="">            at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)<br class="">            at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider$1.doAuthentication(MidPointLdapAuthenticationProvider.java:71)<br class="">            at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)<br class="">            at com.evolveum.midpoint.web.security.provider.MidPointLdapAuthenticationProvider.internalAuthentication(MidPointLdapAuthenticationProvider.java:167)<br class="">            at 
com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)<br class="">Caused by: org.springframework.ldap.CommunicationException: simple bind failed: serverA.myowncorp.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]<br class="">            at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)<br class="">            at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)<br class="">            at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)<br class="">            at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)<br class="">            at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)<br class="">Caused by: javax.naming.CommunicationException: simple bind failed: serverA.myowncorp.com:636<br class="">            at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)<br class="">            at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2792)<br class="">            at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)<br class="">            at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)<br class="">            at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)<br class="">Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target<br class="">            at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)<br class="">            at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)<br class="">            at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)<br class="">            at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)<br class="">            at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)<br class="">Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target<br class="">            at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)<br class="">            at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)<br class="">            at java.base/sun.security.validator.Validator.validate(Validator.java:264)<br class="">            at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)<br class="">            at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)<br class="">Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target<br class="">            at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)<br class="">            at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)<br class="">            at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)<br class="">            at 
java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)<br class="">            at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)<br class=""><br class="">------------------------------<br class=""><br class="">End of midPoint Digest, Vol 109, Issue 14<br class=""></div></div></blockquote></div><br class=""></div></body></html>