StartTLS problem

Rastko Isajev risajev at
Fri Mar 1 05:20:34 EST 2013

Thank you Peter for your clarifications.

I have two questions.

1.) I have originally installed hibboleth with .msi file on Windows 7 64.
LDAP, that I am using has been originaly configured to work only with one
enabled connection handler -LDAP on port 389 that has  StartTLS disabled,
no certificates and stuff. That was plane let say. When I have started
Tomcat IdP app was stopped. When I have tried to start I got error from
Shibbolets idp-process.log :

[LDAP: error code 52 - StartTLS cannot be enabled on this LDAP client
connection because the corresponding LDAP connection handler is configured
to reject StartTLS requests.  The use of StartTLS can be enabled using the
ds-cfg-allow-start-tls configuration attribute]

, from here I see that client side (Shibboleth) is requiring TLS. Correct
me if I am wrong. Based on your last response it should not be initiated as
an default behavior.

2.) I have tried another solution. I have created
certificate, installed into LDAP JKS store, set on LDAP 389 connection
handler usage of StartTLS. Then I have added that certificate into java
central keystore - C:\Program
Files\Java\jdk1.6.0_37\jre\lib\security\cacerts. Then I got another error : PKIX path building failed: unable to find
valid certification path to requested target

then I saw that in Shibboleth directory there is another one keystore,
where probably I have to add certificate ? But I do not know password for
keystore to open it. (it is not anything from commons such as password or
changeit or shibks or something).


On Thu, Feb 28, 2013 at 3:46 PM, Peter Schober
<peter.schober at>wrote:

> * Rastko Isajev <risajev at> [2013-02-28 15:11]:
> > I am facing with problems because of StartTLS that is mandatory when
> > Shibboleth is calling LDAP connection handler.
> The Shibboleth software does not have such a requirement, but your DSA
> might have.
> If your LDAP server requires the use of TLS and your IdP's JVM cannot
> trust the certificate you need to fix one or the other:
> Get a proper certificate onto the LDAP server or configure the IdP's
> JVM so it has a valid trust path to the issuer of the LDAP server
> certificate (e.g. by adding any missing CA or intermediary CA
> certificates into the trust store).
> Either way, Shibboleth has no role in this.
> -peter
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at

Kind regards,



Rastko Isajev
*Software Developer*

D: +381-11-785-6561


[image: CallidusCloud Connections]<> CallidusCloud 
Connections, Las Vegas, May 5-7, 2013, REGISTER NOW<>
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list