idp.authn.LDAP.sslConfig set to jvmTrust odity

Jeffrey Crawford jeffreyc at
Fri May 8 22:20:50 EDT 2015

I'm been playing around with IdP v 3.1.1 and was trying to get the ldap
configuration in to work. I rather use the java default
cacerts but trying to set idp.authn.LDAP.sslConfig=jvmTrust has been making
the software kinda go haywire.

if I set idp.authn.LDAP.sslConfig=jvmTrust without having configured the
resolver for ldap it seems to start up and work but when trying to reload a
configuration element with  bin/ -id xxxx it would start
to fail and I would get the error:

[/opt/app/shibboleth/shibboleth-idp/credentials/ldap-server.crt] cannot be
resolved to absolute file path - web application archive not expanded?

I thought I should just comment out the "idp.authn.LDAP.trustCertificates"
and "idp.authn.LDAP.trustStore" elements but then the server wouldn't start

Could not resolve placeholder 'idp.authn.LDAP.trustCertificates' in string
value "%{idp.authn.LDAP.trustCertificates}"

Putting the certificate definition back into place I started using the ldap
version of the attribute-resolver.xml then it would not start again saying
it could not find the ldap-server.crt like the first error

I finally just made a copy of the ldap certificate in ldap-server.crt and
went back to idp.authn.LDAP.sslConfig = certificateTrust and finally
everything quieted down. However we use real certificates in our ldap
server so there is no reason for us to need to keep a copy around. Am I
missing something here?

Jeffrey <jeffreyc at>

Both pilots and IT professionals require training and currency before
charging into clouds!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list