idp.authn.LDAP.sslConfig set to jvmTrust oddity

Jeffrey Crawford jeffreyc at ucsc.edu
Fri May 8 22:20:50 EDT 2015


I've been playing around with IdP v3.1.1 and was trying to get the LDAP
configuration in ldap.properties to work. I'd rather use the Java default
cacerts, but trying to set idp.authn.LDAP.sslConfig=jvmTrust has been making
the software kinda go haywire.

If I set idp.authn.LDAP.sslConfig=jvmTrust without having configured the
resolver for LDAP, it seems to start up and work, but when trying to reload a
configuration element with bin/reload-service.sh -id xxxx it would start
to fail and I would get the error:

[/opt/app/shibboleth/shibboleth-idp/credentials/ldap-server.crt] cannot be
resolved to absolute file path - web application archive not expanded?

I thought I should just comment out the "idp.authn.LDAP.trustCertificates"
and "idp.authn.LDAP.trustStore" elements, but then the server wouldn't start,
with:

Could not resolve placeholder 'idp.authn.LDAP.trustCertificates' in string
value "%{idp.authn.LDAP.trustCertificates}"

Putting the certificate definition back into place, I started using the LDAP
version of attribute-resolver.xml; then it would not start again, saying
it could not find ldap-server.crt, like the first error.

I finally just made a copy of the LDAP certificate in ldap-server.crt and
went back to idp.authn.LDAP.sslConfig = certificateTrust, and finally
everything quieted down. However, we use real certificates on our LDAP
server, so there is no reason for us to need to keep a copy around. Am I
missing something here?

Jeffrey <jeffreyc at ucsc.edu>

Both pilots and IT professionals require training and currency before
charging into clouds!
---------------------------------------
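As an added illustration (not part of Jeffrey's post and not a file from the Shibboleth distribution), here are the two idp.authn.LDAP.sslConfig modes side by side in an ldap.properties fragment. The property names are the stock IdP 3 ones; the hostname, the paths and the surrounding comments are assumptions for the example, and the "keep the placeholders defined" note only restates what the error messages in the post show, not a confirmed fix for the resolver side.

```properties
# Added example: ldap.properties fragment for Shibboleth IdP v3 (illustrative
# hostname and paths; not a file shipped with the IdP).

idp.authn.LDAP.ldapURL = ldaps://ldap.example.org:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true

# Option A (the mode the post fell back to): trust only the certificate(s) in
# a local file. This pins the LDAP server to that cert (or its issuing CA),
# but the copy in credentials/ must exist and be rotated with the server cert.
#idp.authn.LDAP.sslConfig = certificateTrust
#idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt

# Option B: trust whatever the JVM's cacerts trusts. Suitable when the LDAP
# server presents a certificate from a CA already present in cacerts.
idp.authn.LDAP.sslConfig = jvmTrust

# Caveat, taken from the errors in the post: other configuration (for example
# the LDAP data connector in attribute-resolver-ldap.xml) may still reference
# these properties through %{...} placeholders. An undefined placeholder stops
# startup ("Could not resolve placeholder"), and a component that actually
# loads the file still needs it to exist ("cannot be resolved to absolute
# file path"). So leave the definitions in place even when jvmTrust is used;
# whether the data connector itself can be switched to JVM trust is not
# settled by the post.
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates}
```

Two checks before relying on jvmTrust: confirm the issuing CA is really in the cacerts of the JVM the IdP runs under (keytool -list -keystore <path to cacerts> -storepass changeit), and remember that jvmTrust accepts a server certificate from any CA in that store, whereas certificateTrust pins the directory to one cert or CA. Keeping a copy of the cert is extra operational work, as the post says, but it is also the tighter trust boundary.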