idp.authn.LDAP.sslConfig set to jvmTrust odity

Cantor, Scott cantor.2 at
Mon May 11 14:08:24 EDT 2015

On 5/11/15, 1:57 PM, "Cantor, Scott" <cantor.2 at> wrote:

>On 5/11/15, 1:09 PM, "Jeffrey Crawford" <jeffreyc at> wrote:
>>The first scenario is sort of hit or miss so let me figure that one out, but the second issue trying to use the resolver is pretty consistent:
>>idp.authn.LDAP.sslConfig                        = jvmTrust
>>idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/ldap-server.crt
>>However ldap-server.crt file doesn't exist:, then excecute:
>>shibboleth-idp/bin/ -id shibboleth.AttributeResolverService
>That should happen on start up anyway, it shouldn't take a reload.

I just tested with a resolver connector using that property with the property set to a non-existent file, and the IdP starts but with a failed resolver service, no reload involved.

If you want to fail outright, change the failFast property on that service.

It's behaving as designed as far as I can see, modulo the question of whether we can accomodate comment it out, which is much harder.

-- Scott

More information about the users mailing list