idp.authn.LDAP.sslConfig set to jvmTrust oddity

NPTabunakawai nimcee at gmail.com
Tue May 12 02:45:19 EDT 2015


Hi Scott, I'm facing similar issues with ldap.properties and would like to
ask: is it possible to retrieve attributes without any TLS/SSL
configuration (and without ldap-server.crt)? Or should
idp.authn.LDAP.sslConfig and trustCertificates always be defined?

On Tue, May 12, 2015 at 6:08 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 5/11/15, 1:57 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
>
> >On 5/11/15, 1:09 PM, "Jeffrey Crawford" <jeffreyc at ucsc.edu> wrote:
> >
> >>The first scenario is sort of hit or miss so let me figure that one out,
> >>but the second issue trying to use the resolver is pretty consistent:
> >>
> >>In ldap.properties
> >>idp.authn.LDAP.sslConfig                        = jvmTrust
> >>idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/ldap-server.crt
> >>
> >>However, the ldap-server.crt file doesn't exist; then execute:
> >>shibboleth-idp/bin/reload-service.sh -id shibboleth.AttributeResolverService
> >
> >That should happen on start up anyway, it shouldn't take a reload.
>
> I just tested with a resolver connector using that property with the
> property set to a non-existent file, and the IdP starts but with a failed
> resolver service, no reload involved.
>
> If you want to fail outright, change the failFast property on that service.
>
> It's behaving as designed as far as I can see, modulo the question of
> whether we can accommodate commenting it out, which is much harder.
>
> -- Scott
>
>
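The failure Scott describes (a trustCertificates value that points at a missing file: the IdP starts, but the resolver service that references the property fails to load) and the question of running without TLS at all are both things a deployer can catch before starting the IdP. The following pre-flight check is an added example, not code from this thread or from the Shibboleth project. It parses an ldap.properties fragment, expands %{key} and %{key:default} placeholders, and reports findings. Beyond idp.authn.LDAP.sslConfig and idp.authn.LDAP.trustCertificates quoted in the thread, it reads idp.authn.LDAP.ldapURL and idp.authn.LDAP.useStartTLS, which are the standard IdP v3 ldap.properties keys; the SAMPLE text is constructed, and the file_exists parameter is a hypothetical hook so the check can run without a real filesystem.

```python
import re
from pathlib import Path

# "key = value" or "key: value" (Java properties style); comments/blank lines are skipped first.
PROP_RE = re.compile(r'^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$')
# %{key} and %{key:default} placeholders as used in IdP property files.
PLACEHOLDER_RE = re.compile(r'%\{([^}:]+)(?::([^}]*))?\}')
VALID_SSL_CONFIG = {'jvmTrust', 'certificateTrust', 'keyStoreTrust'}


def parse_properties(text):
    """Return a dict of the key/value lines of a properties file."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#!':
            continue
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def expand(value, props, depth=0):
    """Expand placeholders recursively; unknown keys keep their default or stay unexpanded."""
    if depth > 10:  # guard against self-referencing placeholders
        return value

    def sub(m):
        key, default = m.group(1), m.group(2)
        if key in props:
            return expand(props[key], props, depth + 1)
        return default if default is not None else m.group(0)

    return PLACEHOLDER_RE.sub(sub, value)


def check_ldap_properties(text, file_exists=lambda p: Path(p).is_file()):
    """Return a list of (severity, message) findings for the LDAP settings."""
    props = parse_properties(text)

    def get(key, default=''):
        return expand(props.get(key, default), props)

    findings = []
    url = get('idp.authn.LDAP.ldapURL').strip()
    use_starttls = get('idp.authn.LDAP.useStartTLS', 'true').strip().lower() == 'true'
    ssl_config = get('idp.authn.LDAP.sslConfig', 'certificateTrust').strip()
    trust = get('idp.authn.LDAP.trustCertificates').strip()

    if ssl_config not in VALID_SSL_CONFIG:
        findings.append(('ERROR', f'unknown idp.authn.LDAP.sslConfig value {ssl_config!r}'))
    if url.startswith('ldap://') and not use_starttls:
        # Running without TLS is possible, but binds and attribute data cross the wire in cleartext.
        findings.append(('WARN', 'ldap:// without StartTLS: bind credentials and attributes are sent in cleartext'))
    if trust:
        if '%{' in trust:
            findings.append(('ERROR', f'trustCertificates has an unresolved placeholder: {trust}'))
        elif not file_exists(trust):
            # This is the case from the thread: the IdP starts, but a resolver
            # connector that uses the property fails to load, regardless of sslConfig.
            findings.append(('ERROR', f'trustCertificates file missing: {trust} '
                             '(a resolver connector referencing it will fail to load)'))
    elif ssl_config == 'certificateTrust':
        findings.append(('ERROR', 'sslConfig=certificateTrust requires idp.authn.LDAP.trustCertificates'))
    return findings


# Constructed ldap.properties fragment, not a real deployment.
SAMPLE = """\
idp.home = /opt/shibboleth-idp
idp.authn.LDAP.ldapURL = ldap://ldap.example.org:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
"""

if __name__ == '__main__':
    # Pretend no certificate file exists, as in the thread.
    for severity, message in check_ldap_properties(SAMPLE, file_exists=lambda p: False):
        print(f'{severity}: {message}')
```

Run against a real deployment by passing the contents of ldap.properties and leaving file_exists at its default; an empty result means the trust file is where the properties say it is and no cleartext ldap:// connection is configured.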

