idp.authn.LDAP.sslConfig set to jvmTrust oddity

Dave Perry Dave.Perry at
Tue May 12 05:38:41 EDT 2015

I know I’m not Scott, but I had a v3 config working with ssl defined as disabled. That worked fine (barring the SAML1 bit, which is why I carried on tinkering, without taking a snapshot, and broke it – waiting for a support response on what I’ve done to Jetty).


Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at<mailto:elearning at> *

From: users [mailto:users-bounces at] On Behalf Of NPTabunakawai
Sent: 12 May 2015 07:45
To: Shib Users
Subject: Re: idp.authn.LDAP.sslConfig set to jvmTrust oddity

Hi Scott, I'm facing similar issues with and would like to ask, is it possible to retrieve attributes without any TLS/SSL configuration (and without ldap-server.crt)? Or should idp.authn.LDAP.sslConfig and trustCertificates always be defined?

On Tue, May 12, 2015 at 6:08 AM, Cantor, Scott <cantor.2 at<mailto:cantor.2 at>> wrote:
On 5/11/15, 1:57 PM, "Cantor, Scott" <cantor.2 at<mailto:cantor.2 at>> wrote:

>On 5/11/15, 1:09 PM, "Jeffrey Crawford" <jeffreyc at<mailto:jeffreyc at>> wrote:
>>The first scenario is sort of hit or miss so let me figure that one out, but the second issue trying to use the resolver is pretty consistent:
>>idp.authn.LDAP.sslConfig                        = jvmTrust
>>idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/ldap-server.crt
>>However ldap-server.crt file doesn't exist, then execute:
>>shibboleth-idp/bin/ -id shibboleth.AttributeResolverService
>That should happen on start up anyway, it shouldn't take a reload.

I just tested with a resolver connector using that property with the property set to a non-existent file, and the IdP starts but with a failed resolver service, no reload involved.

If you want to fail outright, change the failFast property on that service.

It's behaving as designed as far as I can see, modulo the question of whether we can accommodate commenting it out, which is much harder.

-- Scott

To unsubscribe from this list send an email to users-unsubscribe at<mailto:users-unsubscribe at>

This message is sent in confidence for the addressee
only. It may  contain confidential or sensitive
information.  The contents are not to be disclosed
to anyone other than the addressee.  Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission.  Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College.  Nothing in this
message should be construed as creating a contract.

Hull College owns the email infrastructure, including the contents.

Hull College is committed to sustainability, please reflect before printing this email.
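
An added example, not part of the thread and not Shibboleth's own tooling: a pre-start check for the case Scott describes above, where idp.authn.LDAP.trustCertificates is set to a file that does not exist. It assumes simple `key = value` property lines; the sample properties text, the function names and the temporary idp.home directory are constructed for the demonstration.

```python
import os
import re
import tempfile

PLACEHOLDER = re.compile(r"%\{([^}]+)\}")
TRUST_KEY = "idp.authn.LDAP.trustCertificates"

# Constructed sample: the two property lines quoted in the thread.
SAMPLE = """\
idp.authn.LDAP.sslConfig                        = jvmTrust
idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/ldap-server.crt
"""

def parse_properties(text):
    """Minimal parser: 'key = value' lines, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def expand(value, props):
    """Resolve %{name} placeholders from props; unknown names are left as written."""
    return PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)

def check_trust_file(text, idp_home):
    """Return a list of findings for a trustCertificates path that is not a file."""
    props = parse_properties(text)
    props.setdefault("idp.home", idp_home)  # idp_home: assumed install directory
    if TRUST_KEY not in props:
        return []  # property not set (e.g. commented out): nothing to check here
    path = expand(props[TRUST_KEY], props)
    if os.path.isfile(path):
        return []
    mode = props.get("idp.authn.LDAP.sslConfig", "<unset>")
    return [f"{TRUST_KEY} -> {path} does not exist (sslConfig={mode})"]

def demo():
    """Run the check before and after the certificate file is created."""
    with tempfile.TemporaryDirectory() as home:
        before = check_trust_file(SAMPLE, home)
        os.makedirs(os.path.join(home, "credentials"))
        open(os.path.join(home, "credentials", "ldap-server.crt"), "w").close()
        after = check_trust_file(SAMPLE, home)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The check reports the missing file whatever value sslConfig has, because in the thread the failure occurred with sslConfig set to jvmTrust.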
