>> , is it possible to retrieve attributes without any TLS/SSL configuration?

> If your LDAP DSA allows that, the IDP certainly won't force you to
> protect the transport to the DSA

Specifically, that's what idp.attribute.resolver.LDAP.useStartTLS (which defaults to idp.authn.LDAP.useStartTLS, which defaults to true) is for.

/Rod
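Added example (not part of the original message and not Shibboleth's own code): a small audit helper that resolves the fallback chain described above and reports whether the attribute resolver's LDAP connection would run in cleartext. The `ldapURL` property names, the `%{key:default}` placeholder syntax and the sample file contents are assumptions of this example, not taken from the thread.

```python
import re

# Fallback chain from the thread: resolver setting -> authn setting -> true.
# The ldapURL keys and %{key:default} syntax are assumptions of this example.
DEFAULTS = {
    "idp.authn.LDAP.useStartTLS": "true",
    "idp.attribute.resolver.LDAP.useStartTLS": "%{idp.authn.LDAP.useStartTLS:true}",
    "idp.attribute.resolver.LDAP.ldapURL": "%{idp.authn.LDAP.ldapURL}",
}
PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")

def parse_properties(text):
    """Minimal key = value parser; skips blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def resolve(props, key, depth=0):
    """Return the effective value of key, expanding placeholders recursively."""
    if depth > 10:
        raise ValueError("placeholder loop at " + key)
    raw = props.get(key, DEFAULTS.get(key))
    if raw is None:
        return None
    def expand(m):
        value = resolve(props, m.group(1), depth + 1)
        return value if value is not None else (m.group(2) or "")
    return PLACEHOLDER.sub(expand, raw)

def resolver_transport(text):
    """Classify the attribute resolver's LDAP transport: ldaps, starttls or cleartext."""
    props = parse_properties(text)
    urls = (resolve(props, "idp.attribute.resolver.LDAP.ldapURL") or "").lower().split()
    if urls and all(u.startswith("ldaps://") for u in urls):
        return "ldaps"
    flag = resolve(props, "idp.attribute.resolver.LDAP.useStartTLS") or ""
    return "starttls" if flag.lower() == "true" else "cleartext"

# Constructed sample: authn keeps StartTLS, the resolver override turns it off.
SAMPLE = """
idp.authn.LDAP.ldapURL = ldap://ldap.example.org:389
idp.authn.LDAP.useStartTLS = true
idp.attribute.resolver.LDAP.useStartTLS = false
"""

if __name__ == "__main__":
    print(resolver_transport(SAMPLE))  # cleartext
```

A `cleartext` result means attribute values, and any bind credential the resolver uses, cross the network unencrypted, so it is worth flagging in a configuration review even when authentication itself still uses StartTLS.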