idp.authn.LDAP.sslConfig set to jvmTrust odity

Jeffrey Crawford jeffreyc at
Thu May 14 19:08:45 EDT 2015

Sorry for the delayed response but I needed to get a parallel setup going
with the Shib v3.

I'm not quite sure I understand though. I thought setting
idp.authn.LDAP.sslConfig = jvmTrust means we don't need to load a trust
certificate or keystore file as we a are using the java default trust
store. However If I comment out idp.authn.LDAP.trustCertificates the
resolver wont start because it's is not set to anything. Should we not need
set that attribute if we are using jvmTrust?

for example I "thought" the following would be a valid config:
idp.authn.LDAP.sslConfig = jvmTrust
#idp.authn.LDAP.trustCertificates = /no/file/needed
#idp.authn.LDAP.trustStore = /no/file/needed

I may just be misunderstanding jvmTrust. In essence we want to rely on
java's own trust store because we use "real" certificates from Komo and we
don't want to have to remember to reset the ldap certificate file when the
ldap cert is replaced.

Jeffrey E. Crawford
ITS Application Administrator (IdM)
jeffreyc at

Both pilots and IT professionals require training and currency before
charging into clouds!

On Mon, May 11, 2015 at 11:08 AM, Cantor, Scott <cantor.2 at> wrote:

> On 5/11/15, 1:57 PM, "Cantor, Scott" <cantor.2 at> wrote:
> >On 5/11/15, 1:09 PM, "Jeffrey Crawford" <jeffreyc at> wrote:
> >
> >>The first scenario is sort of hit or miss so let me figure that one out,
> but the second issue trying to use the resolver is pretty consistent:
> >>
> >>In
> >>idp.authn.LDAP.sslConfig                        = jvmTrust
> >>idp.authn.LDAP.trustCertificates                =
> %{idp.home}/credentials/ldap-server.crt
> >>
> >>However ldap-server.crt file doesn't exist:, then excecute:
> >>shibboleth-idp/bin/ -id
> shibboleth.AttributeResolverService
> >
> >That should happen on start up anyway, it shouldn't take a reload.
> I just tested with a resolver connector using that property with the
> property set to a non-existent file, and the IdP starts but with a failed
> resolver service, no reload involved.
> If you want to fail outright, change the failFast property on that service.
> It's behaving as designed as far as I can see, modulo the question of
> whether we can accomodate comment it out, which is much harder.
> -- Scott
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list