IDPv3 Attribute Resolver help

Tim Williams tmw at autotrain.org
Tue Nov 8 09:13:17 EST 2016


I just saw this message, after sending my last message. I'll give this a
go and report back. Thanks!

Tim W

On 08/11/16 13:50, Cantor, Scott wrote:
> On 11/8/16 7:05 AM, Tim Williams wrote:
>>
>> e.g., the document:
>>
>> https://wiki.shibboleth.net/confluence/display/IDP30/StartTLSAuthenticationCredential
>>
>> Only tells me how to configure a certificate file I already have so that
>> Shibboleth can use it, but it doesn't tell me what I have to do at the
>> AD end to obtain/configure the certificate so that AD knows about it as
>> well.
> 
> That's for TLS authentication *to* AD, not the way to configure the IdP
> to trust the AD's cert, but it appears you don't have TLS here anyway.
> 
>> Hmm, I originally had DEBUG logging turned on and I was advised in an
>> earlier reply on this list to turn it off because it was too noisy and
>> didn't provide much useful information for non-developers.
> 
> That depends on what the issue is.
> 
>> Both are set to false and I'm using ldap:// in the URL, but I'm still
>> getting a fail when the LDAP resolver is set up telling me the
>> certificate path is invalid:
> 
> If you leave the properties set up to rely on a provided certificate for
> trust, and don't provide one, it fails. If you want ldap:// and there is
> no certificate, set the idp.authn.LDAP.sslConfig property to jvmTrust, I
> think, that should bypass the need to give it anything, at least for
> authentication.
> 
> On the attribute resolver side, you should just be able to *not* provide
> any trust material in the LDAP connector.
> 
> -- Scott
> 


-- 
Tim Williams BSc MSc MBCS
AutoTrain
58 Jacoby Place
Priory Road
Edgbaston
Birmingham
B5 7UW
United Kingdom

Web : http://www.autotrain.org, http://www.utrain.info
Tel : +44 (0)844 487 4117

AutoTrain is a trading name of EuroMotor-AutoTrain LLP
Registered in the United Kingdom, number: OC317070.
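The combination Scott describes, as an added illustration that is not from either poster: the failing and the working sets of ldap.properties entries for an IdP 3 deployment using plain ldap:// with no certificate on hand (hostnames, DNs and the password are placeholders; the property names are the stock ldap.properties keys).

```properties
# --- Failing combination (what the thread describes) ---
# Plain ldap://, no TLS anywhere ...
#idp.authn.LDAP.ldapURL            = ldap://dc01.example.org:389
#idp.authn.LDAP.useStartTLS        = false
#idp.authn.LDAP.useSSL             = false
# ... but the default still tells the IdP to trust a certificate file,
# and none is provided, so startup fails with an invalid certificate path.
#idp.authn.LDAP.sslConfig          = certificateTrust
#idp.authn.LDAP.trustCertificates  = %{idp.home}/credentials/ldap-server.crt

# --- Working combination ---
idp.authn.LDAP.authenticator       = bindSearchAuthenticator
idp.authn.LDAP.ldapURL             = ldap://dc01.example.org:389
idp.authn.LDAP.useStartTLS         = false
idp.authn.LDAP.useSSL              = false
# jvmTrust: rely on the JVM trust store instead of a provided certificate,
# which removes the requirement to supply trustCertificates at all.
idp.authn.LDAP.sslConfig           = jvmTrust
idp.authn.LDAP.baseDN              = ou=people,dc=example,dc=org
idp.authn.LDAP.userFilter          = (sAMAccountName={user})
idp.authn.LDAP.bindDN              = cn=idp-svc,ou=service,dc=example,dc=org
idp.authn.LDAP.bindDNCredential    = CHANGEME-placeholder

# Attribute resolver side: reuse the same connection settings and provide
# no trust material (no trustCertificates here, and no trust credential
# element in the LDAPDirectory connector in attribute-resolver.xml).
idp.attribute.resolver.LDAP.ldapURL          = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.useStartTLS      = %{idp.authn.LDAP.useStartTLS}
idp.attribute.resolver.LDAP.baseDN           = %{idp.authn.LDAP.baseDN}
idp.attribute.resolver.LDAP.bindDN           = %{idp.authn.LDAP.bindDN}
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential}
idp.attribute.resolver.LDAP.searchFilter     = (sAMAccountName=$resolutionContext.principal)
idp.attribute.resolver.LDAP.returnAttributes = mail,displayName
```

With ldap:// and both TLS options off, the bind credential and every user's password pass to AD unencrypted, so this removes the startup error but not the need to enable StartTLS or ldaps:// with the AD certificate once it is available.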

