Active Directory traffic not encrypted

Peter Schober peter.schober at
Sat Sep 15 05:42:47 EDT 2018

* Rochford, Mike <MRochford at STARKSTATE.EDU> [2018-09-14 16:58]: 
> I’ve figured this out.  There was a setting in the dataconnecter
> used in the attribute-resolver.xml file that was using
> useStartTLS=true.

The default (example) attribute-resolver.xml as shipped by the project
does not contain any LDAP connections at all. The (not active)
examples attribute-resolver-ldap.xml and attribute-resolver-full.xml
do, but they includes the following line:


Meaning startTLS would only be true IFF the referenced property was
undefined. And in the default file that property is
pre-defined to re-use the value from the propery

So if you set idp.authn.LDAP.useStartTLS=false in then
idp.attribute.resolver.LDAP.useStartTLS would also be false and the
LDAP DataConnector you mentioned above wouldn't try to startTLS.

I guess all that means is that we're back to what Daniel said, because
with the two files posted that shouldn't happen.

Maybe you commented out idp.authn.LDAP.useStartTLS at some point
(which would default it to true) when configuring an ldaps:// URL, or
something like that?  Also remember that property file changes require
a restart of the servlet container.


More information about the users mailing list