FlowExecutionException - ldap-server.crt
Joshua Hunter
joshua at dwdev.com
Wed Nov 25 17:51:32 UTC 2020
I am trying to add SAML support to our product. In order to do that I need a working SP/IdP running locally that I can use when developing. The plan is to install Shibboleth SP v3 with Apache 2.4 and Shibboleth IdP v4 on my Windows 10 machine. The IdP would then use either ApacheDS or our live AD for authentication. I have everything installed, but not configured correctly.
I access my 'secure' test page and am redirected to the IdP which displays the error text:
Web Login Service - Error
An error occurred: FlowExecutionException
The idp-process and idp-warn logs show this error message:
----------------------------------------------------------------------------------------
2020-11-25 09:28:36,263 - fe80:0:0:0:b44a:cf04:d3df:4917%9 - ERROR [org.springframework.webflow.execution.FlowExecutionException:74] -
org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'CallAuthenticationFlow' of flow 'authn'
at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.authn.Password.Validators': Cannot resolve reference to bean 'shibboleth.LDAPValidator' while setting bean property 'sourceList' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'ValidateUsernamePasswordAgainstLDAP' defined in file [C:\Program Files (x86)\Shibboleth\IdP\system\flows\authn\password-authn-beans.xml]: Cannot resolve reference to bean 'shibboleth.authn.LDAP.authenticator' while setting bean property 'authenticator'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.authn.LDAP.authenticator' defined in file [C:\Program Files (x86)\Shibboleth\IdP\conf\authn\ldap-authn-config.xml]: Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: java.security.GeneralSecurityException: java.io.FileNotFoundException: ServletContext resource [/C:/Program Files (x86)/Shibboleth/IdP/credentials/ldap-server.crt] cannot be resolved to absolute file path - web application archive not expanded?
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:342)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'ValidateUsernamePasswordAgainstLDAP' defined in file [C:\Program Files (x86)\Shibboleth\IdP\system\flows\authn\password-authn-beans.xml]: Cannot resolve reference to bean 'shibboleth.authn.LDAP.authenticator' while setting bean property 'authenticator'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.authn.LDAP.authenticator' defined in file [C:\Program Files (x86)\Shibboleth\IdP\conf\authn\ldap-authn-config.xml]: Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: java.security.GeneralSecurityException: java.io.FileNotFoundException: ServletContext resource [/C:/Program Files (x86)/Shibboleth/IdP/credentials/ldap-server.crt] cannot be resolved to absolute file path - web application archive not expanded?
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:342)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.authn.LDAP.authenticator' defined in file [C:\Program Files (x86)\Shibboleth\IdP\conf\authn\ldap-authn-config.xml]: Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: java.security.GeneralSecurityException: java.io.FileNotFoundException: ServletContext resource [/C:/Program Files (x86)/Shibboleth/IdP/credentials/ldap-server.crt] cannot be resolved to absolute file path - web application archive not expanded?
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1796)
Caused by: java.lang.IllegalArgumentException: java.security.GeneralSecurityException: java.io.FileNotFoundException: ServletContext resource [/C:/Program Files (x86)/Shibboleth/IdP/credentials/ldap-server.crt] cannot be resolved to absolute file path - web application archive not expanded?
at org.ldaptive.provider.unboundid.UnboundIDProvider.getConnectionFactory(UnboundIDProvider.java:51)
Caused by: java.security.GeneralSecurityException: java.io.FileNotFoundException: ServletContext resource [/C:/Program Files (x86)/Shibboleth/IdP/credentials/ldap-server.crt] cannot be resolved to absolute file path - web application archive not expanded?
at net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig.createSSLContextInitializer(X509ResourceCredentialConfig.java:107)
Caused by: java.io.FileNotFoundException: ServletContext resource [/C:/Program Files (x86)/Shibboleth/IdP/credentials/ldap-server.crt] cannot be resolved to absolute file path - web application archive not expanded?
at org.springframework.web.util.WebUtils.getRealPath(WebUtils.java:344)
----------------------------------------------------------------------------------------
The gist of which seems to be that it can't find "/C:/Program Files (x86)/Shibboleth/IdP/credentials/ldap-server.crt", which is fair enough since it doesn't exist.
Is it possible to use LDAP without a certificate?
This chunk of IdP/conf/ldap.properties looks like this:
----------------------------------------------------------------------------------------
## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
#idp.authn.LDAP.sslConfig = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates=%{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
idp.authn.LDAP.trustStore=%{idp.home}/credentials/ldap-server.truststore
----------------------------------------------------------------------------------------
If I comment out the .trustCertificates and .trustStore I get the same error, but the path it can't find is [/undefined].
My ldap connection string starts with ldap:// and not ldaps://.
I have the same issue whether I'm set up for AD or for generic LDAP.
Any ideas or other info I can send?
Thanks,
Joshua
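As an added example (not part of the original post or of the Shibboleth project), this script reproduces the pre-flight check the IdP is effectively performing at startup: it reads the ldap.properties fragment quoted above, works out which trust mode is in effect, expands %{idp.home}, and reports whether the file that mode depends on is actually present. It assumes that a commented-out idp.authn.LDAP.sslConfig falls back to certificateTrust (the mode the quoted comment names), and the sample properties text and paths are constructed.

```python
import os
import re

# Constructed sample that mirrors the ldap.properties fragment quoted in the post.
SAMPLE_PROPERTIES = """\
## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
#idp.authn.LDAP.sslConfig = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates=%{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
idp.authn.LDAP.trustStore=%{idp.home}/credentials/ldap-server.truststore
"""

# Property whose file must exist for each file-based trust mode; jvmTrust needs none.
TRUST_FILE_PROPERTY = {
    "certificateTrust": "idp.authn.LDAP.trustCertificates",
    "keyStoreTrust": "idp.authn.LDAP.trustStore",
}
PLACEHOLDER = re.compile(r"%\{([^}]+)\}")


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def expand(value, env):
    """Resolve %{name} placeholders; unknown names are left as written."""
    return PLACEHOLDER.sub(lambda m: env.get(m.group(1), m.group(0)), value)


def check_ldap_trust(text, idp_home, default_mode="certificateTrust", exists=os.path.isfile):
    """Return (mode, resolved_path, ok). default_mode is an assumption about the
    IdP's fallback when sslConfig is commented out; 'exists' is injectable for tests."""
    props = parse_properties(text)
    mode = props.get("idp.authn.LDAP.sslConfig", default_mode)
    key = TRUST_FILE_PROPERTY.get(mode)
    if key is None:                      # jvmTrust needs no file; anything else is unknown
        return mode, None, mode == "jvmTrust"
    raw = props.get(key)
    if raw is None:                      # property commented out: nothing to resolve
        return mode, None, False
    path = expand(raw, {"idp.home": idp_home})
    return mode, path, exists(path)
```

Run it against the real ldap.properties with the real idp.home to see, before starting Jetty, whether the effective trust mode points at a file that exists; switching sslConfig to jvmTrust (or creating the certificate the property names) is what makes the check pass.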