FlowExecutionException - ldap-server.crt

Peter Schober peter.schober at univie.ac.at
Wed Nov 25 18:29:43 UTC 2020

* Joshua Hunter <joshua at dwdev.com> [2020-11-25 18:52]:
> I am trying to add SAML support to our product. In order to do that
> I need a working SP/IdP running locally that I can use when
> developing. The plan is to install Shibboleth SP v3 with Apache 2.4
> and Shibboleth IdP v4 on my Windows 10 machine. The IdP would then
> use either ApacheDS or our live AD for authentication.  I have
> everything installed, but not configured correctly.

You might have an easier time testing each part against
e.g. samltest.id (i.e., a known-good counterpart) instead of starting
from scratch with everything. Just an idea.

> The gist of which seems to be that it can't find "/C:/Program Files
> (x86)/Shibboleth/IdP/credentials/ldap-server.crt". Which is fair
> enough since it doesn't exist.
> Is it possible to use LDAP without a certificate?
> This chunk of IdP/conf/ldap.properties looks like this:
> ----------------------------------------------------------------------------------------
> ## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
> #idp.authn.LDAP.sslConfig                       = certificateTrust
> ## If using certificateTrust above, set to the trusted certificate's path
> idp.authn.LDAP.trustCertificates=%{idp.home}/credentials/ldap-server.crt
> ## If using keyStoreTrust above, set to the truststore path
> idp.authn.LDAP.trustStore=%{idp.home}/credentials/ldap-server.truststore
> ----------------------------------------------------------------------------------------
> If I comment out the .trustCertificates and .trustStore I get the
> same error, but the path it can't find is [/undefined].

With idp.authn.LDAP.useStartTLS and idp.authn.LDAP.useSSL set to false
and idp.authn.LDAP.ldapURL starting with ldap:// (as you say it does
in your case) this should work fine. I.e., the value of
idp.authn.LDAP.trustCertificates or the fact that the referenced file
does not exist shouldn't matter.

Also make sure the LDAP DataConnector you may have copied (or will be
copying) from conf/attribute-resolver-ldap.xml does not contain a
'trustFile' XML attribute either, as that'll point to an undefined
property or the same nonexistent file.

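As an added illustration (not code from the thread or from the Shibboleth project), a small Python check that reads a conf/ldap.properties fragment like the one quoted above, expands %{idp.home}, and reports the two conditions the reply separates: a plain ldap:// URL with StartTLS off, where the trust file is irrelevant but the bind and user passwords travel unencrypted, and an encrypted connection whose certificateTrust/keyStoreTrust file resolves to an undefined property or a path that does not exist. The sample properties, the hostname and the idp.home path are constructed.

```python
import os
import re
from typing import Callable, Dict, List

# Constructed sample modelled on the ldap.properties excerpt in the thread;
# not a file from the original post or from the Shibboleth IdP distribution.
SAMPLE_PROPERTIES = """\
idp.home = C:/Program Files (x86)/Shibboleth/IdP
idp.authn.LDAP.ldapURL     = ldap://localhost:10389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL      = false
## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
#idp.authn.LDAP.sslConfig  = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
"""

PLACEHOLDER = re.compile(r"%\{([^}]+)\}")

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-properties reader: '#'/'!' comments, 'key = value', one level of %{name} expansion."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    # A reference to a property that is not set expands to 'undefined', which is how a
    # path like [/undefined] ends up in the IdP log when the referenced property is missing.
    for key in list(props):
        props[key] = PLACEHOLDER.sub(lambda m: props.get(m.group(1), "undefined"), props[key])
    return props

def check_ldap_transport(props: Dict[str, str],
                         exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Report LDAP transport-security findings; 'exists' is injectable so the check runs without the files."""
    def flag(name: str) -> bool:
        return props.get(name, "false").lower() == "true"
    findings: List[str] = []
    url = props.get("idp.authn.LDAP.ldapURL", "")
    encrypted = url.startswith("ldaps://") or flag("idp.authn.LDAP.useStartTLS") or flag("idp.authn.LDAP.useSSL")
    if not encrypted:
        findings.append("PLAINTEXT: ldap:// with StartTLS off; bind and user passwords cross the wire unencrypted")
        return findings  # trust files are not consulted for a plain connection, so stop here
    trust_key = {"certificateTrust": "idp.authn.LDAP.trustCertificates",
                 "keyStoreTrust": "idp.authn.LDAP.trustStore"}.get(props.get("idp.authn.LDAP.sslConfig", ""))
    if trust_key:
        path = props.get(trust_key, "undefined")
        if "undefined" in path or not exists(path):
            findings.append(f"MISSING: {trust_key} resolves to {path!r}, which does not exist; TLS to LDAP will fail")
    return findings
```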