FlowExecutionException - ldap-server.crt

Joshua Hunter joshua at dwdev.com
Wed Nov 25 20:49:57 UTC 2020

Thank you! Setting the useStartTLS to false explicitly fixed the problem. Now I'm able to get to the login screen, contact AD, and then get a new error. I'll start another thread for that one if I can't figure it out.

Thanks again,

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: Wednesday, November 25, 2020 10:30 AM
To: users at shibboleth.net
Subject: Re: FlowExecutionException - ldap-server.crt

* Joshua Hunter <joshua at dwdev.com> [2020-11-25 18:52]:
> I am trying to add SAML support to our product. In order to do that I 
> need a working SP/IdP running locally that I can use when developing. 
> The plan is to install Shibboleth SP v3 with Apache 2.4 and Shibboleth 
> IdP v4 on my Windows 10 machine. The IdP would then use either 
> ApacheDS or our live AD for authentication.  I have everything 
> installed, but not configured correctly.

You might have an easier time testing each part against e.g. samltest.id (i.e., a known-good counterpart) instead of starting from scratch with everything. Just an idea.

> The gist of which seems to be that it can't find "/C:/Program Files 
> (x86)/Shibboleth/IdP/credentials/ldap-server.crt". Which is fair 
> enough since it doesn't exist.
> Is it possible to use LDAP without a certificate?


> This chunk of IdP/conf/ldap.properties looks like this:
> ----------------------------------------------------------------------------------------
> ## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
> #idp.authn.LDAP.sslConfig                       = certificateTrust
> ## If using certificateTrust above, set to the trusted certificate's path
> idp.authn.LDAP.trustCertificates=%{idp.home}/credentials/ldap-server.crt
> ## If using keyStoreTrust above, set to the truststore path
> idp.authn.LDAP.trustStore=%{idp.home}/credentials/ldap-server.truststore
> ----------------------------------------------------------------------------------------
> If I comment out the .trustCertificates and .trustStore I get the same
> error, but the path it can't find is [/undefined].

With idp.authn.LDAP.useStartTLS and idp.authn.LDAP.useSSL set to false and idp.authn.LDAP.ldapURL starting with ldap:// (as you say it does in your case) this should work fine. I.e., the value of idp.authn.LDAP.trustCertificates or the fact that the referenced file does not exist shouldn't matter.

Also make sure the LDAP DataConnector you may have copied (or will be copying) from conf/attribute-resolver-ldap.xml does not contain a 'trustFile' XML attribute, as that will then point to an undefined property or the same nonexistent file.
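The rule Peter applies (TLS off, so the trust file is never consulted; TLS on, so the file named by the trust setting must exist) is easy to get wrong when a property is merely commented out rather than set. The script below, added here as an example and not part of this thread or of the Shibboleth project, applies that rule to the text of an ldap.properties file. It assumes the defaults the thread implies for commented-out properties (StartTLS on, sslConfig certificateTrust); the sample property text, the /opt/idp home and port 10389 are constructed for illustration. One caveat the thread leaves implicit: with useStartTLS and useSSL both false, the IdP's bind password and every user's password cross the network in clear text, so that setting belongs only on a loopback or otherwise isolated dev setup.

```python
"""Check the TLS/trust settings of a Shibboleth IdP ldap.properties.

Added example for this thread; not Shibboleth project code. The defaults
used for commented-out properties (StartTLS on, certificateTrust) are
assumptions drawn from the thread, not taken from the IdP source.
"""
import os
import re

_REF = re.compile(r"%\{([^}]+)\}")


def parse_properties(text):
    """Minimal Java .properties parser: '#' and '!' lines are comments,
    'key = value' or 'key: value'; continuation lines are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def expand(value, props):
    """Resolve %{other.property} references such as %{idp.home}."""
    return _REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def as_bool(props, key, default):
    value = props.get(key)
    return default if value is None else value.strip().lower() == "true"


def check_ldap_trust(text, exists=os.path.exists):
    """Return a list of (level, message) findings for the given file text.

    `exists` is injectable so the check can run against paths that are not
    present on the machine running it (and so it can be unit-tested).
    """
    props = parse_properties(text)
    findings = []
    url = expand(props.get("idp.authn.LDAP.ldapURL", ""), props)
    tls = (as_bool(props, "idp.authn.LDAP.useSSL", False)
           or url.lower().startswith("ldaps://")
           or as_bool(props, "idp.authn.LDAP.useStartTLS", True))  # assumed default: on

    if not tls:
        findings.append(("warn", "no TLS on the LDAP connection: bind DN password and user "
                                 "passwords travel in clear text; acceptable only for local dev"))
        return findings  # trust material is never consulted in this case

    mode = props.get("idp.authn.LDAP.sslConfig", "certificateTrust")  # assumed default
    if mode == "certificateTrust":
        path = expand(props.get("idp.authn.LDAP.trustCertificates", ""), props)
        if not path:
            findings.append(("error", "certificateTrust needs idp.authn.LDAP.trustCertificates"))
        elif not exists(path):
            findings.append(("error", "trust certificate not found: " + path))
    elif mode == "keyStoreTrust":
        path = expand(props.get("idp.authn.LDAP.trustStore", ""), props)
        if not path:
            findings.append(("error", "keyStoreTrust needs idp.authn.LDAP.trustStore"))
        elif not exists(path):
            findings.append(("error", "truststore not found: " + path))
    elif mode != "jvmTrust":
        findings.append(("error", "unknown idp.authn.LDAP.sslConfig value: " + mode))
    return findings


# Constructed samples (not from the thread); /opt/idp and port 10389 are made up.
DEV_PROPS = """\
idp.home = /opt/idp
idp.authn.LDAP.ldapURL = ldap://localhost:10389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
#idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
"""

# Same file with useStartTLS left commented out: the assumed default applies
# and the missing certificate becomes fatal, consistent with the fix reported
# in the thread (setting useStartTLS to false explicitly).
BROKEN_PROPS = DEV_PROPS.replace("idp.authn.LDAP.useStartTLS = false",
                                 "#idp.authn.LDAP.useStartTLS = true")

if __name__ == "__main__":
    for name, text in (("dev", DEV_PROPS), ("broken", BROKEN_PROPS)):
        for level, message in check_ldap_trust(text, exists=lambda p: False):
            print(f"{name}: {level}: {message}")
```

Run it against the real file with `check_ldap_trust(open(path).read())` once the IdP host is the one running the check; the injected `exists` callable is only there so the sample can be evaluated on a machine that has no IdP installed.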

