Custom aggregate LDAPAuthnConfiguration help

Grant Byers Grant.Byers at
Tue Jun 29 07:08:17 UTC 2021


We're going through the Shibboleth 3 to 4 upgrade process. In our old Shibboleth, we used a custom LDAP authenticator with a connection pool setup to perform
base DN aggregation. Unfortunately, our AD doesn't have a well-defined single OU for which to query users, so we need this aggregation (user could be in either

So for this reason, we've pulled across our Shibboleth 3 conf/authn/ldap-authn-config.xml, but I am stumped on how to correctly configure SSL/StartTLS
certificate validation. The relevant spring config looks like this:

    <!-- Connection Configuration -->
    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
        p:sslConfig-ref="sslConfig" />

    <alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" />

    <bean id="certificateTrust" class="org.ldaptive.ssl.SslConfig">
        <property name="credentialConfig">
            <bean parent="shibboleth.X509ResourceCredentialConfig"
                p:trustCertificates="%{idp.authn.LDAP.trustCertificates}" />
        </property>
    </bean>

idp.authn.LDAP.trustCertificates is configured to point to the root CA. The AD servers present the server cert & rest of the intermediate CAs.

Now, when I attempt to login, I get the following exception:

org.ldaptive.provider.ConnectionException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server
ldapserver.example:636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to
server ldapserver.example/ipaddr:636:  SSLHandshakeException(PKIX path validation failed: Algorithm constraints
check failed on keysize limits: RSA 1024 bit key used with certificate: ), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))')       
        at org.ldaptive.provider.unboundid.UnboundIDConnectionFactory.createInternal(   

But I'm completely baffled as to where this 1024 bit key is coming from. All certs in the chain, including the server cert, intermediates and the root
(idp.authn.LDAP.trustCertificates) have an RSA public key size of 2048 bit. I'm clearly doing something wrong here; I'm just not sure what.

Can anyone tell me what I'm missing? Also happy to be told this can be done in 4 without having to resort to custom spring, but haven't seen a way to do that in
the wiki.
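
One way to locate the certificate that a "keysize limits" failure like the one above refers to, as an added example that is not part of the original post: list the public-key size of every certificate in a PEM bundle and flag any below a minimum. The function names, the 2048-bit default and the sample certificates are assumptions made for the example; it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post).

# weak_certs BUNDLE [MIN_BITS]
# Prints "<WEAK|ok> <bits> <subject>" for each certificate in BUNDLE and
# returns 1 if any public key is smaller than MIN_BITS (default 2048, assumed).
weak_certs() {
    bundle=$1; min=${2:-2048}; rc=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, ignoring text between them.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on                            { print > (d "/" n ".pem") }
        /-----END CERTIFICATE-----/   { on = 0 }' "$bundle"
    for c in "$tmp"/*.pem; do
        [ -f "$c" ] || continue
        bits=$(openssl x509 -in "$c" -noout -text |
               sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
        subj=$(openssl x509 -in "$c" -noout -subject)
        [ -n "$bits" ] || continue
        if [ "$bits" -lt "$min" ]; then flag=WEAK; rc=1; else flag=ok; fi
        echo "$flag $bits $subj"
    done
    rm -rf "$tmp"
    return $rc
}

# Constructed sample input: two throwaway self-signed certificates
# (1024-bit and 2048-bit RSA) written to the file named in $1.
make_sample_bundle() {
    for size in 1024 2048; do
        openssl req -x509 -newkey "rsa:$size" -nodes -keyout /dev/null \
            -subj "/CN=constructed-$size" -days 1 2>/dev/null
    done > "$1"
}

# When run as a script with arguments, check the given bundle.
if [ $# -gt 0 ]; then weak_certs "$@"; fi
```

Run it against the file that `idp.authn.LDAP.trustCertificates` points to, and against the saved output of `openssl s_client -connect ldapserver.example:636 -showcerts`, to see every certificate that takes part in path validation.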

