...
This section is intended for administrators of the Shibboleth 2 IdP who plan to use more than one LDAP server in the JAAS configuration file ($SHIB_HOME/conf/login.config) and/or in the attribute resolver configuration file ($SHIB_HOME/conf/attribute-resolver.xml).
...
- try to configure more than one LDAP server in login.config and/or attribute-resolver.xml
- restart the IdP
- select a suitable test resource/SP that will show you the user attributes
- check that you can authenticate and that attributes are released. This step only verifies that there are no other problems before the failover test.
...
- replace the first LDAP server in your configuration with a host that is reachable on the network but has no LDAP daemon running on it
- restart the IdP (and remove old cookies from your browser)
- try to authenticate again; the IdP should fall back to the next configured LDAP server.
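As an added example (not from the original page), this is how the attribute-resolver.xml data connector of the test above can be given two LDAP servers; the hostnames, base DN, bind DN and password are placeholders, and the space-separated ldapURL list is the form accepted by the IdP's LDAP library, which you should confirm against your own version:

```xml
<!-- Added example, not the original page's configuration.
     LDAPDirectory data connector for $SHIB_HOME/conf/attribute-resolver.xml
     with two LDAP servers. All hostnames, DNs and the password are placeholders. -->
<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldap://ldap1.example.org ldap://ldap2.example.org"
    baseDN="ou=people,dc=example,dc=org"
    principal="uid=shibboleth,ou=system,dc=example,dc=org"
    principalCredential="REPLACE_WITH_BIND_PASSWORD">
    <!-- For the failover test from the steps above, replace ldap1.example.org
         with a reachable host that runs no LDAP daemon and restart the IdP;
         attribute lookups should then be served by ldap2.example.org. -->
    <FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </FilterTemplate>
</resolver:DataConnector>
```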
...
The steps below are based on practical experience with the installation and configuration of the Shibboleth IdP version 2.1.2 in the following environment:
...
in the JNDI application file jndi.properties. This property sets the caching policy for successful name lookups from the name service. Its default value is -1 ("cache forever") for Sun Java JVMs with versions 1.5 and lower, and 30 seconds for version 1.6 if a security manager is not set. If the IP address of any of the LDAP servers changes in the name service while sun.net.inetaddr.ttl is -1, you need to restart the Shibboleth IdP for the application to pick up the change.