-rw-r--r-- docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml | 584
1 files changed, 284 insertions, 300 deletions
diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml b/docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml
index 86e2845037..2fa4423d37 100644
--- a/docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml
+++ b/docs/Samba-HOWTO-Collection/TOSHARG-SecureLDAP.xml
@@ -1,130 +1,104 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="ch-ldap-tls">
- <title>Transport Layer Security</title>
- <sect1 id="s1-intro-ldap-tls">
- <title>Introduction</title>
- <para>
- <indexterm>
- <primary>Transport Layer Seccurity, TLS</primary>
- <secondary>Introduction</secondary>
- </indexterm>
- Up until now, we have discussed the straight forward configuration of
- <trademark>OpenLDAP</trademark>, with some advanced features such as
- <xref linkend="s1-acls"></xref>. This does not however, deal with the
- fact that the network transmissions are still in plain text. This is
- where <firstterm>Transport Layer Security (TLS)</firstterm> comes in.
- </para>
- <para>
- <trademark>OpenLDAP</trademark> clients and servers are capable of
- using the Transport Layer Security (TLS) framework to provide
- integrity and confidentiality protections in accordance with -
- <ulink url="http://rfc.net/rfc2830.html">RFC2830</ulink>;
- <emphasis>Lightweight Directory Access Protocol (v3): Extension
- for Transport Layer Security</emphasis>
- </para>
- <para>
- TLS uses X.509 certificates. All servers are required to have valid
- certificates, whereas client certificates are optional. We will only
- be discussing server certificates.
- <tip>
- <para>
- The DN of a server certificate must use the CN attribute to name the
- server, and the CN must carry the server's fully qualified domain name
- (FQDN). Additional alias names and wildcards may be present in the
- <option>subjectAltName</option> certificate extension. More details on
- server certificate names are in
- <ulink url="http://rfc.net/rfc2830.html">RFC2830</ulink>.
- </para>
- </tip>
- </para>
- <para>
+<title>Transport Layer Security</title>
+
+<sect1 id="s1-intro-ldap-tls">
+<title>Introduction</title>
+
+ <para>
+ <indexterm><primary>Transport Layer Seccurity, TLS</primary><secondary>Introduction</secondary></indexterm>
+ Up until now, we have discussed the straight forward configuration of <trademark>OpenLDAP</trademark>,
+ with some advanced features such as ACLs. This does not however, deal with the fact that the network
+ transmissions are still in plain text. This is where <firstterm>Transport Layer Security (TLS)</firstterm>
+ comes in.
+ </para>
+
+ <para>
+ <trademark>OpenLDAP</trademark> clients and servers are capable of using the Transport Layer Security (TLS)
+ framework to provide integrity and confidentiality protections in accordance with - <ulink
+ url="http://rfc.net/rfc2830.html">RFC2830</ulink>; <emphasis>Lightweight Directory Access Protocol (v3):
+ Extension for Transport Layer Security.</emphasis>
+ </para>
+
+ <para>
+ TLS uses X.509 certificates. All servers are required to have valid certificates, whereas client certificates
+ are optional. We will only be discussing server certificates.
+ </para>
+
+ <tip><para>
+ The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the
+ server's fully qualified domain name (FQDN). Additional alias names and wildcards may be present in the
+ <option>subjectAltName</option> certificate extension. More details on server certificate names are in <ulink
+ url="http://rfc.net/rfc2830.html">RFC2830</ulink>.
+ </para></tip>
+
+ <para>
We will discuss this more in the next sections.
- </para>
- </sect1>
-
- <sect1 id="s1-config-ldap-tls">
- <title>Configuring</title>
- <para>
- <indexterm>
- <primary>Transport Layer Seccurity, TLS</primary>
- <secondary>Configuring</secondary>
- </indexterm>
+ </para>
+
+ </sect1>
+
+ <sect1 id="s1-config-ldap-tls">
+ <title>Configuring</title>
+
+ <para>
+ <indexterm><primary>Transport Layer Seccurity, TLS</primary><secondary>Configuring</secondary></indexterm>
Now on to the good bit.
- </para>
-
- <sect2 id="s1-config-ldap-tls-certs">
+ </para>
+
+ <sect2 id="s1-config-ldap-tls-certs">
<title>Generating the Certificate Authority</title>
- <para>
- In order to create the relevant certificates, we need to become our own
- Certificate Authority (CA).
- <footnote>
- <para>
- We could however, get our generated server certificate signed by proper CAs,
- like <ulink url="http://www.thawte.com/">Thawte</ulink> and
- <ulink url="http://www.verisign.com/">VeriSign</ulink>, which you pay for,
- or the free ones, via <ulink url="http://www.cacert.org/">CAcert</ulink>
- </para>
- </footnote>
- This is necessary, so we can sign the server certificate.
- </para>
- <para>
- We will be using the <ulink url="http://www.openssl.org">OpenSSL</ulink>
- <footnote>
- <para>
- The downside to making our own CA, is that the certificate is not automatically
- recognised by clients, like the commercial ones are.
- </para>
- </footnote>
- software for this, which is included with every great
- <trademark class="registered">Linux</trademark> distribution.
- </para>
- <para>
- TLS is used for many types of servers, but the instructions
- <footnote>
- <para>
- For information straight from the horses mouth, please visit -
- <ulink url="http://www.openssl.org/docs/HOWTO/">
- ttp://www.openssl.org/docs/HOWTO/</ulink>; the main OpenSSL site.
- </para>
- </footnote>
- presented here, are tailored for &OL;.
- <note>
- <para>
- The <emphasis>Common Name (CN)</emphasis>, if the following example,
- <emphasis>MUST</emphasis> be the fully qualified domain name (fqdn)
- of your ldap server.
- </para>
- </note>
- </para>
+
+ <para>
+ In order to create the relevant certificates, we need to become our own Certificate Authority (CA).
+ <footnote><para>We could however, get our generated server certificate signed by proper CAs, like <ulink
+ url="http://www.thawte.com/">Thawte</ulink> and <ulink url="http://www.verisign.com/">VeriSign</ulink>, which
+ you pay for, or the free ones, via <ulink url="http://www.cacert.org/">CAcert</ulink>
+ </para></footnote> This is necessary, so we can sign the server certificate.
+ </para>
+
+ <para>
+ We will be using the <ulink url="http://www.openssl.org">OpenSSL</ulink> <footnote><para>The downside to
+ making our own CA, is that the certificate is not automatically recognised by clients, like the commercial
+ ones are.</para></footnote> software for this, which is included with every great <trademark
+ class="registered">Linux</trademark> distribution.
+ </para>
+
+ <para>
+ TLS is used for many types of servers, but the instructions<footnote><para>For information straight from the
+ horses mouth, please visit - <ulink
+ url="http://www.openssl.org/docs/HOWTO/">http://www.openssl.org/docs/HOWTO/</ulink>; the main OpenSSL
+ site.</para></footnote> presented here, are tailored for &OL;.
+ </para>
+
+ <note><para>
+ The <emphasis>Common Name (CN)</emphasis>, if the following example, <emphasis>MUST</emphasis> be
+ the fully qualified domain name (fqdn) of your ldap server.
+ </para></note>
+
<para>
- First we need to generate the CA:
- <screen width="90">
- <computeroutput>
-[ghenry@suretec ldap-docs]$ mkdir myCA
- </computeroutput>
- </screen>
- Move into that directory:
- <screen width="90">
- <computeroutput>
-[ghenry@suretec ldap-docs]$ cd myCA
- </computeroutput>
- </screen>
- Now generate the CA:
- <footnote>
- <para>
- Your <filename>CA.pl</filename> or <filename>CA.sh</filename> might
- not be in the same location as mine is, you can find it by using the
- <command>locate</command> command, i.e. <command>locate CA.pl</command>.
- If the command complains about the database being too old, run
- <command>updatedb</command> as <emphasis>root</emphasis> to update it.
- </para>
- </footnote>
- <screen width="90">
- <computeroutput>
-[ghenry@suretec myCA]$ /usr/share/ssl/misc/CA.pl -newca
+ First we need to generate the CA:
+<screen width="90">
+<computeroutput>
+&rootprompt; mkdir myCA
+</computeroutput>
+</screen>
+ Move into that directory:
+<screen width="90">
+<computeroutput>
+&rootprompt; cd myCA
+</computeroutput>
+</screen>
+ Now generate the CA:<footnote><para>Your <filename>CA.pl</filename> or <filename>CA.sh</filename> might not be
+ in the same location as mine is, you can find it by using the <command>locate</command> command, i.e.
+ <command>locate CA.pl</command>. If the command complains about the database being too old, run
+ <command>updatedb</command> as <emphasis>root</emphasis> to update it.</para></footnote>
+<screen width="90">
+<computeroutput>
+&rootprompt; /usr/share/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
-
+
Making CA certificate ...
Generating a 1024 bit RSA private key
.......................++++++
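Review bot: the rewritten indexterm lines in the Introduction and Configuring sections still spell the primary as "Transport Layer Seccurity, TLS"; the index collates on this exact string (and the same typo survives in the Testing and Troubleshooting indexterms), so fix it to "Transport Layer Security, TLS" while these lines are being touched. Smaller wording issues carried over unchanged: "straight forward" should be "straightforward", the note before the CA transcript reads "if the following example" where "in the following example" is meant, and "straight from the horses mouth" wants "horse's". Also, replacing `<xref linkend="s1-acls"></xref>` with the literal "ACLs" drops the cross-reference; keep the xref if that section is still part of the collection.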
@@ -140,42 +114,47 @@ There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
-Country Name (2 letter code) [AU]:GB
-State or Province Name (full name) [Some-State]:Aberdeenshire
-Locality Name (eg, city) []:Aberdeen
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:Suretec Systems Ltd.
+Country Name (2 letter code) [AU]:AU
+State or Province Name (full name) [Some-State]:NSW
+Locality Name (eg, city) []:Sydney
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas
Organizational Unit Name (eg, section) []:IT
-Common Name (eg, YOUR name) []:ldap.suretecsystems.com
-Email Address []:support@suretecsystems.com
- </computeroutput>
- </screen>
+Common Name (eg, YOUR name) []:ldap.abmas.biz
+Email Address []:support@abmas.biz
+</computeroutput>
+</screen>
</para>
+
<para>
- Now, there are some things to note here.
- <orderedlist>
- <listitem>
- <para>
- You <emphasis>MUST</emphasis> remember the password, as we will need
- it to sign the server certificate..
- </para>
- </listitem>
- <listitem>
- <para>
- The <emphasis>Common Name (CN)</emphasis>, <emphasis>MUST</emphasis> be the
- fully qualified domain name (fqdn) of your ldap server.
- </para>
- </listitem>
- </orderedlist>
+ Now, there are some things to note here.
</para>
- </sect2>
- <sect2 id="s1-config-ldap-tls-server">
+ <orderedlist>
+ <listitem>
+ <para>
+ You <emphasis>MUST</emphasis> remember the password, as we will need
+ it to sign the server certificate..
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The <emphasis>Common Name (CN)</emphasis>, <emphasis>MUST</emphasis> be the
+ fully qualified domain name (fqdn) of your ldap server.
+ </para>
+ </listitem>
+ </orderedlist>
+
+ </sect2>
+
+ <sect2 id="s1-config-ldap-tls-server">
<title>Generating the Server Certificate</title>
+
<para>
- Now we need to generate the server certificate:
- <screen width="90">
- <computeroutput>
-[ghenry@suretec myCA]$ openssl req -new -nodes -keyout newreq.pem -out newreq.pem
+ Now we need to generate the server certificate:
+<screen width="90">
+<computeroutput>
+&rootprompt; openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.............++++++
........................................................++++++
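Review bot: the first listitem keeps the doubled full stop in "to sign the server certificate.."; drop one. Moving the orderedlist out of the para is the right structural fix, and the new CN "ldap.abmas.biz" is consistent with the FQDN rule the list states, so that is the only remaining point in this hunk.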
@@ -188,72 +167,76 @@ There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
-Country Name (2 letter code) [AU]:GB
-State or Province Name (full name) [Some-State]:Aberdeenshire
-Locality Name (eg, city) []:Aberdeen
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:Suretec Systems Ltd.
+Country Name (2 letter code) [AU]:AU
+State or Province Name (full name) [Some-State]:NSW
+Locality Name (eg, city) []:Sydney
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas
Organizational Unit Name (eg, section) []:IT
-Common Name (eg, YOUR name) []:ldap.suretecsystems.com
-Email Address []:support@suretecsystems.com
-
+Common Name (eg, YOUR name) []:ldap.abmas.biz
+Email Address []:support@abmas.biz
+
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- </computeroutput>
- </screen>
+</computeroutput>
+</screen>
</para>
+
<para>
- Again, there are some things to note here.
- <orderedlist>
- <listitem>
- <para>
- You should <emphasis>NOT</emphasis> enter a password.
- </para>
- </listitem>
- <listitem>
- <para>
- The <emphasis>Common Name (CN)</emphasis>, <emphasis>MUST</emphasis> be
- the fully qualified domain name (fqdn) of your ldap server.
- </para>
- </listitem>
- </orderedlist>
+ Again, there are some things to note here.
</para>
+
+ <orderedlist>
+ <listitem>
+ <para>
+ You should <emphasis>NOT</emphasis> enter a password.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ The <emphasis>Common Name (CN)</emphasis>, <emphasis>MUST</emphasis> be
+ the fully qualified domain name (fqdn) of your ldap server.
+ </para>
+ </listitem>
+ </orderedlist>
+
<para>
- Now, we sign the certificate with the new CA:
- <screen width="90">
- <computeroutput>
-[ghenry@suretec myCA]$ /usr/share/ssl/misc/CA.pl -sign
+ Now, we sign the certificate with the new CA:
+<screen width="90">
+<computeroutput>
+&rootprompt; /usr/share/ssl/misc/CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
- Serial Number: 1 (0x1)
- Validity
- Not Before: Mar 6 18:22:26 2005 GMT
- Not After : Mar 6 18:22:26 2006 GMT
- Subject:
- countryName = GB
- stateOrProvinceName = Aberdeenshire
- localityName = Aberdeen
- organizationName = Suretec Systems Ltd.
- organizationalUnitName = IT
- commonName = ldap.suretecsystems.com
- emailAddress = support@suretecsystems.com
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- Netscape Comment:
- OpenSSL Generated Certificate
- X509v3 Subject Key Identifier:
- F7:84:87:25:C4:E8:46:6D:0F:47:27:91:F0:16:E0:86:6A:EE:A3:CE
- X509v3 Authority Key Identifier:
- keyid:27:44:63:3A:CB:09:DC:B1:FF:32:CC:93:23:A4:F1:B4:D5:F0:7E:CC
- DirName:/C=GB/ST=Aberdeenshire/L=Aberdeen/O=Suretec Systems Ltd./OU=IT/CN=ldap.suretecsystems.com/emailAddress=support@suretecsystems.com
- serial:00
-
-Certificate is to be certified until Mar 6 18:22:26 2006 GMT (365 days)
+Serial Number: 1 (0x1)
+Validity
+ Not Before: Mar 6 18:22:26 2005 EDT
+ Not After : Mar 6 18:22:26 2006 EDT
+Subject:
+ countryName = AU
+ stateOrProvinceName = NSW
+ localityName = Sydney
+ organizationName = Abmas
+ organizationalUnitName = IT
+ commonName = ldap.abmas.biz
+ emailAddress = support@abmas.biz
+X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Comment:
+ OpenSSL Generated Certificate
+ X509v3 Subject Key Identifier:
+ F7:84:87:25:C4:E8:46:6D:0F:47:27:91:F0:16:E0:86:6A:EE:A3:CE
+ X509v3 Authority Key Identifier:
+ keyid:27:44:63:3A:CB:09:DC:B1:FF:32:CC:93:23:A4:F1:B4:D5:F0:7E:CC
+ DirName:/C=AU/ST=NSW/L=Sydney/O=Abmas/OU=IT/CN=ldap.abmas.biz/emailAddress=support@abmas.biz
+ serial:00
+
+Certificate is to be certified until Mar 6 18:22:26 2006 EDT (365 days)
Sign the certificate? [y/n]:y
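Review bot: the Validity lines in the `CA.pl -sign` transcript were changed from GMT to EDT, but OpenSSL prints certificate validity times in GMT regardless of the local timezone, so the edited output no longer matches what the command produces; keep "2005 GMT" / "2006 GMT" on the Not Before, Not After and "certified until" lines. Related: the Subject was changed to the Abmas example while the Subject Key Identifier, Authority Key Identifier and serial values are unchanged from the original capture; since those are derived from the actual keys, re-capturing the output after generating the Abmas certificates would keep the sample self-consistent.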
@@ -261,89 +244,90 @@ Sign the certificate? [y/n]:y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
- </computeroutput>
- </screen>
+</computeroutput>
+</screen>
</para>
+
<para>
- That completes the server certificate generation.
+ That completes the server certificate generation.
</para>
- </sect2>
- <sect2 id="s1-config-ldap-tls-install">
+
+ </sect2>
+
+ <sect2 id="s1-config-ldap-tls-install">
<title>Installing the Certificates</title>
+
<para>
- Now we need to copy the certificates to the right configuration directories,
- rename them at the same time for convenience, change the ownership and
- finally the permissions:
- <screen width="90">
- <computeroutput>
-[ghenry@suretec myCA]$ cp demoCA/cacert.pem /etc/openldap/
-[ghenry@suretec myCA]$ cp newcert.pem /etc/openldap/servercrt.pem
-[ghenry@suretec myCA]$ cp newreq.pem /etc/openldap/serverkey.pem
-[ghenry@suretec myCA]$ chown ldap.ldap /etc/openldap/*.pem
-[ghenry@suretec myCA]$ chmod 640 /etc/openldap/cacert.pem; chmod 600 /etc/openldap/serverkey.pem
- </computeroutput>
- </screen>
- </para>
- <para>
- Now we just need to add these locations to <filename>slapd.conf</filename>,
- anywhere before the <option>database</option> declaration and <filename>ldap.conf</filename>:
+ Now we need to copy the certificates to the right configuration directories,
+ rename them at the same time for convenience, change the ownership and
+ finally the permissions:
+<screen width="90">
+<computeroutput>
+&rootprompt; cp demoCA/cacert.pem /etc/openldap/
+&rootprompt; cp newcert.pem /etc/openldap/servercrt.pem
+&rootprompt; cp newreq.pem /etc/openldap/serverkey.pem
+&rootprompt; chown ldap.ldap /etc/openldap/*.pem
+&rootprompt; chmod 640 /etc/openldap/cacert.pem; chmod 600 /etc/openldap/serverkey.pem
+</computeroutput>
+</screen>
</para>
+
<para>
- <filename>slapd.conf</filename>
- <screen width="90">
- <computeroutput>
+ Now we just need to add these locations to <filename>slapd.conf</filename>,
+ anywhere before the <option>database</option> declaration as shown here:
+<screen width="90">
+<computeroutput>
TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSCACertificateFile /etc/openldap/cacert.pem
- </computeroutput>
- </screen>
+</computeroutput>
+</screen>
</para>
+
<para>
- <filename>ldap.conf</filename>
- <screen width="90">
- <computeroutput>
+ Here is the declaration and <filename>ldap.conf</filename>:
+<filename>ldap.conf</filename>
+<screen width="90">
+<computeroutput>
TLS_CACERT /etc/openldap/cacert.pem
- </computeroutput>
- </screen>
+</computeroutput>
+</screen>
</para>
+
<para>
- That's all there is to it. Now on to <xref linkend="s1-test-ldap-tls"></xref>
+ That's all there is to it. Now on to <xref linkend="s1-test-ldap-tls"></xref>
</para>
- </sect2>
- </sect1>
-
- <sect1 id="s1-test-ldap-tls">
- <title>Testing</title>
- <para>
- <indexterm>
- <primary>Transport Layer Seccurity, TLS</primary>
- <secondary>Testing</secondary>
- </indexterm>
- This is the easy part. Restart the server:
- <screen width="90">
- <computeroutput>
-[ghenry@suretec myCA]$ /etc/init.d/ldap restart
+
+ </sect2>
+
+</sect1>
+
+<sect1 id="s1-test-ldap-tls">
+<title>Testing</title>
+
+<para>
+<indexterm><primary>Transport Layer Seccurity, TLS</primary><secondary>Testing</secondary></indexterm>
+This is the easy part. Restart the server:
+<screen width="90">
+<computeroutput>
+&rootprompt; /etc/init.d/ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
Starting slapd: [ OK ]
- </computeroutput>
- </screen>
- Then, using <command>ldapsearch</command>, test an anonymous search with the <option>-ZZ</option>
- <footnote>
- <para>
- See <command>man ldapsearch</command>:
- </para>
- </footnote>
- option:
- <screen width="90">
- <computeroutput>
-[ghenry@suretec myCA]$ ldapsearch -x -b "dc=ldap,dc=suretecsystems,dc=com" -H 'ldap://ldap.suretecsystems.com:389' -ZZ
- </computeroutput>
- </screen>
+</computeroutput>
+</screen>
+ Then, using <command>ldapsearch</command>, test an anonymous search with the
+ <option>-ZZ</option><footnote><para>See <command>man ldapsearch</command></para></footnote> option:
+<screen width="90">
+<computeroutput>
+&rootprompt; ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" -H 'ldap://ldap.abmas.biz:389' -ZZ
+</computeroutput>
+</screen>
Your results should be the same as before you restarted the server, for example:
- <screen width="90">
- <computeroutput>
-[ghenry@suretec myCA]$ ldapsearch -x -b "dc=ldap,dc=suretecsystems,dc=com" -H 'ldap://ldap.suretecsystems.com:389' -ZZ
+<screen width="90">
+<computeroutput>
+&rootprompt; ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \
+ -H 'ldap://ldap.abmas.biz:389' -ZZ
# extended LDIF
#
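Review bot: the chmod line only sets permissions on cacert.pem (640) and serverkey.pem (600), while the Troubleshooting section says servercrt.pem and cacert.pem should both be 640; either add `chmod 640 /etc/openldap/servercrt.pem` here or make the later text match. The sentence introducing the client side now reads "Here is the declaration and <filename>ldap.conf</filename>:" followed by a bare "<filename>ldap.conf</filename>" line, which is garbled; something like "The corresponding entry in <filename>ldap.conf</filename> is:" with the standalone filename line removed reads cleanly. Note also that newreq.pem was produced with `-keyout newreq.pem -out newreq.pem` and `-nodes`, so the file copied to serverkey.pem holds the unencrypted private key together with the request; the 600 mode on it is the one that matters, and the prose could say so.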
@@ -353,54 +337,54 @@ Starting slapd: [ OK ]
# requesting: ALL
#
-# suretecsystems.com
-dn: dc=ldap,dc=suretecsystems,dc=com
+# abmas.biz
+dn: dc=ldap,dc=abmas,dc=biz
objectClass: dcObject
objectClass: organization
-o: Suretec Systems Ltd.
-dc: suretecsystems
+o: Abmas
+dc: abmas
-# Manager, ldap.suretecsystems.com
-dn: cn=Manager,dc=ldap,dc=suretecsystems,dc=com
+# Manager, ldap.abmas.biz
+dn: cn=Manager,dc=ldap,dc=abmas,dc=biz
objectClass: organizationalRole
cn: Manager
-# SURETEC, suretecsystems.com
-dn: sambaDomainName=SURETEC,dc=ldap,dc=suretecsystems,dc=com
-sambaDomainName: SURETEC
+# ABMAS, abmas.biz
+dn: sambaDomainName=ABMAS,dc=ldap,dc=abmas,dc=biz
+sambaDomainName: ABMAS
sambaSID: S-1-5-21-238355452-1056757430-1592208922
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 67109862
sambaNextGroupRid: 67109863
- </computeroutput>
- </screen>
+</computeroutput>
+</screen>
If you have any problems, please read <xref linkend="s1-int-ldap-tls"></xref>
- </para>
- </sect1>
-
- <sect1 id="s1-int-ldap-tls">
- <title>Troubleshooting</title>
- <para>
- <indexterm>
- <primary>Transport Layer Seccurity, TLS</primary>
- <secondary>Troubleshooting</secondary>
- </indexterm>
- The most common error when configuring TLS, as I have already mentioned
- numerous times, is that the <emphasis>Common Name (CN)</emphasis> you entered
- in <xref linkend="s1-config-ldap-tls-server"></xref> is <emphasis>NOT</emphasis>
- the Full Qualified Domain Name (FQDN) of your ldap server.
- </para>
- <para>Other errors could be that you have a typo somewhere in your
- <command>ldapsearch</command> command, or that your have the wrong
- permissions on the <filename>servercrt.pem</filename> and
- <filename>cacert.pem</filename> files. They should be set with
- <command>chmod 640</command>, as per <xref linkend="s1-config-ldap-tls-install"></xref>.
- </para>
- <para>
- For anything else, it's best to read through your ldap logfile or
- join the &OL; mailing list.
- </para>
- </sect1>
+</para>
+
+</sect1>
+
+<sect1 id="s1-int-ldap-tls">
+<title>Troubleshooting</title>
+
+<para>
+<indexterm><primary>Transport Layer Seccurity, TLS</primary><secondary>Troubleshooting</secondary></indexterm>
+The most common error when configuring TLS, as I have already mentioned numerous times, is that the
+<emphasis>Common Name (CN)</emphasis> you entered in <xref linkend="s1-config-ldap-tls-server"></xref> is
+<emphasis>NOT</emphasis> the Full Qualified Domain Name (FQDN) of your ldap server.
+</para>
+
+<para>
+Other errors could be that you have a typo somewhere in your <command>ldapsearch</command> command, or that
+your have the wrong permissions on the <filename>servercrt.pem</filename> and <filename>cacert.pem</filename>
+files. They should be set with <command>chmod 640</command>, as per <xref
+linkend="s1-config-ldap-tls-install"></xref>.
+</para>
+
+<para>
+For anything else, it's best to read through your ldap logfile or join the &OL; mailing list.
+</para>
+
+</sect1>
</chapter>
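Review bot: two grammar slips survive in the rewritten Troubleshooting paragraphs: "Full Qualified Domain Name" should be "Fully Qualified Domain Name", and "that your have the wrong permissions" should be "that you have". The permissions statement here ("servercrt.pem and cacert.pem ... chmod 640") also does not match the Installing section, which never chmods servercrt.pem and sets serverkey.pem to 600; align the two sections. The indexterm on this sect1 carries the same "Seccurity" typo as the others.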