Samba Administration Guide - Troubleshooting

The most common error when configuring TLS, as I have already mentioned numerous times, is that the Common Name (CN) you entered in the section called “Generating the Server Certificate” is NOT the Fully Qualified Domain Name (FQDN) of your ldap server.

Other errors could be that you have a typo somewhere in your ldapsearch command, or that your have the wrong permissions on the servercrt.pem and cacert.pem files. They should be set with chmod 640 , as per the section called “Installing the Certificates”.

For anything else, it's best to read through your ldap logfile or join the OpenLDAP mailing list.

^[8]We could however, get our generated server certificate signed by proper CAs, like Thawte and VeriSign, which you pay for, or the free ones, via CAcert

^[9]The downside to making our own CA, is that the certificate is not automatically recognized by clients, like the commercial ones are.

^[10]For information straight from the horse's mouth, please visit https://www.openssl.org/docs/HOWTO/; the main OpenSSL site.

^[11]Your CA.pl or CA.sh might not be in the same location as mine is, you can find it by using the locate command, i.e., locate CA.pl . If the command complains about the database being too old, run updatedb as root to update it.

^[12]See man ldapsearch