<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 46. LDAP and Transport Layer Security</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.5.x HOWTO and Reference Guide"><link rel="up" href="Appendix.html" title="Part VI. Reference Section"><link rel="prev" href="speed.html" title="Chapter 45. Samba Performance Tuning"><link rel="next" href="ch47.html" title="Chapter 47. Samba Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 46. LDAP and Transport Layer Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><th width="60%" align="center">Part VI. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="ch47.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 46. LDAP and Transport Layer Security"><div class="titlepage"><div><div><h2 class="title"><a name="ch-ldap-tls"></a>Chapter 46. 
LDAP and Transport Layer Security</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gavin</span> <span class="surname">Henry</span></h3><div class="affiliation"><span class="orgname">Suretec Systems Limited, UK<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:ghenry@suretecsystems.com">ghenry@suretecsystems.com</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">July 8, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-intro-ldap-tls">Introduction</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-config-ldap-tls">Configuring</a></span></dt><dd><dl><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-certs">Generating the Certificate Authority</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-server">Generating the Server Certificate</a></span></dt><dt><span class="sect2"><a href="ch-ldap-tls.html#s1-config-ldap-tls-install">Installing the Certificates</a></span></dt></dl></dd><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-test-ldap-tls">Testing</a></span></dt><dt><span class="sect1"><a href="ch-ldap-tls.html#s1-int-ldap-tls">Troubleshooting</a></span></dt></dl></div><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-intro-ldap-tls"></a>Introduction</h2></div></div></div><p>
<a class="indexterm" name="id451018"></a>
<a class="indexterm" name="id451027"></a>
Up until now, we have discussed the straightforward configuration of <span class="trademark">OpenLDAP</span>™,
with some advanced features such as ACLs. None of that, however, changes the fact that the network
transmissions are still in plain text: the credentials with which Samba and other clients bind to the
directory, and every entry they read or write, can be captured or altered by anyone on the path between
client and server. This is where <em class="firstterm">Transport Layer Security (TLS)</em>
comes in.
</p><p>
<a class="indexterm" name="id451048"></a>
<span class="trademark">OpenLDAP</span>™ clients and servers are capable of using the Transport Layer Security (TLS)
framework to provide integrity and confidentiality protections in accordance with <a class="ulink" href="http://rfc.net/rfc2830.html" target="_top">RFC 2830</a>; <span class="emphasis"><em>Lightweight Directory Access Protocol (v3):
Extension for Transport Layer Security.</em></span> RFC 2830 has since been superseded by RFC 4511 and
RFC 4513, which describe the same StartTLS operation.
</p><p>
<a class="indexterm" name="id451076"></a>
TLS uses X.509 certificates. A server is required to have a valid certificate, whereas client certificates
are optional. We will only be discussing server certificates, so TLS as set up here authenticates the server
to its clients and encrypts the session; the clients still identify themselves with ordinary binds, which is
exactly why those binds need the encrypted transport.
</p><div class="tip" title="Tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
<a class="indexterm" name="id451088"></a>
<a class="indexterm" name="id451095"></a>
<a class="indexterm" name="id451101"></a>
The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the
server's fully qualified domain name (FQDN). Additional alias names and wildcards may be present in the
<code class="option">subjectAltName</code> certificate extension. More details on server certificate names are in <a class="ulink" href="http://rfc.net/rfc2830.html" target="_top">RFC2830</a>.
In practice, put the FQDN in <code class="option">subjectAltName</code> as well as in the CN. A client
compares the name it was asked to connect to (the host part of its <code class="literal">ldap://</code>
URI, or the server named in Samba's <code class="option">passdb backend</code> setting) against the
certificate, newer clients consult <code class="option">subjectAltName</code> before, or instead of, the
CN, and a connection made by IP address or short host name fails that check however correct the
certificate is.
</p></div><p>
We will discuss this more in the next sections.
</p></div><div class="sect1" title="Configuring"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-config-ldap-tls"></a>Configuring</h2></div></div></div><p>
<a class="indexterm" name="id451137"></a>
Now on to the good bit.
</p><div class="sect2" title="Generating the Certificate Authority"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-certs"></a>Generating the Certificate Authority</h3></div></div></div><p>
<a class="indexterm" name="id451160"></a>
In order to create the relevant certificates, we need to become our own Certificate Authority (CA).
<sup>[<a name="id451170" href="#ftn.id451170" class="footnote">8</a>]</sup> This is necessary so we can sign the server certificate.
Whoever holds the CA's private key can issue certificates that every one of our clients will trust, so
treat the directory created below as sensitive and, ideally, keep it on a machine other than the LDAP server.
</p><p>
<a class="indexterm" name="id451197"></a>
We will be using the <a class="ulink" href="http://www.openssl.org" target="_top">OpenSSL</a> <sup>[<a name="id451210" href="#ftn.id451210" class="footnote">9</a>]</sup> software for this, which is included with every great <span class="trademark">Linux</span>® distribution.
</p><p>
TLS is used for many types of servers, but the instructions<sup>[<a name="id451226" href="#ftn.id451226" class="footnote">10</a>]</sup> presented here are tailored for <span class="application">OpenLDAP</span>.
</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The <span class="emphasis"><em>Common Name (CN)</em></span> of the CA, in the following example, <span class="emphasis"><em>MUST NOT</em></span> be
the fully qualified domain name (FQDN) of your ldap server. Give the CA a descriptive name of its own (here
<span class="emphasis"><em>Abmas CA</em></span>); the FQDN belongs in the server certificate, generated in the next section.
A CA certificate and a server certificate that share a subject DN will not verify: a certificate whose subject
equals its issuer looks self-signed to OpenSSL, and the server certificate is then rejected as untrusted instead
of being chained to the CA.
</p></div><p>
First we need a directory to hold the CA:
</p><pre class="screen" width="90">
<code class="computeroutput">
<code class="prompt">root# </code> mkdir myCA
</code>
</pre><p>
Move into that directory:
</p><pre class="screen" width="90">
<code class="computeroutput">
<code class="prompt">root# </code> cd myCA
</code>
</pre><p>
Now generate the CA:<sup>[<a name="id451298" href="#ftn.id451298" class="footnote">11</a>]</sup>
</p><pre class="screen" width="90">
<code class="computeroutput">
<code class="prompt">root# </code> /usr/share/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.......................++++++
.............................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Abmas CA
Email Address []:support@abmas.biz
</code>
</pre><p>
</p><p>
There are some things to note here.
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
You <span class="emphasis"><em>MUST</em></span> remember the pass phrase. It protects the CA private key,
<code class="filename">./demoCA/private/cakey.pem</code>, and we will need it every time a server
certificate is signed.
</p></li><li class="listitem"><p>
The <span class="emphasis"><em>Common Name (CN)</em></span> <span class="emphasis"><em>MUST NOT</em></span> be the
fully qualified domain name (FQDN) of your ldap server. It is the CA's own name and has to differ from the
subject of the server certificate.
</p></li><li class="listitem"><p>
The 1024-bit RSA key shown is the <code class="filename">CA.pl</code> default of the time. 1024-bit RSA is no
longer considered adequate; set <code class="option">default_bits = 2048</code> (or larger) in the
<code class="literal">[ req ]</code> section of <code class="filename">openssl.cnf</code> before running
<code class="filename">CA.pl</code>, so that both the CA key and the server key generated below are that size.
</p></li></ol></div></div><div class="sect2" title="Generating the Server Certificate"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-server"></a>Generating the Server Certificate</h3></div></div></div><p>
Now we need to generate the server's private key and a certificate signing request (CSR) for it. The
<code class="option">-nodes</code> option leaves the private key unencrypted, which is what
<span class="application">slapd</span> needs in order to start without somebody typing a pass phrase; the file
permissions set in <a class="xref" href="ch-ldap-tls.html#s1-config-ldap-tls-install" title="Installing the Certificates">the section called “Installing the Certificates”</a> are what protect it:
</p><pre class="screen" width="90">
<code class="computeroutput">
<code class="prompt">root# </code> openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.............++++++
........................................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abmas
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:ldap.abmas.biz
Email Address []:support@abmas.biz

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</code>
</pre><p>
</p><p>
Again, there are some things to note here.
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
Leave the challenge password blank. It is an attribute of the request, <span class="emphasis"><em>NOT</em></span>
a pass phrase on the key, and our CA does not use it; the key itself is already unencrypted because of
<code class="option">-nodes</code>.
</p></li><li class="listitem"><p>
The <span class="emphasis"><em>Common Name (CN)</em></span> <span class="emphasis"><em>MUST</em></span> be
the fully qualified domain name (FQDN) of your ldap server, spelled exactly as clients will name it in their
<code class="literal">ldap://</code> URIs (here <code class="literal">ldap.abmas.biz</code>). Being a different
name from the CA's, this also keeps the two subject DNs distinct.
</p></li></ol></div><p>
Now we sign the request with the new CA. <code class="filename">CA.pl -sign</code> reads
<code class="filename">newreq.pem</code> and writes the signed certificate to <code class="filename">newcert.pem</code>:
</p><pre class="screen" width="90">
<code class="computeroutput">
<code class="prompt">root# </code> /usr/share/ssl/misc/CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar  6 18:22:26 2005 EDT
Not After : Mar  6 18:22:26 2006 EDT
Subject:
countryName               = AU
stateOrProvinceName       = NSW
localityName              = Sydney
organizationName          = Abmas
organizationalUnitName    = IT
commonName                = ldap.abmas.biz
emailAddress              = support@abmas.biz
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F7:84:87:25:C4:E8:46:6D:0F:47:27:91:F0:16:E0:86:6A:EE:A3:CE
X509v3 Authority Key Identifier:
keyid:27:44:63:3A:CB:09:DC:B1:FF:32:CC:93:23:A4:F1:B4:D5:F0:7E:CC
DirName:/C=AU/ST=NSW/L=Sydney/O=Abmas/OU=IT/
CN=Abmas CA/emailAddress=support@abmas.biz
serial:00

Certificate is to be certified until Mar  6 18:22:26 2006 EDT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
</code>
</pre><p>
</p><p>
That completes the server certificate generation. Note the <code class="literal">Not After</code> date: the
certificate is valid for 365 days, and once it has expired every client that verifies certificates (the
default) will refuse to connect, so record when it must be renewed.
</p></div><div class="sect2" title="Installing the Certificates"><div class="titlepage"><div><div><h3 class="title"><a name="s1-config-ldap-tls-install"></a>Installing the Certificates</h3></div></div></div><p>
Now we need to copy the certificates to the right configuration directories,
rename them at the same time (for convenience), change the ownership and
finally the permissions. <code class="filename">newreq.pem</code> holds both the private key and the
signing request; <span class="application">slapd</span> picks the key out of it, so the file can be installed
as the key file as it is. The CA's private key, <code class="filename">demoCA/private/cakey.pem</code>, is
deliberately not copied: <span class="application">slapd</span> never needs it. Substitute the account your
<span class="application">slapd</span> runs as if it is not <code class="literal">ldap</code>:
</p><pre class="screen" width="90">
<code class="computeroutput">
<code class="prompt">root# </code> cp demoCA/cacert.pem /etc/openldap/
<code class="prompt">root# </code> cp newcert.pem /etc/openldap/servercrt.pem
<code class="prompt">root# </code> cp newreq.pem /etc/openldap/serverkey.pem
<code class="prompt">root# </code> chown ldap:ldap /etc/openldap/*.pem
<code class="prompt">root# </code> chmod 640 /etc/openldap/cacert.pem /etc/openldap/servercrt.pem
<code class="prompt">root# </code> chmod 600 /etc/openldap/serverkey.pem
</code>
</pre><p>
</p><p>
Now we just need to add these locations to <code class="filename">slapd.conf</code>,
anywhere before the first <code class="option">database</code> declaration, as shown here:
</p><pre class="screen" width="90">
<code class="computeroutput">
TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSCACertificateFile /etc/openldap/cacert.pem
</code>
</pre><p>
If your <span class="application">slapd</span> is configured through <code class="literal">cn=config</code>
rather than <code class="filename">slapd.conf</code>, the same three settings are the
<code class="option">olcTLSCertificateFile</code>, <code class="option">olcTLSCertificateKeyFile</code> and
<code class="option">olcTLSCACertificateFile</code> attributes of the <code class="literal">cn=config</code> entry.
</p><p>
Here is the matching declaration on the client side, in <code class="filename">ldap.conf</code>, so that
<code class="literal">ldapsearch</code> and the other OpenLDAP client tools (and, through libldap, Samba)
trust our CA:
</p><pre class="screen" width="90">
<code class="computeroutput">
TLS_CACERT /etc/openldap/cacert.pem
</code>
</pre><p>
Every client needs a copy of <code class="filename">cacert.pem</code>. Leave the client's
<code class="option">TLS_REQCERT</code> at its default of <code class="literal">demand</code>: lowering it to
<code class="literal">allow</code> or <code class="literal">never</code> makes the client accept any
certificate at all and defeats the purpose of the exercise.
</p><p>
That's all there is to it on the directory side. Samba's own connections to the directory are only protected
if <code class="filename">smb.conf</code> has <code class="option">ldap ssl = start tls</code> and names the
server by the FQDN in its certificate. Now on to <a class="xref" href="ch-ldap-tls.html#s1-test-ldap-tls" title="Testing">the section called “Testing”</a>.
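</p><p>
The three sections above, carried out non-interactively and then checked the way a client would check them,
as an added example. This script is not part of the Samba HOWTO and is not code from the OpenLDAP or OpenSSL
projects. It assumes a scratch directory <code class="literal">WORK</code>, 2048-bit RSA keys, a CA subject
of <code class="literal">Abmas CA</code> that differs from the server's, a
<code class="option">subjectAltName</code> carrying the FQDN, an unencrypted CA key so that the run needs no
pass phrase (so the file's permissions are its only protection), and an OpenSSL with
<code class="option">-verify_hostname</code> (1.0.2 or later). It goes beyond the page in one respect: the
name check is exercised with a wrong name as well as the right one, which is the mismatch the Troubleshooting
section describes.
</p>

```sh
#!/bin/sh
# Added example (not from the Samba HOWTO): build a CA and a slapd server
# certificate without prompts, then verify chain and name as a client would.
# Assumptions not taken from the page: 2048-bit keys, CA subject "Abmas CA",
# a subjectAltName on the server certificate, an unencrypted CA key (guard it
# with permissions; the page's CA.pl encrypts it instead) and a scratch WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="ldap.abmas.biz"          # the FQDN clients will put in ldap:// URIs

# 1. The CA: self-signed, with its own descriptive subject. The CN is
#    "Abmas CA", not the server name: CA and server must not share a DN.
make_ca() {
    printf '%s\n' \
        '[req]' 'distinguished_name=dn' 'prompt=no' 'x509_extensions=v3_ca' \
        '[dn]' 'C=AU' 'O=Abmas' 'CN=Abmas CA' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
        > "$WORK/ca.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
    chmod 600 "$WORK/cakey.pem"
}

# 2. The server key (unencrypted, as slapd must read it at start) and CSR.
#    The CN is the FQDN clients will connect to.
make_server_request() {
    printf '%s\n' \
        '[req]' 'distinguished_name=dn' 'prompt=no' \
        '[dn]' 'C=AU' 'O=Abmas' "CN=$HOST" \
        > "$WORK/server.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/server.cnf" \
        -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" 2>/dev/null
    chmod 600 "$WORK/serverkey.pem"
}

# 3. Sign the CSR with the CA, adding what a server certificate needs: not a
#    CA, usable for server authentication, and the FQDN in subjectAltName,
#    which modern clients check before (or instead of) the CN.
sign_server_request() {
    printf '%s\n' \
        'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$HOST" \
        > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -sha256 -days 365 \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/servercrt.pem" 2>/dev/null
}

# 4. Verify as a client would: chain to our CA *and* match the name given.
#    Succeeds (returns 0) only when openssl reports "<file>: OK".
verify_as_client() {
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
        "$WORK/servercrt.pem" 2>/dev/null | grep -q ': OK$'
}

# Subject DN of a certificate; used to confirm CA and server differ.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Succeeds when a PEM private key carries no ENCRYPTED header, i.e. slapd
# can load it without a pass phrase.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Build everything and show the result when invoked as "sh script.sh run";
# guarded so the file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    make_ca; make_server_request; sign_server_request
    cert_subject "$WORK/cacert.pem"
    cert_subject "$WORK/servercrt.pem"
    verify_as_client "$HOST" && echo "verified as $HOST"
    echo "files are in $WORK"
fi
```

<p>
Copy <code class="filename">cacert.pem</code>, <code class="filename">servercrt.pem</code> and
<code class="filename">serverkey.pem</code> from the scratch directory into <code class="filename">/etc/openldap/</code>
as in <a class="xref" href="ch-ldap-tls.html#s1-config-ldap-tls-install" title="Installing the Certificates">the section called “Installing the Certificates”</a>;
<code class="filename">cakey.pem</code> stays behind. Against a running server, <code class="literal">openssl
s_client -connect ldap.abmas.biz:389 -starttls ldap -CAfile /etc/openldap/cacert.pem</code> (OpenSSL 1.1.0 or
later) performs the same StartTLS handshake as <code class="literal">ldapsearch -ZZ</code> and prints
<code class="literal">Verify return code: 0 (ok)</code> when chain and name check pass.
</p><p>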
</p></div></div><div class="sect1" title="Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-test-ldap-tls"></a>Testing</h2></div></div></div><p>
<a class="indexterm" name="id451662"></a>
This is the easy part. Restart the server (the init script is called <code class="literal">ldap</code> on
Red Hat-derived systems and <code class="literal">slapd</code> on most others):
</p><pre class="screen" width="90">
<code class="computeroutput">
<code class="prompt">root# </code> /etc/init.d/ldap restart
Stopping slapd:                                            [  OK  ]
Checking configuration files for slapd: config file testing succeeded
Starting slapd:                                            [  OK  ]
</code>
</pre><p>
Then, using <code class="literal">ldapsearch</code>, test an anonymous search with the
<code class="option">-ZZ</code><sup>[<a name="id451701" href="#ftn.id451701" class="footnote">12</a>]</sup> option.
<code class="option">-ZZ</code> sends the StartTLS extended operation and aborts if TLS cannot be established,
so a result proves that the handshake and the certificate check succeeded; a single
<code class="option">-Z</code> would quietly carry on in clear text if StartTLS failed:
</p><pre class="screen" width="90">
<code class="computeroutput">
<code class="prompt">root# </code> ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \
-H 'ldap://ldap.abmas.biz:389' -ZZ
</code>
</pre><p>
Your results should be the same as before you restarted the server, for example:
</p><pre class="screen" width="90">
<code class="computeroutput">
<code class="prompt">root# </code> ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \
-H 'ldap://ldap.abmas.biz:389' -ZZ

# extended LDIF
#
# LDAPv3
# base &lt;dc=ldap,dc=abmas,dc=biz&gt; with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# abmas.biz
dn: dc=ldap,dc=abmas,dc=biz
objectClass: dcObject
objectClass: organization
o: Abmas
dc: abmas

# Manager, ldap.abmas.biz
dn: cn=Manager,dc=ldap,dc=abmas,dc=biz
objectClass: organizationalRole
cn: Manager

# ABMAS, abmas.biz
dn: sambaDomainName=ABMAS,dc=ldap,dc=abmas,dc=biz
sambaDomainName: ABMAS
sambaSID: S-1-5-21-238355452-1056757430-1592208922
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 67109862
sambaNextGroupRid: 67109863
</code>
</pre><p>
If the search fails with a TLS error instead, nothing was sent in the clear; the certificate could not be
verified. If you have any problems, please read <a class="xref" href="ch-ldap-tls.html#s1-int-ldap-tls" title="Troubleshooting">the section called “Troubleshooting”</a>.
</p></div><div class="sect1" title="Troubleshooting"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="s1-int-ldap-tls"></a>Troubleshooting</h2></div></div></div><p>
<a class="indexterm" name="id451783"></a>
The most common error when configuring TLS, as I have already mentioned numerous times, is that the
<span class="emphasis"><em>Common Name (CN)</em></span> you entered in <a class="xref" href="ch-ldap-tls.html#s1-config-ldap-tls-server" title="Generating the Server Certificate">the section called “Generating the Server Certificate”</a> is
<span class="emphasis"><em>NOT</em></span> the Fully Qualified Domain Name (FQDN) of your ldap server, or is not
the name the client was told to connect to. The next most common is a CA certificate that shares its subject DN
with the server certificate; see the note in <a class="xref" href="ch-ldap-tls.html#s1-config-ldap-tls-certs" title="Generating the Certificate Authority">the section called “Generating the Certificate Authority”</a>.
</p><p>
Other errors could be that you have a typo somewhere in your <code class="literal">ldapsearch</code> command, or that
you have the wrong permissions on the <code class="filename">servercrt.pem</code> and <code class="filename">cacert.pem</code>
files. They should be set with <code class="literal">chmod 640</code>, and <code class="filename">serverkey.pem</code>
with <code class="literal">chmod 600</code>, all owned by the account <span class="application">slapd</span> runs as,
as per <a class="xref" href="ch-ldap-tls.html#s1-config-ldap-tls-install" title="Installing the Certificates">the section called “Installing the Certificates”</a>.
A key file <span class="application">slapd</span> cannot read stops TLS from starting; one the whole system can
read lets anyone impersonate the server. Also check that the clocks on client and server are right, since a
certificate is only valid between its <code class="literal">Not Before</code> and <code class="literal">Not After</code> dates.
</p><p>
For anything else, it's best to run <code class="literal">ldapsearch</code> with debugging enabled
(<code class="option">-d 1</code>), which prints the TLS error reported by the library, read through your ldap
logfile, or join the <span class="application">OpenLDAP</span> mailing list.
</p></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id451170" href="#id451170" class="para">8</a>] </sup>We could, however, get our generated server certificate signed by a public CA, such as <a class="ulink" href="http://www.thawte.com/" target="_top">Thawte</a> and <a class="ulink" href="http://www.verisign.com/" target="_top">VeriSign</a>, which
you pay for, or the free ones, via <a class="ulink" href="http://www.cacert.org/" target="_top">CAcert</a>.
</p></div><div class="footnote"><p><sup>[<a name="ftn.id451210" href="#id451210" class="para">9</a>] </sup>The downside to
making our own CA is that its certificate is not automatically recognized by clients, as the commercial
ones are; every client needs its own copy of <code class="filename">cacert.pem</code>.</p></div><div class="footnote"><p><sup>[<a name="ftn.id451226" href="#id451226" class="para">10</a>] </sup>For information straight from the
horse's mouth, please visit <a class="ulink" href="http://www.openssl.org/docs/HOWTO/" target="_top">http://www.openssl.org/docs/HOWTO/</a>; the main OpenSSL
site.</p></div><div class="footnote"><p><sup>[<a name="ftn.id451298" href="#id451298" class="para">11</a>] </sup>Your <code class="filename">CA.pl</code> or <code class="filename">CA.sh</code> might not be
in the same location as mine is; you can find it by using the <code class="literal">locate</code> command, i.e.,
<code class="literal">locate CA.pl</code>.  If the command complains about the database being too old, run
<code class="literal">updatedb</code> as <span class="emphasis"><em>root</em></span> to update it.</p></div><div class="footnote"><p><sup>[<a name="ftn.id451701" href="#id451701" class="para">12</a>] </sup>See <code class="literal">man ldapsearch</code></p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="speed.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Appendix.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ch47.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 45. Samba Performance Tuning </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 47. Samba Support</td></tr></table></div></body></html>