If you’re using RHEL you probably work in an environment where you don’t have root and the sysadmin will not just let you install random stuff you compiled, assuming gcc is installed at all. Even if you do have an area to install something from source, you’re now stuck with maintaining it. Enter EPEL, a community effort to take Fedora packages and make them available for RHEL 4 and 5. The list of packages is quite impressive, including painful things like php-mssql (for connecting PHP to Microsoft SQLServer).

Apart from providing packages, what it really provides is a sustainable way for your sysadmin to install and maintain packages that RedHat Network doesn’t provide. The basic setup is that your sysadmin installs a configuration RPM, which drops in the yum repository file and the GPG key used to verify the packages, and then just use yum like they normally would.

So, no more installing git from source.

is only avaliable [sic] with the XS version at /usr/lib/perl5/site_perl/5.8.5/IO/Socket/SSL.pm, line 30

I say seemingly because you know you didn’t change anything about IO::Socket::SSL. A few Google searches will at least fill in the blank before the is and tell you that LDAPS is unhappy.

If you are running RHEL 4, you probably had to install IO::Socket::SSL from CPAN. RedHat updated Perl 5.8.5 and some modules that required the XS (interface to use compiled C libraries in modules) version of Scalar::List::Utils. I’m not sure exactly what broke, but the easiest fix is to update IO::Socket::SSL from CPAN and it will update Scalar::List::Utils and all will be well.

rpm -qp --scripts some-package.rpm > rpmscript.sh

Also handy in this context is seeing what files are in the package and where they will be installed.

rpm -qlp some-package.rpm

You may want to specify a build target in the rpmbuild step, although I’m not sure how much performance gain you would get, especially if all the glibc libraries are i386.

pear upgrade Date
downloading Date-1.4.7.tgz ...
Starting to download Date-1.4.7.tgz (55,754 bytes)
.............done: 55,754 bytes
No handlers for package.xml version 2.0

You can’t upgrade PEAR using pear upgrade PEAR because you need at least pear-1.3.3 to get to the latest version.

requires package `PEAR' >= 1.3.3
PEAR: Dependencies failed

Solution:

1. Download PEAR 1.3.3
2. Install with pear upgrade /path/to/pear-1.3.3
3. Upgrade PEAR with pear upgrade pear
4. Optional: Upgrade your existing packages with pear upgrade-all

You may now install packages that use package.xml version 2.0. You are also ahead of the game with regard to RPMs. The next RHN update may hose what you have just done. You should probably consider marking php-pear as a package to ignore.

Update: As noted in the comments, you will need to upgrade to 1.4.11 before you can upgrade to 1.5.0.

You’re running the stock RedHat PHP rpm. RedHat Network doesn’t provide an rpm for php-xslt. So you need to build a php-xslt rpm from source. How do you do that and avoid all the issues we ran into? Good question.

1. Get and build a js rpm from source.
   1. rpm -i js-version.srpm
   2. rpmbuild -bb /usr/src/redhat/SPECS/js.spec
   3. install js and js-devel rpms
2. Get and build a sablotron rpm from source. You need to build from source to avoid problems later on that I will explain.
   1. rpm -i sablotron-version.srpm
   2. Edit /usr/src/redhat/SPECS/sablotron.spec to remove the --with-readline configure option. If PHP tries to load a module that dynamically links to readline, it will barf.
   3. rpmbuild -bb /usr/src/redhat/SPECS/sablotron.spec
   4. install sablotron and sablotron-devel rpms
3. Get and install php source from RHN
   1. up2date --get-source php
   2. rpm -i /var/spool/up2date/php-version.srpm
4. Patch php.spec to enable php-xslt. A patch that works against php-4.3.9-3.15 is available here or here.
   1. cd /usr/src/redhat
   2. patch -p0 < /path/to/patch (You should see that 5 hunks succeeded.)
   3. Edit php.spec so that %{!?xslt:%define xslt 0} says %{!?xslt:%define xslt 1}
5. Build and install php
   1. rpmbuild --bb /usr/src/redhat/SPECS/php.spec
   2. rpm -U --replacepkgs --force --hash /path/to/php /path/to/php-xslt
   3. service httpd reload

How hard could it be, indeed…

Technorati tags: php, xslt, rhel

…where the rain gets in \ and stops my mind from wandering…

While working on a new design for the CAS login page I ran across a bug where a background imagine would not properly attach itself to the bottom of a screen. The odd thing was that the rendering error only appeared in Firefox.

This bug also affects the CSU Chico home page.

After some research, I discovered that I had omitted the background-attachment property for the body tag. By default the attachment is set to scroll and by simply defining the attachment as fixed, I was able to cure the Firefox bug (which may have actually be an all other browsers are broke bug).

Original Code

Fixed Code

So to the unsung maintainer of the CSS code base for the CSU Chico homepage, if you’re curious why this is happening, here’s the solution.

If we add a few classes to this existing structure (plus a few @span@s) we could make the site microformat compatible.

Bam! Microformat compatible.

Making a secure (ldaps) connection in PHP (php-4.3.9-3.8) on Red Hat Enterprise Linux AS release 4 (Nahant Update 1) will fail if on ldap_connect (“Error -1: Can’t connect to LDAP server”) if the certificate cannot be verified. Due to the release of a new intermediate certificate from Verisign, it is likely that your install of openssl will not have access to that intermediate cert. Thus openssl will tell you that there is a self-signed certificate in the chain (“Error -19”). If you recently bought a certificate from Verisign you will not find much in the way of help for dealing with LDAP, PHP, or openssl.

The answer with web servers is generally well documented, and the intermediate certificate is made available to the server to send to the client. This is good because it means that 8 trillion web browsers don’t generally need to be updated to use SSL.

It should also be noted that it is probably best to “fix” this issue at the server level rather than the client because each and every client would need to be fixed as opposed to just fixing the server once. If you do not have access to the server to fix it, this should work for you.

1. Obtain a copy of the Verisign intermediate certificate. Save it as a text file on a system where you can run openssl binaries.

2. Convert from PEM to ca-bundle format (*Update:* There is a updated script for BSD sed if you are on OS X). Save this output as you may need to do the next few steps on multiple servers.

   PLAIN TEXT
   CODE:
   

   1. #!/bin/sh
   2. # Friendly Name
   3. openssl x509 -in $1 -text -noout | \
   4. sed -n -e ’/^[ ]\+Subject:/{s/^.*CN=\([^,]*\).*/\1/;p}’
   5. # Underline Friendly Name with equal signs
   6. openssl x509 -in $1 -text -noout | \
   7. sed -n -e ’/^[ ]\+Subject:/{s/^.*CN=\([^,]*\).*/\1/;p}’ | \
   8. sed -e ’s/./=/g’
   9. # Output Fingerprint and swap = for :
   10. openssl x509 -in $1 -noout -fingerprint | sed -e ’s/=/: /’
   11. # Output PEM Data:
   12. echo ‘PEM Data:’
   13. # Output Certificate
   14. openssl x509 -in $1
   15. # Output Cettificate text swapping Certificate with Certificate Ingredients
   16. openssl x509 -in $1 -text -noout | sed -e ’s/^Certificate:/Certificate Ingredients:/’
   
   

3. Locate and backup your ca-bundle.crt

   locate ca-bundle.crt should show you where on your system this file lives. On RHEL /usr/share/ssl/cert.pem is also symlinked to your ca-bundle.crt.

4. Append the converted intermediate certificate to your ca-bundle.crt file.

   You can now test using the openssl command:

   openssl s_client -host your.ldap.edu -port 636 -CAfile /usr/share/ssl/certs/ca-bundle.crt.

   A Verify return code: 0 (ok) is what you are looking for.

5. Configure OpenLDAP on the system that PHP is running on to use your ca-bundle.crt.

   Locate your ldap.conf for OpenLDAP. On RHEL it is /etc/openldap/ldap.conf.

   Add the following: TLS_CACERT /usr/share/ssl/cert.pem (which on RHEL is a symlink to ca-bundle.crt). Thanks to Rutgers for this tidbit.

6. Restart httpd.

PHP should now successfully connect securely to your LDAP server.

Errata

Added restart of httpd (2005-09-10 11:52:00)