Wherein we write down some stuff that we know.

Archive for the ‘HOWTO’ Category

CAS-ifying Wordpress MU

Sunday, October 29th, 2006

A huge thanks to Andrej Ciho for posting his HOWTO CAS-ify Wordpress MU. This could be a big help for us, and many other institutions that are using CAS.

RHEL 4 and php-xslt

Wednesday, September 20th, 2006

It all started out innocently enough: a JIRA issue for me to install the PHP XSLT module. How hard could it be? When you ask yourself that question, immediately realize that you are in trouble.

You’re running the stock RedHat PHP rpm. RedHat Network doesn’t provide an rpm for php-xslt. So you need to build a php-xslt rpm from source. How do you do that and avoid all the issues we ran into? Good question.

  1. Get and build a js rpm from source.
    1. rpm -i js-version.srpm
    2. rpmbuild -bb /usr/src/redhat/SPECS/js.spec
    3. install js and js-devel rpms
  2. Get and build a sablotron rpm from source. You need to build from source to avoid problems later on that I will explain.
    1. rpm -i sablotron-version.srpm
    2. Edit /usr/src/redhat/SPECS/sablotron.spec to remove the --with-readline configure option. If PHP tries to load a module that dynamically links to readline, it will barf.
    3. rpmbuild -bb /usr/src/redhat/SPECS/sablotron.spec
    4. install sablotron and sablotron-devel rpms
  3. Get and install php source from RHN
    1. up2date --get-source php
    2. rpm -i /var/spool/up2date/php-version.srpm
  4. Patch php.spec to enable php-xslt. A patch that works against php-4.3.9-3.15 is available here or here.
    1. cd /usr/src/redhat
    2. patch -p0 < /path/to/patch (You should see that 5 hunks succeeded.)
    3. Edit php.spec so that %{!?xslt:%define xslt 0} says %{!?xslt:%define xslt 1}
  5. Build and install php
    1. rpmbuild -bb /usr/src/redhat/SPECS/php.spec
    2. rpm -U --replacepkgs --force --hash /path/to/php /path/to/php-xslt
    3. service httpd reload

How hard could it be, indeed…


Fixing a hole…

Monday, May 15th, 2006

…where the rain gets in \ and stops my mind from wandering…

While working on a new design for the CAS login page I ran across a bug where a background image would not properly attach itself to the bottom of the screen. The odd thing was that the rendering error only appeared in Firefox.

This bug also affects the CSU Chico home page.

Missing CSS Property

After some research, I discovered that I had omitted the background-attachment property for the body tag. By default the attachment is set to scroll, and by simply defining the attachment as fixed I was able to cure the Firefox bug (which may actually have been an “all other browsers are broken” bug).

Original Code

CSS:
  body {
    background-color: #999;
    background-image: url(/images/bkg-body.jpg);
    background-repeat: repeat-x;
    background-position: bottom;
  }

Fixed Code

CSS:
  body {
    background-color: #999;
    background-image: url(/images/bkg-body.jpg);
    background-repeat: repeat-x;
    background-position: bottom;
    background-attachment: fixed;
  }

So to the unsung maintainer of the CSS code base for the CSU Chico homepage, if you’re curious why this is happening, here’s the solution.

Microformat Exercise Part 2: Faculty Listings

Monday, May 8th, 2006

Today we saw a preview of the new English Department website that featured a directory listing of faculty members. Here’s a sample of the markup for one faculty member:

HTML:
  <td width="34%">
    <strong><a href="bio/lastnameFirstInitial.shtml">Jane Doe</a> </strong><br />
    Composition, Literature <br />
    Phone: 898-0000 <br />
    Office: Building 116 <br />
    <a href="mailto:jdoe@csuchico.edu">jdoe@csuchico.edu</a>
  </td>

If we add a few classes to this existing structure (plus a few span elements) we could make the site microformat compatible.

HTML:
  <td width="34%" class="vcard">
    <strong class="fn">
      <a class="url" href="bio/lastnameFirstInitial.shtml">Jane Doe</a>
    </strong><br />
    <span class="org">Composition, Literature</span><br />
    <span class="tel">Phone: <span class="value">898-0000</span></span><br />
    <span class="adr">Office: <span class="extended-address">Building 116</span></span><br />
    <a class="email" href="mailto:jdoe@csuchico.edu">jdoe@csuchico.edu</a>
  </td>

Bam! Microformat compatible.
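To show what the added classes buy you, here is an added example (not the English Department site's code and not part of the original post) that pulls the hCard properties back out of markup like the listing above using Python's html.parser; SAMPLE is constructed from that listing.

```python
# Added example, not the English Department site's code: pull the hCard properties
# back out of markup like the listing above. SAMPLE is constructed from that listing.
from html.parser import HTMLParser

HCARD_PROPS = {"fn", "url", "org", "tel", "adr", "email"}

class HCardExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.cards = []    # one dict per element carrying class="vcard"
        self._frames = []  # open elements as [property, text, value-text]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        cls = set((a.get("class") or "").split())
        if "vcard" in cls:
            self.cards.append({})
        prop = next((p for p in cls if p in HCARD_PROPS), None) if self.cards else None
        if prop in ("url", "email") and "href" in a:   # machine-readable form is the href
            self.cards[-1][prop] = a["href"].removeprefix("mailto:")
        if "value" in cls and self.cards:
            prop = "value"  # child holding the machine-readable part of tel
        if tag != "br":     # <br /> arrives as start+end; a bare <br> would not
            self._frames.append([prop, "", None])

    def handle_data(self, data):
        for frame in self._frames:  # text belongs to every enclosing element
            frame[1] += data

    def handle_endtag(self, tag):
        if tag == "br" or not self._frames:
            return
        prop, text, value = self._frames.pop()
        if prop == "value" and self._frames:  # hand the value up to its parent (the tel)
            self._frames[-1][2] = text.strip()
        elif prop and prop not in ("url", "email"):
            self.cards[-1][prop] = value if value is not None else text.strip()

def extract_hcards(html):
    parser = HCardExtractor()
    parser.feed(html)
    return parser.cards

SAMPLE = """<td class="vcard">
  <strong class="fn"><a class="url" href="bio/lastnameFirstInitial.shtml">Jane Doe</a></strong><br />
  <span class="org">Composition, Literature</span><br />
  <span class="tel">Phone: <span class="value">898-0000</span></span><br />
  <span class="adr">Office: <span class="extended-address">Building 116</span></span><br />
  <a class="email" href="mailto:jdoe@csuchico.edu">jdoe@csuchico.edu</a>
</td>"""
```

Running extract_hcards(SAMPLE) yields one dict with fn, url, org, tel, adr and email, which is exactly what a directory crawler or address-book importer would consume.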

HOWTO: “Fix” Secure LDAP in PHP

Saturday, February 18th, 2006

Preface: I am not an expert in encryption, SSL, or LDAP. Your install may be functioning just fine and you don’t need any of this information. You use this at your own risk as it may be completely wrong. That being said, it worked for me.

Making a secure (ldaps) connection in PHP (php-4.3.9-3.8) on Red Hat Enterprise Linux AS release 4 (Nahant Update 1) will fail on ldap_connect (“Error -1: Can’t connect to LDAP server”) if the certificate cannot be verified. Because Verisign has released a new intermediate certificate, it is likely that your install of openssl does not have access to that intermediate cert, so openssl will tell you that there is a self-signed certificate in the chain (“Error -19”). If you recently bought a certificate from Verisign you will not find much in the way of help for dealing with LDAP, PHP, or openssl.

The answer with web servers is generally well documented, and the intermediate certificate is made available to the server to send to the client. This is good because it means that 8 trillion web browsers don’t generally need to be updated to use SSL.

It should also be noted that it is probably best to “fix” this issue at the server level rather than the client because each and every client would need to be fixed as opposed to just fixing the server once. If you do not have access to the server to fix it, this should work for you.

  1. Obtain a copy of the Verisign intermediate certificate. Save it as a text file on a system where you can run openssl binaries.

  2. Convert from PEM to ca-bundle format (*Update:* There is an updated script for BSD sed if you are on OS X). Save this output as you may need to do the next few steps on multiple servers.

    CODE:
    #!/bin/sh
    # Usage: sh this-script.sh intermediate.pem (writes the ca-bundle entry to stdout)
    # Friendly Name (the subject CN)
    openssl x509 -in "$1" -text -noout | \
    sed -n -e '/^[ ]\+Subject:/{s/^.*CN=\([^,]*\).*/\1/;p}'
    # Underline Friendly Name with equal signs
    openssl x509 -in "$1" -text -noout | \
    sed -n -e '/^[ ]\+Subject:/{s/^.*CN=\([^,]*\).*/\1/;p}' | \
    sed -e 's/./=/g'
    # Output Fingerprint and swap = for :
    openssl x509 -in "$1" -noout -fingerprint | sed -e 's/=/: /'
    # Output PEM Data:
    echo 'PEM Data:'
    # Output Certificate
    openssl x509 -in "$1"
    # Output certificate text, swapping "Certificate:" with "Certificate Ingredients:"
    openssl x509 -in "$1" -text -noout | sed -e 's/^Certificate:/Certificate Ingredients:/'

  3. Locate and back up your ca-bundle.crt

    locate ca-bundle.crt should show you where on your system this file lives. On RHEL /usr/share/ssl/cert.pem is also symlinked to your ca-bundle.crt.

  4. Append the converted intermediate certificate to your ca-bundle.crt file.

    You can now test using the openssl command:

    openssl s_client -host your.ldap.edu -port 636 -CAfile /usr/share/ssl/certs/ca-bundle.crt

    A Verify return code: 0 (ok) is what you are looking for.

  5. Configure OpenLDAP on the system that PHP is running on to use your ca-bundle.crt.

    Locate your ldap.conf for OpenLDAP. On RHEL it is /etc/openldap/ldap.conf.

    Add the following: TLS_CACERT /usr/share/ssl/cert.pem (which on RHEL is a symlink to ca-bundle.crt). Thanks to Rutgers for this tidbit.

  6. Restart httpd.

PHP should now successfully connect securely to your LDAP server.
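As an added example (not the post's script and not part of the original), the bundle-maintenance part of steps 2 and 4 and the check of step 4 in Python: add_to_bundle writes an intermediate into ca-bundle.crt in the same layout as the script above but only when its fingerprint is not already present, which matters when you repeat the step on several servers, and probe_ldaps does what the openssl s_client test does and returns OpenSSL's verify message. The PEM blocks are constructed stand-ins (base64 of a label, not real certificates); host names and paths are placeholders.

```python
# Added example (not the post's script): keep ca-bundle.crt idempotent and probe an
# ldaps server against it. EXAMPLE_* are constructed stand-ins, not certificates.
import base64, hashlib, re, socket, ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Base64 bodies of every certificate block in a bundle, in file order."""
    return [m.group(1) for m in PEM_RE.finditer(text)]

def fingerprint(b64_body):
    """SHA1 over the DER bytes, formatted like `openssl x509 -fingerprint`."""
    der = base64.b64decode("".join(b64_body.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())

def add_to_bundle(bundle_text, cert_pem, title):
    """Append cert_pem in the ca-bundle layout (title, === underline, fingerprint,
    PEM data) unless a block with that fingerprint is already there, so re-running
    the step on a server does not pile up duplicates. Returns (text, added)."""
    bodies = pem_blocks(cert_pem)
    if len(bodies) != 1:
        raise ValueError("expected exactly one certificate block")
    fp = fingerprint(bodies[0])
    if fp in {fingerprint(b) for b in pem_blocks(bundle_text)}:
        return bundle_text, False
    entry = "\n".join([title, "=" * len(title), "SHA1 Fingerprint: " + fp,
                       "PEM Data:", cert_pem.strip(), ""])
    sep = "" if not bundle_text or bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + entry, True

def probe_ldaps(host, cafile, port=636, timeout=5):
    """TLS handshake with the ldaps port, verifying the chain against cafile.
    Returns 'ok', or OpenSSL's verify message (e.g. the self-signed-certificate-
    in-chain error seen when the intermediate is still missing from the bundle)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as err:
        return err.verify_message

def _fake_pem(label):
    """Constructed PEM-shaped block (base64 of a label, not a certificate)."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

EXAMPLE_BUNDLE = _fake_pem("constructed root CA already in the bundle")
EXAMPLE_INTERMEDIATE = _fake_pem("constructed intermediate CA to add")
```

With a real bundle and intermediate, run add_to_bundle once, write the result back over the backed-up ca-bundle.crt, then probe_ldaps("your.ldap.edu", "/usr/share/ssl/certs/ca-bundle.crt") should return "ok".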

Errata

Added restart of httpd (2005-09-10 11:52:00)