Recently in Computers Category
Without a hint of irony I can tell you that Mark Pilgrim's Remote Mac HOWTO is the best (read: easiest to understand) tutorial for using all the cool ssh tools on Windows that I have seen.
Preface: I am not an expert in encryption, SSL, or LDAP. Your install may be functioning just fine and you don’t need any of this information. You use this at your own risk as it may be completely wrong. That being said, it worked for me.
Making a secure (ldaps) connection in PHP (php-4.3.9-3.8) on Red Hat Enterprise Linux AS release 4 (Nahant Update 1) will fail on ldap_connect (Error -1: Can't connect to LDAP server) if the certificate cannot be verified. Due to the release of a new intermediate certificate from Verisign, it is likely that your install of openssl will not have access to that intermediate cert. Thus openssl will tell you that there is a self-signed certificate in the chain (error -19). If you recently bought a certificate from Verisign you will not find much in the way of help for dealing with LDAP, PHP, or openssl.
The answer with web servers is generally well documented, and the intermediate certificate is made available to the server to send to the client. This is good because it means that 8 trillion web browsers don’t generally need to be updated to use SSL.
It should also be noted that it is probably best to "fix" this issue at the server level rather than at the client, because otherwise each and every client would need to be fixed, as opposed to fixing the server once. If you do not have access to the server to fix it, this should work for you.
Obtain a copy of the Verisign intermediate certificate. Save it as a text file on a system where you can run openssl binaries.
Convert from PEM to ca-bundle format with the script below (run it with the certificate file as its only argument). Save this output, as you may need to do the next few steps on multiple servers.
#!/bin/sh
# Friendly Name
openssl x509 -in "$1" -text -noout | \
  sed -n -e '/^[ ]\+Subject:/{s/^.*CN=\([^,]*\).*/\1/;p}'
# Underline Friendly Name with equal signs
openssl x509 -in "$1" -text -noout | \
  sed -n -e '/^[ ]\+Subject:/{s/^.*CN=\([^,]*\).*/\1/;p}' | \
  sed -e 's/./=/g'
# Output Fingerprint and swap = for :
openssl x509 -in "$1" -noout -fingerprint | sed -e 's/=/: /'
# Output PEM Data:
echo 'PEM Data:'
# Output Certificate
openssl x509 -in "$1"
# Output Certificate text, swapping Certificate with Certificate Ingredients
openssl x509 -in "$1" -text -noout | sed -e 's/^Certificate:/Certificate Ingredients:/'

Locate and back up your ca-bundle.crt.
locate ca-bundle.crt should show you where on your system this file lives. On RHEL, /usr/share/ssl/cert.pem is also symlinked to your ca-bundle.crt.
Append the converted intermediate certificate to your ca-bundle.crt file.
You can now test using the openssl command:
openssl s_client -host your.ldap.edu -port 636 -CAfile /usr/share/ssl/certs/ca-bundle.crt
A "Verify return code: 0 (ok)" is what you are looking for.
Configure OpenLDAP on the system that PHP is running on to use your ca-bundle.crt.
Locate your ldap.conf for OpenLDAP. On RHEL it is /etc/openldap/ldap.conf. Add the following:
TLS_CACERT /usr/share/ssl/cert.pem
(which on RHEL is a symlink to ca-bundle.crt). Thanks to Rutgers for this tidbit.
Restart httpd.
PHP should now successfully connect securely to your LDAP server.
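To see why appending the intermediate to the bundle fixes the verification failure, here is an added example that is not part of the original post. It builds a throwaway root -> intermediate -> leaf chain (all names such as "Demo Root CA" and ldap.example.edu are placeholders, not real Verisign or campus certificates) and then verifies the leaf three ways: against a bundle holding only the root (the unpatched client), against a bundle with the intermediate appended (the client-side fix described above), and against the root-only bundle with the intermediate supplied the way a correctly configured server would send it (the server-side fix the post recommends). It assumes only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "missing intermediate"
# failure with a locally constructed chain and show both fixes.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert NAME CN ISSUER EXTENSIONS: key + CSR, then sign (self-signed if ISSUER is empty)
mkcert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
    printf '%s\n' "$4" > "$WORK/$1.ext"
    if [ -z "$3" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -out "$WORK/$1.pem" -days 1 -extfile "$WORK/$1.ext" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
            -CAcreateserial -out "$WORK/$1.pem" -days 1 -extfile "$WORK/$1.ext" >/dev/null 2>&1
    fi
}

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE'

mkcert root  "Demo Root CA"         ""    "$CA_EXT"    # placeholder root CA
mkcert inter "Demo Intermediate CA" root  "$CA_EXT"    # placeholder intermediate
mkcert leaf  "ldap.example.edu"     inter "$LEAF_EXT"  # placeholder LDAP server cert

# The client's trust store as shipped: root only (an unpatched ca-bundle.crt)
cp "$WORK/root.pem" "$WORK/ca-bundle.crt"
# The post's client-side fix: append the intermediate to the bundle
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/ca-bundle-fixed.crt"

# verify_leaf BUNDLE [EXTRA]: verify the leaf against BUNDLE; EXTRA, if given, stands in
# for the certificates a server sends along with its leaf (openssl's -untrusted input).
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
    fi
}

# show LABEL BUNDLE [EXTRA]: print one line per case
show() {
    label=$1; shift
    if verify_leaf "$@"; then echo "$label: verify OK"; else echo "$label: verify FAIL"; fi
}
show "client bundle = root only"            "$WORK/ca-bundle.crt"
show "client bundle = root + intermediate"  "$WORK/ca-bundle-fixed.crt"
show "root-only bundle, server sends inter" "$WORK/ca-bundle.crt" "$WORK/inter.pem"
```

The first case is the situation the post describes: openssl can find no issuer for the leaf in the trust store and verification fails. The second case is what appending the intermediate to ca-bundle.crt achieves, and the third is why fixing the server once is preferable: a client that only trusts the root still succeeds when the intermediate arrives with the server's chain.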
Errata
Added restart of httpd (2005-09-10 11:52:00)
So I sat down to write a thoughtful "update" of my software RAID problem and it turns out I never wrote the original piece. Oops. So, first the update. Things are fine.
Now the backstory...
A few days ago I got a rather scary e-mail from mdadm saying that a Fail event had been detected on md device /dev/md1. That is the root partition in a software RAID array on a RHEL 3.0 box. Uh-oh. It didn't sound good, and yet the box was running along just fine. This was because the RAID array did its job. Yay.
Between then and now we had correspondence with the main IT people. But we'll just skip over that part. The solution, provided by a kind friend over irc, was pretty simple. Run raidhotremove and then raidhotadd. Then the magic will start to happen. Of course you have to check /proc/mdstat to actually see the magic happening.
md1 : active raid1 sdb2[2] sda2[0]
34435200 blocks [2/1] [U_]
[=========>...........] recovery = 48.2% (16607936/34435200) finish=52.0min speed=5706K/sec
Things you never want to see first thing in the morning:
kernel: Out of Memory: Killed process 18592 (mysqld)
You also hate to see the kernel have to whack 134 processes trying to get a hold of enough memory to operate.
Sometimes the bold talk of company executives doesn't really match up with what you see on the "front lines." But hey, that's why they get paid the big bucks, right?
A little birdie:
...tomorrow Activision is going to announce that DOOM 3 has been shipped to retailers.
I guess that's like, big or something.
Today Comcast shows up to install a cable modem. Next month my year of SBC DSL is up and I can give them the finger cancel my service.
Update: Well, it's a bit spotty right now. Hopefully it's just early rollout jitters...still, even when it sucks it's better than what I had with DSL.
