Recently in HOWTO Category

HOWTO: "Fix" Secure LDAP in PHP


Preface: I am not an expert in encryption, SSL, or LDAP. Your install may be functioning just fine and you don’t need any of this information. You use this at your own risk as it may be completely wrong. That being said, it worked for me.

Making a secure (ldaps) connection in PHP (php-4.3.9-3.8) on Red Hat Enterprise Linux AS release 4 (Nahant Update 1) will fail on ldap_connect (Error -1: Can’t connect to LDAP server) if the server’s certificate cannot be verified. Due to the release of a new intermediate certificate from Verisign, it is likely that your install of openssl does not have that intermediate cert, so openssl will report that there is a self-signed certificate in the chain (error -19). If you recently bought a certificate from Verisign you will not find much in the way of help for dealing with LDAP, PHP, or openssl.

The answer with web servers is generally well documented, and the intermediate certificate is made available to the server to send to the client. This is good because it means that 8 trillion web browsers don’t generally need to be updated to use SSL.

It should also be noted that it is probably best to “fix” this issue at the server level rather than the client because each and every client would need to be fixed as opposed to just fixing the server once. If you do not have access to the server to fix it, this should work for you.

  1. Obtain a copy of the Verisign intermediate certificate. Save it as a text file on a system where you can run openssl binaries.

  2. Convert from PEM to ca-bundle format. Save this output as you may need to do the next few steps on multiple servers.

    #!/bin/sh
    # Usage: ./pem2bundle.sh intermediate.pem >> ca-bundle.crt
    # Emits one certificate in the ca-bundle.crt layout: friendly name, a line
    # of equal signs under it, the fingerprint, then the PEM block and its text.
    if [ $# -ne 1 ] || [ ! -r "$1" ]; then
        echo "usage: $0 certificate.pem" >&2
        exit 1
    fi
    # Friendly Name: the CN taken from the Subject line
    name=$(openssl x509 -in "$1" -text -noout | \
        sed -n -e '/^[ ]\+Subject:/{s/^.*CN=\([^,]*\).*/\1/;p}')
    echo "$name"
    # Underline Friendly Name with equal signs
    echo "$name" | sed -e 's/./=/g'
    # Output Fingerprint and swap = for :
    openssl x509 -in "$1" -noout -fingerprint | sed -e 's/=/: /'
    # Output PEM Data:
    echo 'PEM Data:'
    # Output Certificate
    openssl x509 -in "$1"
    # Output Certificate text, swapping Certificate with Certificate Ingredients
    openssl x509 -in "$1" -text -noout | sed -e 's/^Certificate:/Certificate Ingredients:/'

  3. Locate and back up your ca-bundle.crt

    Running locate ca-bundle.crt should show you where on your system this file lives. On RHEL, /usr/share/ssl/cert.pem is also symlinked to your ca-bundle.crt.

  4. Append the converted intermediate certificate to your ca-bundle.crt file.

    You can now test using the openssl command:

    openssl s_client -host your.ldap.edu -port 636 -CAfile /usr/share/ssl/certs/ca-bundle.crt

    A Verify return code: 0 (ok) is what you are looking for.

  5. Configure OpenLDAP on the system that PHP is running on to use your ca-bundle.crt.

    Locate your ldap.conf for OpenLDAP. On RHEL it is /etc/openldap/ldap.conf.

    Add the following: TLS_CACERT /usr/share/ssl/cert.pem (which on RHEL is a symlink to ca-bundle.crt). Thanks to Rutgers for this tidbit.

  6. Restart httpd.

PHP should now successfully connect securely to your LDAP server.
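The step 4 check is the one that tells you whether the bundle fix actually took. As an added example that is not part of the original post, the script below parses openssl s_client output (constructed sample; the host and CA names are placeholders) and, when the verify code is not 0, names the issuer at the top of the chain the server sent, which is the certificate your ca-bundle.crt still lacks.

```shell
#!/bin/sh
# Added example (not from the original post): parse `openssl s_client` output to
# tell whether the LDAPS chain verified against the CA bundle and, if not, which
# issuer the bundle is missing. Hostnames and CA names below are constructed.

# Constructed excerpt of the step-4 check, as seen before the intermediate is
# appended to ca-bundle.crt.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 /C=US/O=Example CA Inc./CN=Example Root CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=US/O=Example University/CN=ldap.example.edu
   i:/C=US/O=Example CA Inc./CN=Example Intermediate CA
 1 s:/C=US/O=Example CA Inc./CN=Example Intermediate CA
   i:/C=US/O=Example CA Inc./CN=Example Root CA
---
    Verify return code: 19 (self signed certificate in certificate chain)
---'

# Print the numeric "Verify return code" from s_client output on stdin (0 = ok).
verify_code() {
  sed -n 's/^[[:space:]]*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Print each cert the server sent as "depth|subject|issuer", leaf first.
chain_entries() {
  awk '/^ *[0-9]+ s:/ { d = $1; sub(/^ *[0-9]+ s:/, ""); s = $0 }
       /^ *i:/        { sub(/^ *i:/, ""); print d "|" s "|" $0 }'
}

# Summarise: return 0 when the chain is trusted; otherwise name the issuer of
# the last cert the server sent, which is what the local CA bundle must contain.
diagnose() {
  out=$(cat)
  code=$(printf '%s\n' "$out" | verify_code)
  if [ "$code" = "0" ]; then
    echo "OK: chain verified against the CA bundle"
    return 0
  fi
  top=$(printf '%s\n' "$out" | chain_entries | tail -n 1 | cut -d'|' -f3)
  echo "FAIL: verify return code ${code:-missing}; trust store lacks: $top"
  return 1
}

# Offline demonstration on the constructed output above; the live check is:
#   openssl s_client -host your.ldap.edu -port 636 \
#     -CAfile /usr/share/ssl/certs/ca-bundle.crt </dev/null | diagnose
printf '%s\n' "$SAMPLE_OUTPUT" | diagnose || true
```

Run the live form before and after appending the intermediate: the FAIL line should name the Verisign issuer first, and the OK line should appear once the bundle contains it.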

Errata

Added restart of httpd (2005-09-10 11:52:00)

This HOWTO is incredibly similar to the docs for the KeyWordList plugin itself. I only add how to incorporate the MTIfEmpty plugin so you don't have to worry about blank output when you haven't entered any keywords on some of your posts.

First you need some MT plugins.

Now you need to modify the template where you want the tags to appear. It needs to be inside an <MTEntries> block.

<MTIfNotEmpty expr="[MTKeyWordList]1[/MTKeyWordList]">
Flickr tags: 
<MTKeyWordList>
<a href="http://flickr.com/photos/tags/<$MTKeyWord$>" rel="tag"><$MTKeyWord$></a> 
</MTKeyWordList>
</MTIfNotEmpty>

The MTIfNotEmpty is used to check for the existence of one or more keywords. If you don't have any keywords, you probably don't want to have any output (a dangling 'Flickr tags:' in my case). MTKeyWordList will then loop over all your keywords for that post and, in this case, make links to Flickr tags. You can obviously make links to other services (Technorati, del.icio.us, etc.) and you can do anything you want HTML-wise. I'm sure all the semantic web weenies would be screaming about how I'm not using a list for what clearly is a list. That is, if anyone read this of course.

I'm using this in MT 3.15 and I've used similar hacks in MT 2.5x - 2.6x. So you should be good to go.

About this Archive

This page is an archive of recent entries in the HOWTO category.


Powered by Movable Type 4.01