ClearOS LDAP and remote clients.

April 12th, 2018

ClearOS is a great server with multiple web-based management tools. It also has an OpenLDAP directory server, and I needed to make it work for another PHP app on my LAN. Getting apps to use the ClearOS directory server is not too bad if you're running on a localhost install, but remote access is difficult. All the information you need is out there, but not all in one place. Here is what I learned.

I wanted it to be done with TLS, more for my own satisfaction than anything. TLS works best if you have a certificate that matches the DNS record of your server. I started by creating a self-signed cert with openssl. There are many ways to do this, but I used:

openssl req -x509 -newkey rsa:4096 -keyout ldapkey.pem -out ldapcert.pem -nodes -days 3650

Answer the questions however you like, but remember the CN should be your LDAP server's DNS name.

Next task is to get slapd to use the cert. In /etc/openldap/slapd.conf I set

TLSCACertificateFile /etc/openldap/cacerts/ldapcert.pem
TLSCertificateFile /etc/openldap/cacerts/ldapcert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/ldapkey.pem
TLSVerifyClient never

and put the cert files generated by openssl in the appropriate places.

In order to get slapd running I also had to comment out lines like

#TLSCACertificatePath /etc/pki/nssdb
#TLSCertificateFile Server-Cert

Then on the ClearOS Dashboard you need to set the Directory Server Publish Policy to ‘Local Network’

On the client most tools will be querying the openldap config. For Fedora, which was my client OS, that is in /etc/openldap.

Firstly I needed to install the ldapcert.pem file into /etc/openldap/certs.

Next you need to create a symlink whose name is the hash of the cert. Fortunately there is a tool, and running cacertdir_rehash /etc/openldap/certs will do the job for you.

Next in /etc/openldap/ldap.conf you need to add some lines

TLS_CACERTDIR /etc/openldap/certs

There is a lot of nonsense on the internet suggesting the use of TLS_REQCERT. I'd suggest you read the ldap.conf manpage, because it seems no-one else has.

Mine is using ‘demand’ (the default) with a self signed cert and is fine.
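As an added example (not code from the original post), here is a small POSIX shell script that audits the client-side settings just described the way ldap.conf(5) defines them: it reads an ldap.conf, reports TLS_REQCERT values that skip or weaken certificate verification (never, allow, try), checks that a trust anchor (TLS_CACERT or TLS_CACERTDIR) is configured for the demand default, and checks that a TLS_CACERTDIR actually contains the hash-named links that cacertdir_rehash creates. The check_ldaps function at the end shows the openssl and ldapsearch probes I would run against the server once the client is configured. The sample configs, the temporary directory and the 0123abcd.0 file standing in for a real hash link are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post.
# audit_ldap_conf FILE: print one finding per line for the OpenLDAP client
# TLS settings in FILE; return 0 when nothing is wrong, 1 otherwise.
# Semantics follow ldap.conf(5): TLS_REQCERT defaults to "demand".
audit_ldap_conf() {
    conf="$1"
    rc=0
    # Keys are case-insensitive; a '#' glued to the key token excludes comments.
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT" {print tolower($2)}' "$conf" | tail -n 1)
    cafile=$(awk 'toupper($1)=="TLS_CACERT" {print $2}' "$conf" | tail -n 1)
    cadir=$(awk 'toupper($1)=="TLS_CACERTDIR" {print $2}' "$conf" | tail -n 1)

    case "${reqcert:-demand}" in
        never|allow)
            echo "TLS_REQCERT $reqcert: the server certificate is not checked, so the session can be intercepted; remove the line (default is demand)"
            rc=1 ;;
        try)
            echo "TLS_REQCERT try: a server that presents no certificate is still accepted; use demand"
            rc=1 ;;
        demand|hard)
            ;;
        *)
            echo "TLS_REQCERT $reqcert: unknown value"
            rc=1 ;;
    esac

    if [ -z "$cafile" ] && [ -z "$cadir" ]; then
        echo "no TLS_CACERT or TLS_CACERTDIR: a self-signed server certificate has no trust anchor and will be rejected under demand"
        rc=1
    fi

    # A CA directory only works if it holds <hash>.N links (cacertdir_rehash).
    if [ -n "$cadir" ] && [ -d "$cadir" ]; then
        set -- "$cadir"/*.0
        if [ ! -e "$1" ]; then
            echo "TLS_CACERTDIR $cadir has no hash-named links; run: cacertdir_rehash $cadir"
            rc=1
        fi
    fi
    return $rc
}

# check_ldaps HOST CADIR: probe a remote directory over ldaps the way a client
# with the settings above would. Needs network access, so it is not run here.
check_ldaps() {
    host="$1"; cadir="$2"
    # Fail the handshake on any verification error, and send SNI so the
    # name in the certificate is compared against HOST.
    openssl s_client -connect "$host:636" -servername "$host" \
        -CApath "$cadir" -verify_return_error </dev/null >/dev/null || return 1
    # Anonymous read of the root DSE; only succeeds if TLS verification passed.
    ldapsearch -H "ldaps://$host" -x -b '' -s base '(objectClass=*)' namingContexts
}

# Demonstration on constructed files; a real audit points at /etc/openldap/ldap.conf.
demo=$(mktemp -d)
mkdir "$demo/certs"
: > "$demo/certs/0123abcd.0"   # stand-in for the <hash>.0 link cacertdir_rehash would create
printf 'TLS_REQCERT never\n' > "$demo/weak.conf"                # constructed: the advice to avoid
printf 'TLS_CACERTDIR %s\n' "$demo/certs" > "$demo/good.conf"  # constructed: what the post ends up with
echo "== weak.conf"; audit_ldap_conf "$demo/weak.conf" || echo "-> needs fixing"
echo "== good.conf"; audit_ldap_conf "$demo/good.conf" && echo "-> ok"
rm -rf "$demo"
```

The weak config produces two findings (verification disabled, no trust anchor) and the good one none, which is the point of the post: with the self-signed cert installed and rehashed under TLS_CACERTDIR, the demand default just works and TLS_REQCERT never needs to be set.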

In order to test Apache's ability to let a PHP app connect to an LDAP server I slightly modified the PHP script from


<?php
// using ldap bind
// ldap rdn or dn
$ldaprdn  = '<ClearOS BIND DN>';

// associated password
$ldappass = '<ClearOS BIND PASSWORD>';

// set the script to print debug info (libldap writes it to stderr)
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

// connect to ldap server
$ldapconn = ldap_connect("ldaps://<servername>:636")
    or die("Could not connect to LDAP server.");

// set php_ldap to use ldapv3 as default is v2
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

if ($ldapconn) {

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }

    // release the connection
    ldap_unbind($ldapconn);
}


and you can test your client configuration by running php-cgi -f .php

It has LDAP debugging on, so you will be able to read all sorts of output to do with the TLS connection, which I found immensely useful. You should also test it by hitting the web server too: put the script in the webroot and fetch it with curl. If you are getting errors here then check the web server and PHP logs.

Finally, I was using php-fpm on my RHEL server; it has a separate php-fpm.service that needs to be restarted along with httpd to pick up any new OpenLDAP reconfiguration on the client. Also, if you are running SELinux in enforcing mode you will need to run
setsebool -P httpd_can_network_connect 1

Playing with Openshift Online Starter 3 – Installing Ampache

October 13th, 2017

Here's a blog outlining how to run Ampache on the Openshift Online Starter 3 platform. It assumes a degree of familiarity with Openshift and its resources.

First, in a new project, create a new PHP 5.6 application from the Ampache git repo. In the advanced options enable TLS.
Then, using the add to project menu and browsing the storage catalogue, add a mariadb with persistent storage.

When the pods are ready navigate to the exposed route for ampache and run the Ampache deployment wizard which will create the ampache.cfg.php file. You will need to know the mariadb secrets for the root account password and the user.

When it’s all running review the ampache.cfg.php file in the ampache pod by using the terminal. At this point if the pod goes away for any reason (scaling to 0 or node errors) the config file will be lost.

Create a config map with a key named ampache.cfg.php and put the contents of the config file in the pod in the key value. I copied the config file from git and manually made the changes as it’s only the db information that needs to be changed.

Scale the ampache deployment down to 0.

Edit the deployment configuration for the ampache app to add the config map as a volume. The mount point for my pod was /opt/app-root/src/config. Note that if the other files existing in that directory go missing, Ampache will still run, as they are only used as templates for headers.

Saving the config will cause a new pod to be built. I had issues with getting the new pod running due to the small quota limit in the free starter account which is why I would recommend scaling the existing pod to 0 before the deployment build is running. Then, when the deployment has finished, rescale the ampache pod back up to 1.
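As an added example, not from the original post or the Ampache project, here is the same procedure as oc commands, which is what the console does behind the scenes: publish the config file as a ConfigMap under the key ampache.cfg.php, scale to 0 before the config change triggers a new deployment (the quota workaround above), mount the ConfigMap at the path from the post, then scale back up. The names ampache (DeploymentConfig) and ampache-config (ConfigMap) are assumptions, and check_ampache_cfg is a pre-flight that refuses to publish a file whose database settings are still empty; its key names are the database_* keys I recall from Ampache's sample configuration, so treat them as an assumption too. The sample config files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the Ampache project.
APP=ampache                           # assumed DeploymentConfig name
CONFIGMAP=ampache-config              # assumed ConfigMap name
MOUNT_PATH=/opt/app-root/src/config   # mount point seen in the post's pod

# check_ampache_cfg FILE: return 0 only if every database_* key has a
# non-empty quoted value, so an unfinished config never reaches the cluster.
# Key names assumed from Ampache's sample ampache.cfg.php.
check_ampache_cfg() {
    cfg="$1"
    rc=0
    for key in database_hostname database_name database_username database_password; do
        val=$(awk -F'"' -v k="$key" '$0 ~ "^[ \t]*" k "[ \t]*=" {print $2; exit}' "$cfg")
        if [ -z "$val" ]; then
            echo "$cfg: $key is not set"
            rc=1
        fi
    done
    return $rc
}

# publish_config FILE: store FILE in the ConfigMap, scale the app to 0,
# mount the ConfigMap at MOUNT_PATH and scale back up once the new
# deployment has rolled out. Requires a logged-in oc session, so it only
# runs when this script is invoked with "publish".
publish_config() {
    cfg="$1"
    check_ampache_cfg "$cfg" || return 1
    # Re-running requires deleting the old ConfigMap first.
    oc create configmap "$CONFIGMAP" --from-file="ampache.cfg.php=$cfg"
    oc scale "dc/$APP" --replicas=0
    # Adding the volume changes the DeploymentConfig and triggers a rollout.
    oc set volume "dc/$APP" --add --name=ampache-cfg --type=configmap \
        --configmap-name="$CONFIGMAP" --mount-path="$MOUNT_PATH"
    oc rollout status "dc/$APP"
    oc scale "dc/$APP" --replicas=1
}

case "${1:-}" in
    publish) publish_config "$2" ;;
    check)   check_ampache_cfg "$2" ;;
esac
```

Usage: ./publish.sh check ampache.cfg.php to validate, ./publish.sh publish ampache.cfg.php to deploy. Because the file carries the database password, on anything but a throwaway project I would store it as a Secret rather than a ConfigMap: oc create secret generic takes the same --from-file argument, and oc set volume --type=secret --secret-name=... mounts it at the same path.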


I would expect it to be possible to create the mariadb deployment and the config map before the ampache build but I’m not sure how the database would be populated in that scenario.

You can't really expect to put any music in the deployment on the free account, as you only have one persistent volume and that's being used by mariadb. Ampache allows you to have another Ampache instance as a music source, and I used that to test. You could possibly put some music in the ampache pod, but with only 1 GiB of space you'd have to keep doing it on every pod deployment. To do it at deployment you'd need to have the music in the git repo that you clone the code from. Also there will be no transcoding.

William’s Snug

June 29th, 2014

Many of our friends will know that our boy now has an ‘official label’ of Asperger’s Syndrome; we decided that this label helped us access the help and support that would help us help him.


One of the things that was recommended was a safe snug area that he can enclose himself in if the environmental stimulus gets too much.


We are lucky in that in his bedroom he has an alcove window, so we could enclose him in.

After discussion with the boy he decided that under the sea would be calming.

So here are the curtains I’ve finally finished!


Due to the location I can’t photograph the whole curtains as the boy sees them. But hopefully you’ll see the general impact.


Miracles, why not more?

February 5th, 2011

(NASB) Matthew 11:23 “And you, Capernaum, will not be exalted to heaven, will you? You will descend to Hades; for if the miracles had occurred in Sodom which occurred in you, it would have remained to this day.

I love the bits in the Bible where Jesus appears to go off on an absolute benny. Here he is laying into Capernaum just after he’s had a pop at a couple of other places and blasted the crowd over their treatment of John. Comparing cities to Sodom is tantamount to likening people to Hitler in the modern fashion. Jesus’s anger is because he’s been living there since Matthew 4. Matthew himself was from Capernaum, and a few other disciples besides; also a whole bunch of teachings were brought to the city. The upshot of this was apparently a city which resolutely remained faithless.

Some people, among whom I was once included, seem to think that if they were to gain a spiritual gifting then life would become plain sailing; after all, who could deny the existence of God and a loving saviour if, once prayed for, their leg grew back or insomnia was cured or they suddenly got a lot of money? The painful truth is: practically everybody. People, if so determined, will make their own answers up even if given the right one. Coincidence, triumph of will or aliens will be offered up as fulfilling the criteria for the event. The truth is people are only saved by responding to the call of God. This is why we must not rely on healing ministries, debt counselling or other compassionate works (all of which are right and the church should do) to save people and increase the Church, but on good teaching of the gospel and building people’s relationships with Jesus.


January 5th, 2011

Our new connect group for the hard of committing has a website. We’re going to try flashmobbing a small group meeting and see if it works; see here

But Know

September 5th, 2010

Psalm 4:3 NASB “But know that the LORD has set apart the godly man for himself; The LORD hears when I call to him”

These are simple truths. Firstly the LORD sets apart the righteous. The righteous don’t set themselves apart. They are chosen and appointed. They are set aside for himself, for LORD AND LORD ALONE. The godly man is not some temp, calling in for a season. Farmed out to other masters as and when the need arises. The LORD hears when I call him. He is not some distant benefactor, or master who sends out decrees, he has compassion and takes interest in his people. Neither is he powerless like the gods of men. A mute symbol of fertility or possession, our LORD has power and authority to work. Remembering and digesting the simplest truths such as these can encourage, empower and sustain a believer.

Do not lose heart

August 26th, 2010

2 Cor 4:16 NASB “Therefore we do not lose heart, but though our outer man is decaying, yet our inner man is being renewed day by day”

This is truly a verse worth celebrating, especially for a vain man such as myself. The ravages of age come to all of us and sometimes we pine for our youthfulness, yet Paul gives us something to hold onto for the future: not only will we be getting new bodies at the last trump, but for the time being we are renewed day by day.
This small phrase also alludes to that much bigger theology of the age of the kingdom of heaven. Many preachers use the explanation that the kingdom is “now, but not yet”; indeed, if the kingdom of God had come in its fullness then surely we should have no decay, and had the kingdom not come at all then by what method could we possibly be renewed?
This verse gives us comfort and strength when we see our Christian brothers and sisters weakening. In reading about John Wimber’s last years, many writers were struck by his frailty and stiffness of gait, and yet were repeatedly in awe of the power and peace of his teaching. I’m sure, if maybe not from this verse then from the many others which are like it, it is because John would have stood on this promise.

You too Aaron

August 23rd, 2010

“Psalm 115:12 The Lord has been mindful of us; He will bless us; He will bless the house of Israel; He will bless the house of Aaron”

You would think that the house of Aaron, being the lineage of the priesthood, would be quite able to count themselves amongst the house of Israel and therefore count themselves amongst the blessed. But it’s never that straightforward. Reading in Exodus 28 we see that Aaron and his sons get given fine garments befitting the high priest, and it adds that Aaron’s will have gold bells around the hem, “and its tinkling shall be heard when he enters and leaves the place before the Lord, so that he will not die” v35
In chapter 29 you get the small matter of the sacrifices. What sacrifices had the house of Aaron made from the time of the consecration of the tabernacle to the time David penned his psalm? As the people kept sinning and returning, the sacrifices would have kept being made, and the house of Aaron, I don’t doubt, would have occasionally looked on at the house of Israel and thought “how many more sacrifices must I do? How much more can they possibly sin? When is my rest?”. It was then, as I would put it, A Tough Gig.
What of today? Our house of Aaron, I would argue, is any Christian who sets themselves before Jesus and truly says “I am a servant to the Lord”. The sacrifices they make to the sinners in the House of Jesus seem as unending as those of the ancient priesthood, and as involved, bloody, smelly and wearisome as any animal sacrifice. But those David singles out, and sings over them a special blessing.

All those moments will be lost in time, like tears in the rain.

July 14th, 2010

Psa 56:8 NASB – You have taken account of my wanderings; Put my tears in Your bottle. Are they not in Your book?

“Time is the greatest healer” is a phrase often used to comfort people who are suffering or have recently suffered. Although I wonder if people confuse the saying with “Forgive and Forget”, the subtext seemingly being “After a period the pain will be a memory and memories can be forgotten”. The sufferer certainly can’t take much comfort from a statement like that. What if the memory isn’t forgotten? What if the sufferer doesn’t want to forget? In the second case the ravages of time may come and steal the memory anyway, giving the sufferer cause to fear time itself.
David, however, understands suffering and knows God. He had plenty to shed tears over: chased by an army, leading a country, personal loss, promises of God having to be worked out through trials and battles, strength and guile. But David does not turn to Time and wait for his comfort; he turns to God, knowing every arduous step and every tear shed is shared, watched and remembered full of compassion by no less than the author of the Universe. Also for us, when the time comes and the last tear is wiped away the record will be opened; the believer can point to them as being a true account of life and love and loss, and certainly reap with joy knowing all is overcome.


July 6th, 2010

“Ask a sign for yourself from the LORD your God; make it deep as Sheol or high as heaven.”
But Ahaz said, “I will not ask, nor will I test the LORD!” Isaiah 7:11 & 12

What outrageous contempt! Ahaz, King of Israel, under the threat of invasion, rejects God’s outstretched hand like a petulant child, preferring to subject himself to the King of Assyria in exchange for aid against the aggressor. As far as choices go this seems singularly stubborn, obviously contrary, without equal in its attempt to cause maximum offence. The Lord here offers not only a promise of safety for his land with the eventual overthrow of the army, but is also prepared to back it up instantly with a demonstration of power through whatever miracle Ahaz can invent. Not many get such a blank canvas. Our minds can probably race full of ideas of what we would ask of God given such an opportunity. And yet Ahaz says “I will not ask”, and he throws in some scripture for good measure as if that excuses his behaviour. A scripture, incidentally, we all know and can quote from another message concerning the misuse of scripture.

God does not endure this contempt. He does not hold back and Ahaz gets what’s coming to him.

Then he said, “Listen now, O house of David! Is it too slight a thing for you to try the patience of men, that you will try the patience of my God as well? “Therefore the Lord Himself will give you a sign: Behold, a virgin will be with child and bear a son, and she will call His name Immanuel.”
“He will eat curds and honey at the time He knows enough to refuse evil and choose good.” Isaiah 7:13-15

There cannot possibly be a Christian who reads that and doesn’t think along the lines of “That’s my Saviour, that’s my Lord, that’s the one who broke my chains, set me free, blessed me with every blessing, walks alongside me, my joy, my comfort, my strength, my Jesus”. It shouts through heaven and history. God’s sign of his love for us, the proof of his willingness to keep us secure, is that he came amongst us as Immanuel, God with us. As a man, eating real food, living a real life, knowing the choices that need to be made. Understanding humanity from the inside.

To ourselves then, what can we apply? We must look at ourselves honestly. It is with gladness I can say I am not like Ahaz, for he was one of the worst, and yet I do not have to go far before I find a place where I have put my assurance in something worldly over that which God offers. Where is my security? Where is my sense of belonging? Where do I go for comfort? Where do I feel best regarded? Where do I go to fulfil my wants? Is it always to God?

Ahaz, in full possession of the facts, made his choice in 2 Kings 16:17 “So Ahaz sent messengers to Tiglath-pileser king of Assyria, saying, “I am your servant and your son; come up and deliver me from the hand of the king of Aram and from the hand of the king of Israel, who are rising up against me.”

We as Christians, however, have our sign. Greater than anything Ahaz could have thought of given his opportunity. It is our assurance that we can safely put down those things we go to, thinking they will help, and find the reality of security with God.