Howto:WindowsConsole

From 389 Directory Server

Windows Console

Fedora Directory Server provides a console package for use on Windows, in the form of a file called FedoraConsole.msi.

Building

Prerequisites:

  • Windows Installer XML (WiX) toolset - http://wix.sourceforge.net/
  • NSPR DLL libraries
  • NSS DLL libraries, and the certutil and pk12util commands
  • JSS DLL and JAR
  • LDAPJDK JAR
  • idm-console-framework JAR files
  • fedora-idm-console JAR file
  • Optional - The Windows Support Tools package for your platform
    • The build will use the bitsadmin program from this package to download packages if available
  • The nmake command - usually provided with the Visual Studio or Visual C++ or Windows SDK packages

Source:

Build: The build uses a regular CMD shell - no cygwin, msys, etc. are required.

  • open a CMD window
  • cd to the directory containing the source, then to the "win" subdirectory
  • nmake help - will give you some basic instructions as well as information about how to specify the local path to NSPR, NSS, etc. if the download fails
  • nmake download - will attempt to download the prerequisites listed above using bitsadmin from the Support Tools package - it tries to use c:\program files\support tools\bitsadmin
  • nmake layout - will create the layout used for packaging
  • nmake all - will create the FedoraConsole.msi package

The FedoraConsole.msi and other files built by nmake will be found in the build.PLATFORM directory, where PLATFORM by default is WINNT5.0_OPT.OBJ.

Firewall Information

You may have to punch two or three holes in the firewall (iptables) before the Windows Console will work.

This can happen when SELINUX is set to "disabled" but SELINUXTYPE is set to "targeted" in /etc/sysconfig/selinux; not sure why.

# cat /etc/sysconfig/selinux
SELINUX=disabled
SELINUXTYPE=targeted

One hole is for port 389 (ldap), one is for port 636 (ldaps, needed only if using TLS/SSL with the console; see below), and the other is for the admin server port (9830 by default).

# vi /etc/sysconfig/iptables

Add two or three lines (the port 636 rule is needed only if you use TLS/SSL with the console):

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT

Then restart the firewall:

# service iptables restart
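
Rule placement matters here: iptables evaluates a chain in order, so an ACCEPT rule appended after a chain's closing REJECT rule never matches. The script below is an added example, not part of the original page; it inserts the rules above ahead of that REJECT rule and skips any already present. It assumes the chain ends in a REJECT rule, as in the stock Red Hat layout; the function names are hypothetical and the sample rules file is constructed.

```sh
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
CHAIN="RH-Firewall-1-INPUT"

# Constructed sample in the layout of /etc/sysconfig/iptables.
sample_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:$CHAIN - [0:0]
-A INPUT -j $CHAIN
-A $CHAIN -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A $CHAIN -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# The rule line from the page for one port.
rule_for() {
    printf '%s\n' "-A $CHAIN -m state --state NEW -m tcp -p tcp --dport $1 -j ACCEPT"
}

# add_console_rules FILE USE_TLS(yes|no): rewrite FILE so the console rules
# sit before the chain's REJECT rule. Port 636 is added only when USE_TLS=yes.
add_console_rules() {
    file=$1
    ports="389 9830"
    if [ "$2" = yes ]; then ports="389 636 9830"; fi
    if ! grep -q -- "^-A $CHAIN .*-j REJECT" "$file"; then
        echo "no REJECT rule in $CHAIN; edit $file by hand" >&2
        return 1
    fi
    new=""
    for p in $ports; do
        r=$(rule_for "$p")
        # -x -F: exact whole-line match, so an existing rule is not duplicated
        grep -qxF -- "$r" "$file" || new="$new$r
"
    done
    if [ -z "$new" ]; then return 0; fi
    tmp=$(mktemp) || return 1
    # Emit the missing rules once, just before the first REJECT rule.
    NEW_RULES=$new awk -v chain="$CHAIN" '
        !seen && $1 == "-A" && $2 == chain && /-j REJECT/ {
            printf "%s", ENVIRON["NEW_RULES"]; seen = 1
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run it against a copy of /etc/sysconfig/iptables first and review the result before restarting the firewall.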

TLS/SSL

By default, the console expects your key and cert database files in $HOME/.fedora-idm-console. On Windows, this is usually something like C:\Documents and Settings\<username>\.fedora-idm-console. So when you use the NSS command line utilities like certutil and pk12util, use the -d argument like this:

certutil -A -d "C:\Documents and Settings\<username>\.fedora-idm-console" -n "CA Certificate" -t CT,, -i cacert.asc -a

This example adds the CA cert from the file cacert.asc, which is encoded in ASCII (PEM) format. Your Console running on Windows should now be able to use https and ldaps.