Cyrus,

I'm having trouble accessing group calendars.  So far I've implemented a
custom directory service tied to my application, but when a member tries
to access their group's calendar, I get a "403 Forbidden" response.  The
custom directory service is properly returning the set of members for the
group and then the DirectoryRecords for each member in the group.  I've
verified that the groupMembers() method in principal.py returns the
proper DirectoryPrincipalResources of the members as well.  I don't know
if it's an issue with the directory service, but I thought I'd mention it
anyway.

Can someone please explain what I'm missing?

To check whether principals and group memberships are setup properly, use a browser and view the /principals hierarchy there. When you click on a principal the server will generate an HTML page with some (really) useful information on it. So check that your groups do appear under /principals and that their membership looks right. Also check the regular principals that are members of a group to verify they show themselves as belonging to it.

If the principal all look OK, then next thing to check is the ACLs on the resources you are trying to access. For that you may need to probe with a WebDAV client that allows you to inspect the ACL property (you will likely need to do that as the admin user).

As always, I really appreciate your quick response.  I think I'm on the right track now at least, but unfortunately, I haven't figured this one out on my own.  For example, when I try to view my group principal in the browser, I get the following error (or vice versa on the user principal):

Unhandled Error
        Traceback (most recent call last):
          File "/Users/admin/Developer/Collaboration/Twisted/twisted/internet/defer.py", line 191, in addCallback
            callbackKeywords=kw)
          File "/Users/admin/Developer/Collaboration/Twisted/twisted/internet/defer.py", line 182, in addCallbacks
            self._runCallbacks()
          File "/Users/admin/Developer/Collaboration/Twisted/twisted/internet/defer.py", line 317, in _runCallbacks
            self.result = callback(self.result, *args, **kw)
          File "/Users/admin/Developer/Collaboration/Twisted/twisted/internet/defer.py", line 663, in unwindGenerator
            return _deferGenerator(f(*args, **kwargs))
        --- <exception caught here> ---
          File "/Users/admin/Developer/Collaboration/Twisted/twisted/internet/defer.py", line 623, in _deferGenerator
            result = g.next()
          File "/Users/admin/Developer/Collaboration/CalendarServer/twistedcaldav/extensions.py", line 269, in gotProperties
            property = property.getResult()
          File "/Users/admin/Developer/Collaboration/Twisted/twisted/internet/defer.py", line 609, in getResult
            self.result.raiseException()
          File "/Users/admin/Developer/Collaboration/Twisted/twisted/python/failure.py", line 259, in raiseException
            raise self.type, self.value, self.tb
        exceptions.AssertionError: Not an element: <DirectoryPrincipalResource: /Users/admin/Developer/Collaboration/CalendarServer/data/principals/users/keating>

I'll keep looking into it on my own, but thought I'd throw this error message back to you first, in case the problem becomes apparent and you've got a quick answer.  Plus the ACLs all look okay, but I have no experience with ACLs.  Which ACE does a group's member fall under?

Thanks,
- Tyler Keating