Re: [CalendarServer-users] Users in LDAP: restrictEnabledRecords not working?
Actually, the LDAP implementation for the restrictToGroup feature is pretty broken. I just checked in a fix:
https://trac.calendarserver.org/changeset/9741/CalendarServer/trunk

On Aug 23, 2012, at 8:43 AM, Morgen Sagen <morgen@apple.com> wrote:
This looks like a bug. The LDAP server we test against has an LDAP attribute specifically for nested groups, so we've not run into this problem. If you want to fix ldapdirectory.py by hand you could add "nestedGroups = []" just above the "if len(result) == 1" line in the restrictedGUIDs( ) method, and make sure the new line is at the same indention as the "if" statement. I'll fix this in svn.
On Aug 23, 2012, at 8:32 AM, tobiasbp <tobiasbp@gmail.com> wrote:
I'm running calendarserver 3.2 with the packages available in Debian Wheezy (Unstable). I have my users and groups in LDAP.
I can list my users and groups using the command "calendarserver_manage_principals".
I would like to restrict calendar users to members of group "calendar_admins".
I update my caldavd.plist like this:
<key>restrictEnabledRecords</key>
<true/>
<key>restrictToGroup</key>
<string>calendar_admins</string>
After the change, I can no longer list my users:
su caldavd -p -c "calendarserver_manage_principals --list-principals users"

Traceback (most recent call last):
  File "/usr/bin/calendarserver_manage_principals", line 32, in <module>
    main()
  File "/usr/lib/python2.7/dist-packages/calendarserver/tools/principals.py", line 303, in main
    records = list(config.directory.listRecords(listPrincipals))
  File "/usr/lib/python2.7/dist-packages/twistedcaldav/directory/aggregate.py", line 115, in listRecords
    records = self._query("listRecords", recordType)
  File "/usr/lib/python2.7/dist-packages/twistedcaldav/directory/aggregate.py", line 192, in _query
    *[a[len(service.recordTypePrefix):] for a in args]
  File "/usr/lib/python2.7/dist-packages/twistedcaldav/directory/ldapdirectory.py", line 320, in listRecords
    if self.restrictedGUIDs is not None:
  File "/usr/lib/python2.7/dist-packages/twistedcaldav/directory/ldapdirectory.py", line 525, in restrictedGUIDs
    self._cachedRestrictedGUIDs = set(self._expandGroupMembership(members, nestedGroups, returnGroups=True))
UnboundLocalError: local variable 'nestedGroups' referenced before assignment
Turning off restrictEnabledRecords again like this lets me list my users again:
<key>restrictEnabledRecords</key>
<false/>
Any ideas? Looks like a bug to me.
Yeah, you can't mix and match individual files from various versions. I recommend you don't try using restrictToGroup with LDAP until Debian can update the entire project to the new code.

On Aug 24, 2012, at 12:09 AM, tobiasbp <tobiasbp@gmail.com> wrote:
Actually, the LDAP implementation for the restrictToGroup feature is pretty broken. I just checked in a fix:
https://trac.calendarserver.org/changeset/9741/CalendarServer/trunk
I replaced the original version of ldapdirectory.py (On Debian Wheezy) with your new version of ldapdirectory.
Listing my users now throws this error:

Traceback (most recent call last):
  File "/usr/bin/calendarserver_manage_principals", line 32, in <module>
    main()
  File "/usr/lib/python2.7/dist-packages/calendarserver/tools/principals.py", line 250, in main
    config.directory = getDirectory()
  File "/usr/lib/python2.7/dist-packages/calendarserver/tools/util.py", line 141, in getDirectory
    BaseDirectoryService = namedClass(config.DirectoryService.type)
  File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 351, in namedObject
    module = namedModule('.'.join(classSplit[:-1]))
  File "/usr/lib/python2.7/dist-packages/twisted/python/reflect.py", line 339, in namedModule
    topLevel = __import__(name)
  File "/usr/lib/python2.7/dist-packages/twistedcaldav/directory/ldapdirectory.py", line 59, in <module>
    from twistedcaldav.directory.util import splitIntoBatches
ImportError: cannot import name splitIntoBatches

Looks like my version of twisted does not have "splitIntoBatches".
Maybe this section in the new code could be rewritten to not use "splitIntoBatches" for better compatibility?:

for batch in splitIntoBatches(valuesToFetch, self.batchSize):
    fields = []
    for value in batch:
        fields.append([attributeToSearch, value, False, "equals"])
    result = (yield self.recordsMatchingFields(fields, recordType=self.recordType_groups))
    results.extend(result)

Seems like that is the only code using "splitIntoBatches".
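
An added illustration, not CalendarServer code and not a patch for an installed package: the two points raised in this thread, a list that must be bound before the "if len(result) == 1" branch and group lookups issued in fixed-size batches, shown over a constructed in-memory directory. Every function name, the sample groups and the choice to return an empty set when the restricting group is missing are assumptions of this example.

```python
# Added example; hypothetical names throughout, not the project's API.

def split_into_batches(values, batch_size):
    """Yield successive lists of at most batch_size items."""
    values = list(values)
    for start in range(0, len(values), batch_size):
        yield values[start:start + batch_size]

# Constructed sample data: group -> (direct member GUIDs, nested group names)
DIRECTORY = {
    "calendar_admins": ({"guid-alice"}, ["ops", "helpdesk"]),
    "ops": ({"guid-bob"}, ["oncall"]),
    "helpdesk": ({"guid-carol"}, []),
    "oncall": ({"guid-dave"}, ["ops"]),  # nests back into ops (a cycle)
    "flat_group": ({"guid-erin"}, []),   # no nested groups at all
}

def fetch_groups(names):
    """Stand-in for one directory query matching any of the given names."""
    return [(n, DIRECTORY[n]) for n in names if n in DIRECTORY]

def restricted_guids(group_name, batch_size=2):
    """GUIDs permitted when access is restricted to group_name."""
    allowed = set()
    seen = {group_name}
    pending = []  # bound on every path, so a failed lookup cannot leave it undefined
    result = fetch_groups([group_name])
    if len(result) == 1:
        _, (members, nested) = result[0]
        allowed |= members
        pending = list(nested)
    while pending:
        # Drop groups already expanded so cyclic nesting terminates.
        todo = [g for g in dict.fromkeys(pending) if g not in seen]
        seen.update(todo)
        pending = []
        for batch in split_into_batches(todo, batch_size):
            for _, (members, nested) in fetch_groups(batch):
                allowed |= members
                pending.extend(nested)
    return allowed  # empty set when the group is missing: nobody is enabled

if __name__ == "__main__":
    print(sorted(restricted_guids("calendar_admins")))
```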