Setting permissions or ACLs on calendarserver.
I am currently running calendarserver on an OSX server and I am using XMLDirectoryService. I have figured out how to add Principals to the accounts.xml file. When I look at the server using a web browser I can see all the users' accounts. But when I browse to another user's calendar I cannot see their calendar. If I browse to my own calendar then I can see it just fine.

I am guessing that I need to configure something along the lines of ACLs. I cannot find any documentation that allows me to configure to allow a person to read or edit another user's calendar. Nor can I read another person's calendar. Is there documentation on how to set this up? I would use the Open Directory service but have not found out how to integrate it into our OD system.

-----------------------------------------------------------------------
MacCafe
5610 Monroe St.
Sylvania, OH 43613
Eric Naujock - ACSA 10.2, 10.3, 10.4
Apple Sales Professional
Phone: 419-885-1240 X 241
http://www.mac-cafe.com
e-mail: naujocke@mac-cafe.com
AOL IM: erlic
The server is set up such that a user's calendars are only readable by that user. This can be modified (by that user) using WebDAV ACLs, though there aren't really any clients around that do that, as far as I'm aware, and we don't have any tools for that at the moment, as we've been concentrating on the basic calendaring use cases and not on more complex configurations.

If you need to see other users' calendars, the only easy way to do that is to grant yourself administrative access on the server, but that lets you edit the calendars as well as view them, so it's not something you typically want to grant all users. You can do that in caldavd.plist; just add your principal URL to the list of admin principals.

-wsv

On May 18, 2007, at 1:56 PM, Mr. Eric Eugene Naujock wrote:
> I am currently running calendarserver on an OSX server and I am using XMLDirectoryService. I have figured out how to add Principals to the accounts.xml file. When I look at the server using a web browser I can see all the users' accounts. But when I browse to another user's calendar I cannot see their calendar. If I browse to my own calendar then I can see it just fine. I am guessing that I need to configure something along the lines of ACLs. I cannot find any documentation that allows me to configure to allow a person to read or edit another user's calendar. Nor can I read another person's calendar. Is there documentation on how to set this up? I would use the Open Directory service but have not found out how to integrate it into our OD system.
— Wilfredo Sánchez - wsanchez@apple.com Apple Inc. - Collaboration Services
> The server is set up such that a user's calendars are only readable by that user.
> This can be modified (by that user) using WebDAV ACLs, though there aren't really any clients around that do that, as far as I'm aware, and we don't have any tools for that at the moment, as we've been concentrating on the basic calendaring use cases and not on more complex configurations.
Do you mean that CalDAV ACLs are already implemented on the server side? As far as I remember, CalDAV ACLs are applicable not only on a calendar object (which is a collection of events in WebDAV terms) but ACLs can also be set event by event. Does Darwin Calendar Server implement this fully?

The only problem in exploiting this comes from the client side?
We believe that's the case. :-) That is, we've implemented it, and have some tests, but since we lack real clients that use it, it's hard to know for sure that the implementation is satisfactory as-is. Obviously, we'd love to see that change.

Note that some resources do not allow editing of ACLs. This may be true for some of the base hierarchy (e.g. /calendars), since we don't necessarily want to let those get into a "broken" state. Additionally, your home calendar will give you DAV:all access which is protected, meaning that you can't (that is, shouldn't be able to, unless there is a bug) remove that privilege from a calendar home's owner.

The strategy that we've been pursuing to date regarding ACL controls for calendar resources and their containers is to avoid doing ACL operations on individual calendar resources, and stick to editing ACLs for calendar collections. The server will allow you to do either, but I will bet that this will confuse some, if not many, clients. ACLs are presently still a pretty bleeding-edge concept, and I think getting too funky with them may be tricky.

So things like giving a friend read access to a calendar should be straightforward, but doing that for individual events has a lot of oddball corner-case issues, I think. We think the server does sane things here, but again, without real use cases, it's hard to know for sure, and I don't expect that clients will necessarily cope well.

Note also that we have a notion of "proxy groups". Each principal on the server has two such groups associated with it, a read proxy group, and a read/write proxy group. The ACLs are already set up appropriately for these groups on each calendar collection, on the theory that editing the group membership is simpler than monkeying with ACLs. Again, real-world usage will bear out how well that works. One limitation is that this applies to all of your calendars, and not just some.

Hope this helps.

-wsv

On May 30, 2007, at 12:36 AM, mwacker@linagora.com wrote:
> Do you mean that CalDAV ACLs are already implemented on the server side? As far as I remember, CalDAV ACLs are applicable not only on a calendar object (which is a collection of events in WebDAV terms) but ACLs can also be set event by event. Does Darwin Calendar Server implement this fully?
> The only problem in exploiting this comes from the client side?
— Wilfredo Sánchez - wsanchez@wsanchez.net
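
Added example, not part of the original thread and not the server's own code: a Python sketch of auditing and editing a calendar collection's WebDAV ACL (RFC 3744) as discussed above, covering the protected DAV:all ACE for the owner and the "give a friend read access" case. The sample DAV:acl value and all principal URLs are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DAV = "DAV:"
ET.register_namespace("D", DAV)

def q(name):  # Clark notation for a DAV: element name
    return "{%s}%s" % (DAV, name)

WRITE_LIKE = {q(n) for n in ("all", "write", "write-content", "write-properties", "write-acl")}

# Constructed DAV:acl value for one calendar collection; the principal URLs are placeholders.
SAMPLE_ACL = """<D:acl xmlns:D="DAV:">
 <D:ace><D:principal><D:href>/principals/users/owner/</D:href></D:principal>
  <D:grant><D:privilege><D:all/></D:privilege></D:grant><D:protected/></D:ace>
 <D:ace><D:principal><D:href>/principals/users/friend/</D:href></D:principal>
  <D:grant><D:privilege><D:read/></D:privilege></D:grant></D:ace>
 <D:ace><D:principal><D:href>/principals/users/assistant/</D:href></D:principal>
  <D:grant><D:privilege><D:read/></D:privilege><D:privilege><D:write/></D:privilege></D:grant></D:ace>
</D:acl>"""

def parse_acl(xml_text):
    """Return [(principal, sorted privilege tags, protected)] for each granting ACE."""
    aces = []
    for ace in ET.fromstring(xml_text).iter(q("ace")):
        grant = ace.find(q("grant"))
        if grant is None:
            continue  # deny ACEs are not reported by this audit
        principal = ace.find(q("principal"))
        href = principal.find(q("href"))
        who = href.text.strip() if href is not None else principal[0].tag
        privs = sorted(p[0].tag for p in grant.findall(q("privilege")) if len(p))
        aces.append((who, privs, ace.find(q("protected")) is not None))
    return aces

def writers_other_than(aces, owner):
    """Principals other than the owner that hold any write-capable privilege."""
    return sorted(who for who, privs, _ in aces if who != owner and WRITE_LIKE & set(privs))

def body_adding_grant(xml_text, href, privileges):
    """Body for an ACL request that adds one grant. The ACL method replaces every
    unprotected, non-inherited ACE, so those are resent; protected ones are left out."""
    acl = ET.Element(q("acl"))
    for ace in ET.fromstring(xml_text).iter(q("ace")):
        if ace.find(q("protected")) is None and ace.find(q("inherited")) is None:
            acl.append(ace)
    ace = ET.SubElement(acl, q("ace"))
    ET.SubElement(ET.SubElement(ace, q("principal")), q("href")).text = href
    grant = ET.SubElement(ace, q("grant"))
    for name in privileges:
        ET.SubElement(ET.SubElement(grant, q("privilege")), q(name))
    return ET.tostring(acl, encoding="unicode")
```

Running `writers_other_than` over each calendar collection's ACL is a quick way to review who besides the owner can modify it; the string returned by `body_adding_grant` is what would be sent as the body of an ACL request on the collection.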