Need help with configuration to Open Directory
Hi all,

I would really appreciate some assistance with configuring Calendar Server to work with Open Directory on OS X.

I've downloaded and compiled the source, which I assume was fine as I didn't receive any errors.

I copied caldavd-test.plist -> caldavd-dev.plist and made the following changes...

<!-- Network host name -->
<key>ServerHostName</key>
<string>ferrari.mydomainname.co.uk</string>

My fully qualified hostname as listed in the locally running DNS.

<!-- List of IP addresses to bind to [empty = all] -->
<key>BindAddresses</key>
<array>
  <string>192.168.0.100</string>
</array>

IP address of the server

<!-- XML File Directory Service -->
<!--
<key>DirectoryService</key>
<dict>
  <key>type</key>
  <string>twistedcaldav.directory.xmlfile.XMLDirectoryService</string>
  <key>params</key>
  <dict>
    <key>xmlFile</key>
    <string>conf/accounts-test.xml</string>
  </dict>
</dict>
-->

Commented this out as I want Open Directory support

<!-- Open Directory Service -->
<key>DirectoryService</key>
<dict>
  <key>type</key>
  <string>twistedcaldav.directory.appleopendirectory.OpenDirectoryService</string>
  <key>params</key>
  <dict>
    <key>node</key>
    <string>/Search</string>
  </dict>
</dict>

Un-commented Open Directory Service config and left as default

The remaining config left as is.

My environment.

OS X Server V 10.4.10
Local DNS server running
Open Directory configured as Directory Master and operational.
Workgroup manager connects to ferrari.mydomainname.co.u and authenticates to /LDAPv3/127.0.0.1

When I run Calendar Server I receive the following error...

2007-10-28 22:44:38+0000 [-] [caldav-8008] /Library/iCalServer/CalendarServer/twistedcaldav/authkerb.py:50: RuntimeWarning: Python C API version mismatch for module kerberos: This Python has API version 1013, module kerberos has version 1012.
2007-10-28 22:44:38+0000 [-] [caldav-8008] import kerberos
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] Log opened.
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] twistd 2.5.0+r19773 (/Library/Frameworks/Python.framework/Versions/2.5/Resources/Python.app/Contents/MacOS/Python 2.5.0) starting up
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] reactor class: <class 'twisted.internet.selectreactor.SelectReactor'>
2007-10-28 22:44:38+0000 [-] [caldav-8008] [startup] Configuring directory service of type: twistedcaldav.directory.appleopendirectory.OpenDirectoryService
2007-10-28 22:44:38+0000 [-] [caldav-8008] [OpenDirectoryService] Unable to locate virtual host record: Open Directory (node=/Search) has no /Computers records with a virtual hostname: ferrari.mydomainname.co.uk
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] Traceback (most recent call last):
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] File "../Twisted/bin/twistd", line 21, in <module>
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] run()
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] File "/Library/Twisted/twisted/scripts/twistd.py", line 27, in run
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] File "/Library/Twisted/twisted/application/app.py", line 379, in run
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] File "/Library/Twisted/twisted/scripts/twistd.py", line 23, in runApp
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] File "/Library/Twisted/twisted/application/app.py", line 157, in run
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] File "/Library/Twisted/twisted/application/app.py", line 202, in createOrGetApplication
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] File "/Library/CalendarServer/twistedcaldav/tap.py", line 595, in makeService
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] File "/Library/CalendarServer/twistedcaldav/tap.py", line 365, in makeService_Slave
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] File "/Library/iCalServer/CalendarServer/twistedcaldav/directory/appleopendirectory.py", line 91, in __init__
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] self._lookupVHostRecord()
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] File "/Library/iCalServer/CalendarServer/twistedcaldav/directory/appleopendirectory.py", line 202, in _lookupVHostRecord
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] self._parseComputersRecords(records, vhostname)
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] File "/Library/iCalServer/CalendarServer/twistedcaldav/directory/appleopendirectory.py", line 209, in _parseComputersRecords
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] % (self.realmName, vhostname,)
2007-10-28 22:44:38+0000 [-] [caldav-8008] [-] twistedcaldav.directory.appleopendirectory.OpenDirectoryInitError: Open Directory (node=/Search) has no /Computers records with a virtual hostname: ferrari.mydomainname.co.uk

Am I missing something obvious in the Calendar Server configuration? Or perhaps I need to add a user to the Open Directory??? I'm totally stumped. Any help would be greatly appreciated.

Thanks in advance

~Stewart
Hi Stewart,

--On October 28, 2007 10:50:47 PM +0000 Stewart Randall <stewart@srandall.co.uk> wrote:

> Am I missing something obvious in the Calendar Server configuration? Or perhaps I need to add a user to the Open Directory??? I'm totally stumped. Any help would be greatly appreciated.

The OD support in the 10.5 calendar server relies on some 10.5-specific OD schema to determine which users should be enabled for the calendar service. That new schema won't be available on your 10.4 server.

However, the good news is you can configure the calendar server to use OD but not require the new schema. To do that, you set the requireComputerRecord in the directory service in the .plist to <false/>. If you look at the caldavd-test.plist file you will see <key>requireComputerRecord</key> set by default to <true/>.

--
Cyrus Daboo
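A pre-flight check for the setting described above, as an added example that is not part of the original thread or the Calendar Server project: it parses a caldavd plist and reports whether startup will demand the /Computers virtual-host record named in the error log. The sample plist is constructed, and both the placement of requireComputerRecord inside params and the treatment of a missing key as true are assumptions.

```python
import plistlib

# Constructed sample modelled on the fragments quoted in the thread. Placing
# requireComputerRecord inside <params> is an assumption.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ServerHostName</key>
  <string>ferrari.mydomainname.co.uk</string>
  <key>DirectoryService</key>
  <dict>
    <key>type</key>
    <string>twistedcaldav.directory.appleopendirectory.OpenDirectoryService</string>
    <key>params</key>
    <dict>
      <key>node</key>
      <string>/Search</string>
      <key>requireComputerRecord</key>
      <false/>
    </dict>
  </dict>
</dict>
</plist>
"""

OD_TYPE = "twistedcaldav.directory.appleopendirectory.OpenDirectoryService"


def check_directory_config(plist_bytes):
    """Return findings about the DirectoryService section of a caldavd plist."""
    config = plistlib.loads(plist_bytes)
    service = config.get("DirectoryService")
    if not isinstance(service, dict):
        return ["no active DirectoryService dict (still commented out?)"]
    if service.get("type") != OD_TYPE:
        return ["directory type is %s, not Open Directory" % service.get("type")]
    params = service.get("params", {})
    # Assumption: a missing key behaves like <true/>, the value the thread
    # says caldavd-test.plist ships with.
    if params.get("requireComputerRecord", True):
        return ["requireComputerRecord is true: node %s needs a /Computers "
                "record with virtual hostname %s"
                % (params.get("node"), config.get("ServerHostName"))]
    return ["requireComputerRecord is false: /Computers record not required"]


if __name__ == "__main__":
    for finding in check_directory_config(SAMPLE_PLIST):
        print(finding)
```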
Fantastic... that has done the job. Calendar Server is up and running and my iCal clients are connected.

One final question if that's okay. Will the OD schema on 10.4 support delegation? When I try to add a user from the OD to allow write access, the user can not be found. The client is running Leopard and I've added the directory service using Directory Utility.

Any ideas?

Thanks,

~S
Hi Stewart,

--On October 29, 2007 8:46:01 AM +0000 Stewart Randall <stewart@srandall.co.uk> wrote:

> One final question if that's okay. Will the OD schema on 10.4 support delegation? When I try to add a user from the OD to allow write access, the user can not be found. The client is running Leopard and I've added the directory service using Directory Utility.
>
> Any ideas?

That won't work as iCal does require the schema for its delegate lookup, as far as I can tell.

The only way you can manage this is by creating your own tool to set up delegate info. That basically involves changing group membership details on certain principal resources related to the user who wants to delegate. If that is done, then iCal's 'Accounts I can access' panel will list those - you just won't be able to use iCal's 'Manage Account Access' feature.

(Of course the other option is to upgrade to Leopard Server :-) ).

--
Cyrus Daboo
Thanks. All sounds very complicated.

I want to upgrade to Leopard server but my Mac Mini only has 512MB RAM at the moment... I read that the minimum required was 1GB. :-( so will need to splash some cash on RAM before visiting the Apple store. Not too sure if I can justify the cost for this feature - just yet :-)

If I could share address books as well then that would clinch it!!! Any thoughts on how best to do this without .Mac accounts?

Appreciate the help.

~S
Cyrus Daboo-3 wrote:

> That won't work as iCal does require the schema for its delegate lookup, as far as I can tell.
>
> The only way you can manage this is by creating your own tool to set up delegate info. That basically involves changing group membership details on certain principal resources related to the user who wants to delegate. If that is done, then iCal's 'Accounts I can access' panel will list those - you just won't be able to use iCal's 'Manage Account Access' feature.
>
> (Of course the other option is to upgrade to Leopard Server :-) ).

Is it not possible to simply extend the schema on a Tiger OD master? I gave it a brief try by copying the apple.schema from a Leopard server, but I got a duplicate OID error that I could not resolve so I had to go back (live server).

I'd really like the full functionality of iCal (and web services) without having to upgrade my OD master to Leopard.

-matthew
On Nov 5, 2007, at 6:22 PM, misleb wrote:

> Cyrus Daboo-3 wrote:
>
> > That won't work as iCal does require the schema for its delegate lookup, as far as I can tell.
> >
> > The only way you can manage this is by creating your own tool to set up delegate info. That basically involves changing group membership details on certain principal resources related to the user who wants to delegate. If that is done, then iCal's 'Accounts I can access' panel will list those - you just won't be able to use iCal's 'Manage Account Access' feature.
> >
> > (Of course the other option is to upgrade to Leopard Server :-) ).
>
> Is it not possible to simply extend the schema on a Tiger OD master? I gave it a brief try by copying the apple.schema from a Leopard server, but I got a duplicate OID error that I could not resolve so I had to go back (live server).
>
> I'd really like the full functionality of iCal (and web services) without having to upgrade my OD master to Leopard.

This is possible. I did it a while back on Tiger and posted some of the results to this list. At the time though the whole project was in such a state of developmental flux that it was a moving target. (It turned out great though!)

When adding schema you really should get your own OID. When I was messing with this I got one for AFP548.com. It was just a simple web form that took a few days to get back.

Josh

--
Josh Wisenbaker, ACSA
http://www.afp548.com
We're the M in RTFM.
On Nov 6, 2007, at 7:21 AM, Josh Wisenbaker wrote:

> When adding schema you really should get your own OID. When I was messing with this I got one for AFP548.com. It was just a simple web form that took a few days to get back.

It occurs to me that I should provide a link here...

<http://pen.iana.org/pen/PenApplication.page>

Josh

--
Josh Wisenbaker, ACSA
http://www.afp548.com
We're the M in RTFM.
Josh Wisenbaker wrote:

> > Is it not possible to simply extend the schema on a Tiger OD master? I gave it a brief try by copying the apple.schema from a Leopard server, but I got a duplicate OID error that I could not resolve so I had to go back (live server).
> >
> > I'd really like the full functionality of iCal (and web services) without having to upgrade my OD master to Leopard.
>
> This is possible. I did it a while back on Tiger and posted some of the results to this list. At the time though the whole project was in such a state of developmental flux that it was a moving target. (It turned out great though!)
>
> When adding schema you really should get your own OID. When I was messing with this I got one for AFP548.com. It was just a simple web form that took a few days to get back.

Why write my own schema when there's a perfectly good apple.schema on my Leopard server with all the appropriate OIDs defined?

Or are you saying use the Leopard apple.schema as a reference and just swap in my own OIDs to avoid the conflicts that I had?

Isn't there a schema file that I could download from someone else who's extended the Tiger schema to work with Leopard server?
On Nov 6, 2007, at 12:52 PM, misleb wrote:

> Josh Wisenbaker wrote:
>
> > > Is it not possible to simply extend the schema on a Tiger OD master? I gave it a brief try by copying the apple.schema from a Leopard server, but I got a duplicate OID error that I could not resolve so I had to go back (live server).
> > >
> > > I'd really like the full functionality of iCal (and web services) without having to upgrade my OD master to Leopard.
> >
> > This is possible. I did it a while back on Tiger and posted some of the results to this list. At the time though the whole project was in such a state of developmental flux that it was a moving target. (It turned out great though!)
> >
> > When adding schema you really should get your own OID. When I was messing with this I got one for AFP548.com. It was just a simple web form that took a few days to get back.
>
> Why write my own schema when there's a perfectly good apple.schema on my Leopard server with all the appropriate OIDs defined?
>
> Or are you saying use the Leopard apple.schema as a reference and just swap in my own OIDs to avoid the conflicts that I had?
>
> Isn't there a schema file that I could download from someone else who's extended the Tiger schema to work with Leopard server?

Using the apple schema file is probably the easiest, although you are probably going to just want to pick the extra attributes that you need.

If you are adding in your own additions that are based on, but not actually, the Apple ones it may be best to get your own private enterprise number. When I was messing with all of this the Leopard schema wasn't public, so that was the route I had to take.

Josh

--
Josh Wisenbaker, ACSA
http://www.afp548.com
Breaking my server to save yours.
participants (4)
- Cyrus Daboo
- Josh Wisenbaker
- misleb
- Stewart Randall