Hi, I'm having trouble accessing group calendars. So far I've implemented a custom directory service tied to my application, but when a member tries to access their group's calendar, I get a "403 Forbidden" response. The custom directory service is properly returning the set of members for the group and then the DirectoryRecords for each member in the group. I've verified that the groupMembers() method in principal.py returns the proper DirectoryPrincipalResources of the members as well. I don't know if it's an issue with the directory service, but I thought I'd mention it anyway. Can someone please explain what I'm missing? - Tyler Keating
Hi,
I'm having trouble accessing group calendars. So far I've implemented a custom directory service tied to my application, but when a member tries to access their group's calendar, I get a "403 Forbidden" response. The custom directory service is properly returning the set of members for the group and then the DirectoryRecords for each member in the group. I've verified that the groupMembers() method in principal.py returns the proper DirectoryPrincipalResources of the members as well. I don't know if it's an issue with the directory service, but I thought I'd mention it anyway.
Can someone please explain what I'm missing?
- Tyler Keating
I just noticed that I haven't implemented 'guid' in my directory service (which was based on an older version of sqldb). Maybe this is the issue? I'll get to work adding it anyhow. - Tyler
If the GUID is the issue for this problem, could it also be the issue for mine (http://trac.macosforge.org/projects/calendarserver/ticket/ 134). One of the first log messages I get when I connect is
2007/02/27 19:16 -0400 [HTTPChannel,0,127.0.0.1] GET / HTTP/1.1 2007/02/27 19:17 -0400 [HTTPChannel,1,127.0.0.1] GET /holidays.ics HTTP/1.1 2007/02/27 19:17 -0400 [HTTPChannel,2,127.0.0.1] GET /holidays.ics HTTP/1.1 2007/02/27 19:17 -0400 [HTTPChannel,2,127.0.0.1] "Directory service <XMLDirectoryService 'Test Realm': FilePath('/repository/svn/ CalendarServer/conf/accounts-test.xml')> has no GUID; generating service GUID from realm name." 2007/02/27 19:17 -0400 [HTTPChannel,2,127.0.0.1] "Attempt to create clone '/repository/svn/CalendarServer/twistedcaldav/test/data/ principals/user' of resource <DirectoryPrincipalProvisioningResource: /repository/svn/ CalendarServer/twistedcaldav/test/data/principals>"
On Feb 27, 2007, at 5:51 PM, Tyler Keating wrote:
Hi,
I'm having trouble accessing group calendars. So far I've implemented a custom directory service tied to my application, but when a member tries to access their group's calendar, I get a "403 Forbidden" response. The custom directory service is properly returning the set of members for the group and then the DirectoryRecords for each member in the group. I've verified that the groupMembers() method in principal.py returns the proper DirectoryPrincipalResources of the members as well. I don't know if it's an issue with the directory service, but I thought I'd mention it anyway.
Can someone please explain what I'm missing?
- Tyler Keating
I just noticed that I haven't implemented 'guid' in my directory service (which was based on an older version of sqldb). Maybe this is the issue? I'll get to work adding it anyhow.
- Tyler_______________________________________________ calendarserver-users mailing list calendarserver-users@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo/calendarserver-users
-- Gary Warren King, metabang.com Cell: (413) 885 9127 Fax: (206) 338-4052 gwkkwg on Skype * garethsan on AIM
On Feb 27, 2007, at 5:51 PM, Tyler Keating wrote:
Hi,
I'm having trouble accessing group calendars. So far I've implemented a custom directory service tied to my application, but when a member tries to access their group's calendar, I get a "403 Forbidden" response. The custom directory service is properly returning the set of members for the group and then the DirectoryRecords for each member in the group. I've verified that the groupMembers() method in principal.py returns the proper DirectoryPrincipalResources of the members as well. I don't know if it's an issue with the directory service, but I thought I'd mention it anyway.
Can someone please explain what I'm missing?
- Tyler Keating
I just noticed that I haven't implemented 'guid' in my directory service (which was based on an older version of sqldb). Maybe this is the issue? I'll get to work adding it anyhow.
- Tyler
On 27-Feb-07, at 5:18 PM, Gary King wrote:
If the GUID is the issue for this problem, could it also be the issue for mine (http://trac.macosforge.org/projects/calendarserver/ ticket/134). One of the first log messages I get when I connect is
2007/02/27 19:16 -0400 [HTTPChannel,0,127.0.0.1] GET / HTTP/1.1 2007/02/27 19:17 -0400 [HTTPChannel,1,127.0.0.1] GET /holidays.ics HTTP/1.1 2007/02/27 19:17 -0400 [HTTPChannel,2,127.0.0.1] GET /holidays.ics HTTP/1.1 2007/02/27 19:17 -0400 [HTTPChannel,2,127.0.0.1] "Directory service <XMLDirectoryService 'Test Realm': FilePath('/repository/ svn/CalendarServer/conf/accounts-test.xml')> has no GUID; generating service GUID from realm name." 2007/02/27 19:17 -0400 [HTTPChannel,2,127.0.0.1] "Attempt to create clone '/repository/svn/CalendarServer/twistedcaldav/test/ data/principals/user' of resource <DirectoryPrincipalProvisioningResource: /repository/svn/ CalendarServer/twistedcaldav/test/data/principals>"
My brain is seriously fried right now, but I'm pretty sure that the 'guid' for each record doesn't actually matter, since I see that it is auto-generated. For your issue, you need to add a guid property in your DirectoryService implementation, like 'guid = "012345678-9abc- def0-1234-56789abcdef0"'. - Tyler
Hi Tyler, --On February 27, 2007 4:41:10 PM -0600 Tyler Keating <tylerkeating@mac.com> wrote:
I'm having trouble accessing group calendars. So far I've implemented a custom directory service tied to my application, but when a member tries to access their group's calendar, I get a "403 Forbidden" response. The custom directory service is properly returning the set of members for the group and then the DirectoryRecords for each member in the group. I've verified that the groupMembers() method in principal.py returns the proper DirectoryPrincipalResources of the members as well. I don't know if it's an issue with the directory service, but I thought I'd mention it anyway.
Can someone please explain what I'm missing?
To check whether principals and group memberships are setup properly, use a browser and view the /principals hierarchy there. When you click on a principal the server will generate an HTML page with some (really) useful information on it. So check that your groups do appear under /principals and that their membership looks right. Also check the regular principals that are members of a group to verify they show themselves as belonging to it. If the principal all look OK, then next thing to check is the ACLs on the resources you are trying to access. For that you may need to probe with a WebDAV client that allows you to inspect the ACL property (you will likely need to do that as the admin user). -- Cyrus Daboo
Cyrus,
I'm having trouble accessing group calendars. So far I've implemented a custom directory service tied to my application, but when a member tries to access their group's calendar, I get a "403 Forbidden" response. The custom directory service is properly returning the set of members for the group and then the DirectoryRecords for each member in the group. I've verified that the groupMembers() method in principal.py returns the proper DirectoryPrincipalResources of the members as well. I don't know if it's an issue with the directory service, but I thought I'd mention it anyway.
Can someone please explain what I'm missing?
To check whether principals and group memberships are setup properly, use a browser and view the /principals hierarchy there. When you click on a principal the server will generate an HTML page with some (really) useful information on it. So check that your groups do appear under /principals and that their membership looks right. Also check the regular principals that are members of a group to verify they show themselves as belonging to it.
If the principal all look OK, then next thing to check is the ACLs on the resources you are trying to access. For that you may need to probe with a WebDAV client that allows you to inspect the ACL property (you will likely need to do that as the admin user).
As always, I really appreciate your quick response. I think I'm on the right track now at least, but unfortunately, I haven't figured this one out on my own. For example, when I try to view my group principal in the browser, I get the following error (or vice versa on the user principal): Unhandled Error Traceback (most recent call last): File "/Users/admin/Developer/Collaboration/Twisted/twisted/ internet/defer.py", line 191, in addCallback callbackKeywords=kw) File "/Users/admin/Developer/Collaboration/Twisted/twisted/ internet/defer.py", line 182, in addCallbacks self._runCallbacks() File "/Users/admin/Developer/Collaboration/Twisted/twisted/ internet/defer.py", line 317, in _runCallbacks self.result = callback(self.result, *args, **kw) File "/Users/admin/Developer/Collaboration/Twisted/twisted/ internet/defer.py", line 663, in unwindGenerator return _deferGenerator(f(*args, **kwargs)) --- <exception caught here> --- File "/Users/admin/Developer/Collaboration/Twisted/twisted/ internet/defer.py", line 623, in _deferGenerator result = g.next() File "/Users/admin/Developer/Collaboration/CalendarServer/ twistedcaldav/extensions.py", line 269, in gotProperties property = property.getResult() File "/Users/admin/Developer/Collaboration/Twisted/twisted/ internet/defer.py", line 609, in getResult self.result.raiseException() File "/Users/admin/Developer/Collaboration/Twisted/twisted/ python/failure.py", line 259, in raiseException raise self.type, self.value, self.tb exceptions.AssertionError: Not an element: <DirectoryPrincipalResource: /Users/admin/Developer/Collaboration/ CalendarServer/data/principals/users/keating> I'll keep looking into it on my own, but thought I'd throw this error message back to you first, in case the problem becomes apparent and you've got a quick answer. Plus the ACLs all look okay, but I have no experience with ACLs. Which ACE does a group's member fall under? Thanks, - Tyler Keating
Good news. I did a clean install of the CalendarServer and libraries and this fixed the problem. I will be sure to try this first next time. - Tyler Keating On 28-Feb-07, at 4:37 PM, Tyler Keating wrote:
Cyrus,
I'm having trouble accessing group calendars. So far I've implemented a custom directory service tied to my application, but when a member tries to access their group's calendar, I get a "403 Forbidden" response. The custom directory service is properly returning the set of members for the group and then the DirectoryRecords for each member in the group. I've verified that the groupMembers() method in principal.py returns the proper DirectoryPrincipalResources of the members as well. I don't know if it's an issue with the directory service, but I thought I'd mention it anyway.
Can someone please explain what I'm missing?
To check whether principals and group memberships are setup properly, use a browser and view the /principals hierarchy there. When you click on a principal the server will generate an HTML page with some (really) useful information on it. So check that your groups do appear under /principals and that their membership looks right. Also check the regular principals that are members of a group to verify they show themselves as belonging to it.
If the principal all look OK, then next thing to check is the ACLs on the resources you are trying to access. For that you may need to probe with a WebDAV client that allows you to inspect the ACL property (you will likely need to do that as the admin user).
As always, I really appreciate your quick response. I think I'm on the right track now at least, but unfortunately, I haven't figured this one out on my own. For example, when I try to view my group principal in the browser, I get the following error (or vice versa on the user principal):
Unhandled Error Traceback (most recent call last): File "/Users/admin/Developer/Collaboration/Twisted/ twisted/internet/defer.py", line 191, in addCallback callbackKeywords=kw) File "/Users/admin/Developer/Collaboration/Twisted/ twisted/internet/defer.py", line 182, in addCallbacks self._runCallbacks() File "/Users/admin/Developer/Collaboration/Twisted/ twisted/internet/defer.py", line 317, in _runCallbacks self.result = callback(self.result, *args, **kw) File "/Users/admin/Developer/Collaboration/Twisted/ twisted/internet/defer.py", line 663, in unwindGenerator return _deferGenerator(f(*args, **kwargs)) --- <exception caught here> --- File "/Users/admin/Developer/Collaboration/Twisted/ twisted/internet/defer.py", line 623, in _deferGenerator result = g.next() File "/Users/admin/Developer/Collaboration/CalendarServer/ twistedcaldav/extensions.py", line 269, in gotProperties property = property.getResult() File "/Users/admin/Developer/Collaboration/Twisted/ twisted/internet/defer.py", line 609, in getResult self.result.raiseException() File "/Users/admin/Developer/Collaboration/Twisted/ twisted/python/failure.py", line 259, in raiseException raise self.type, self.value, self.tb exceptions.AssertionError: Not an element: <DirectoryPrincipalResource: /Users/admin/Developer/Collaboration/ CalendarServer/data/principals/users/keating>
I'll keep looking into it on my own, but thought I'd throw this error message back to you first, in case the problem becomes apparent and you've got a quick answer. Plus the ACLs all look okay, but I have no experience with ACLs. Which ACE does a group's member fall under?
Thanks, - Tyler Keating
_______________________________________________ calendarserver-users mailing list calendarserver-users@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo/calendarserver-users
participants (3)
-
Cyrus Daboo
-
Gary King
-
Tyler Keating