Hi caldavd users, I was looking for a way to manage ACLs on individual calendars and came across CalDAVClientLibrary. I assume that's the recommended way of managing ACLs, is that correct? However, it seems CalDAVClientLibrary does not support Kerberos authentication. Our caldavd installation runs on Debian Lenny, using the Debian package. It is configured to use Kerberos for authentication, which works well with all calendar clients. But when I run the shell tool, I get: ./runshell.py -l --server https://server:8443 User: rziai Password: <-------- BEGIN HTTP CONNECTION --------> Server: limnos <-------- BEGIN HTTP REQUEST --------> OPTIONS /principals/users/rziai/ HTTP/1.1 Host: limnos <-------- BEGIN HTTP RESPONSE --------> HTTP/1.1 401 Unauthorized Content-Length: 141 Server: Twisted/8.1.0 TwistedWeb/[twisted.web2, version 0.2.0] DAV: 1, access-control, calendar-access, calendar-schedule, calendar-availability, inbox-availability, calendar-proxy Date: Fri, 17 Apr 2009 14:11:26 GMT Content-Type: text/html WWW-Authenticate: negotiate <html><head><title>Unauthorized</title></head><body><h1>Unauthorized</h1><p>You are not authorized to access this resource.</p></body></html> <-------- END HTTP RESPONSE --------> <-------- END HTTP CONNECTION --------> Ignoring error If it supported Kerberos, it shouldn't even ask for a password and instead just use the ticket I already have in my ticket cache. Any hints would be appreciated. Best, Ramon
Hi, I have the same problem on Ubuntu Intrepid. I think it should work with clear text passwords and sudoers, but these may not be enabled at the same time. I tried to enable clear passwords for the configuration, but I was not able to change something. Are you? Let me know if you find something out Thanks George Am 17.04.2009 um 16:15 schrieb Ramon Ziai:
Hi caldavd users,
I was looking for a way to manage ACLs on individual calendars and came across CalDAVClientLibrary. I assume that's the recommended way of managing ACLs, is that correct?
However, it seems CalDAVClientLibrary does not support Kerberos authentication. Our caldavd installation runs on Debian Lenny, using the Debian package. It is configured to use Kerberos for authentication, which works well with all calendar clients. But when I run the shell tool, I get:
./runshell.py -l --server https://server:8443 User: rziai Password:
<-------- BEGIN HTTP CONNECTION --------> Server: limnos
<-------- BEGIN HTTP REQUEST --------> OPTIONS /principals/users/rziai/ HTTP/1.1 Host: limnos
<-------- BEGIN HTTP RESPONSE --------> HTTP/1.1 401 Unauthorized Content-Length: 141 Server: Twisted/8.1.0 TwistedWeb/[twisted.web2, version 0.2.0] DAV: 1, access-control, calendar-access, calendar-schedule, calendar-availability, inbox-availability, calendar-proxy Date: Fri, 17 Apr 2009 14:11:26 GMT Content-Type: text/html WWW-Authenticate: negotiate <html><head><title>Unauthorized</title></ head><body><h1>Unauthorized</h1><p>You are not authorized to access this resource.</p></body></html> <-------- END HTTP RESPONSE -------->
<-------- END HTTP CONNECTION --------> Ignoring error
If it supported Kerberos, it shouldn't even ask for a password and instead just use the ticket I already have in my ticket cache.
Any hints would be appreciated.
Best, Ramon
_______________________________________________ calendarserver-users mailing list calendarserver-users@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo.cgi/calendarserver-users
Hi Georg, Georg Troska schrieb:
I have the same problem on Ubuntu Intrepid. I think it should work with clear text passwords and sudoers, but these may not be enabled at the same time.
I tried to enable clear passwords for the configuration, but I was not able to change something. Are you?
that doesn't seem to work for me either. And it's a hack at best to add another less secure authentication method in order to change ACLs. Are there any plans to add Kerberos authentication to CalDAVClientLibrary? If not, I'd be willing to start hacking on that. I'm assuming I just have to add another Authenticator in protocol.http.authentication that implements the necessary methods and calls the authGSSClient* functions? Best, Ramon
Hi all, I've written some code for this problem and attached it to the following ticket: https://trac.calendarserver.org/ticket/334 This patch enables Kerberos authentication for CalDAVClientLibrary using the PyKerberos binding. It worked for me but please test whether it does so for you. The "kerberos" import is assumed to be available in the PythonPath. User and password are prompted for by the program but are not required for kerberos authentication. Best, Ramon Ramon Ziai schrieb:
Hi Georg,
Georg Troska schrieb:
I have the same problem on Ubuntu Intrepid. I think it should work with clear text passwords and sudoers, but these may not be enabled at the same time.
I tried to enable clear passwords for the configuration, but I was not able to change something. Are you?
that doesn't seem to work for me either. And it's a hack at best to add another less secure authentication method in order to change ACLs.
Are there any plans to add Kerberos authentication to CalDAVClientLibrary?
If not, I'd be willing to start hacking on that. I'm assuming I just have to add another Authenticator in protocol.http.authentication that implements the necessary methods and calls the authGSSClient* functions?
Best, Ramon
------------------------------------------------------------------------
_______________________________________________ calendarserver-users mailing list calendarserver-users@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo.cgi/calendarserver-users
participants (2)
-
Georg Troska
-
Ramon Ziai