[CalendarServer-users] Client library and admin tool
Scott Buchanan
dscottbuch at mac.com
Wed Apr 2 18:44:35 PDT 2008
Cyrus,
That makes sense (I've done enough ACLs to at least get the
principle). It would be nice to find a tutorial with, or without, the
GUI.
On Apr 2, 2008, at 6:31 PM, Cyrus Daboo wrote:
> Hi Scott,
>
> --On April 2, 2008 5:50:14 PM -0700 Scott Buchanan
> <dscottbuch at mac.com> wrote:
>
>> I've installed the CS on a Tiger server and everything is working. I
>> want to use the calendars for the groups (our SW group for example)
>> and this works fine BUT I don't want individuals of the group to be
>> able to delete the entire calendar which is very easy to do by
>> mistake from iCal for example. They need to be able to add and edit
>> events, but not the whole calendar.
>>
>> The only way I can see to do this is to somehow edit the acl for the
>> .../swgroup/calendar/ directory so that it can not be deleted but
>> I'm not enough of an expert on ACLs in general, and DAV ACLs in
>> particular.
>
> Ok, this is one of the more complex parts of WebDAV ACLs.
>
> Bottom line is you need to deny the DAV:unbind privilege on the
> parent of the calendar. That will prevent the specified users from
> deleting anything within that parent collection.
>
> Something like this would work:
>
> 1. Start the shell:
>
>> ./runshell.py --server=... --user=... --password=...
>
> 2. Navigate to the parent directory of the calendars you want to
> "protect":
>
> / > cd /calendars/groups/testgroup
>
> 3. Run the ACL interactive mode:
>
> /calendars/groups/testgroup > acl -i
>
> 4. Use the add command:
>
> ACL > add
>
> 5. You will then get a list of existing privileges. You will
> probably want to insert the one to block deletes above all the
> existing ones as the order of privileges counts when determining
> access. So enter 1:
>
> Add ACL before [1 - 7] or cancel [q]: 1
>
> 6. You will then get prompted for a "principal type". This
> determines who the new privilege will apply to. In this case we want
> it to apply to everyone in a specific group, so enter 1:
>
> Select type: 1
>
> 7. You will then get prompted to enter the principal path, so enter
> the path to the group you want to "block":
>
> Enter principal path: /principals/groups/swgroup
>
> 8. In WebDAV you can have the privilege apply to the specified
> principal or apply to all principals that do not match that
> (invert). In this case we want the former so enter n:
>
> Invert principal [y/n]: n
>
> 9. Next the prompt is for whether a privilege is being granted or
> denied. In this case we want deny, so enter d:
>
> Grant or Deny privileges [g/d]: d
>
> 10. Then the prompt will be a list of all the privileges that can be
> denied. In this case you want DAV:unbind so enter i:
>
> Select multiple items: i
>
> 11. At that point the shell tool should write out the new
> privileges. Use the list command to verify it is there. Then, as a
> member of the group try to delete a calendar. Hopefully you won't be
> able to!
>
> As you can see there are a lot of steps involved in managing ACLs
> and you do need to understand how the order and sets of privileges
> and invert, grant/deny etc all work.
>
> Of course one could write a GUI for this that would just give a set
> of checkboxes to check off and it would look a lot easier than the
> command line approach.
>
> --
> Cyrus Daboo
>
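
Why step 5 puts the new entry first, as an added example (not from the thread or from the CalendarServer code): a simplified model of ordered WebDAV ACE evaluation (RFC 3744), plus the ACL request body for the deny DAV:unbind entry. The existing grant of DAV:all to the group, the function names and the membership check are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

DAV = "DAV:"
# RFC 3744 aggregation: DAV:write contains these four; DAV:all contains everything.
WRITE = {"write-properties", "write-content", "bind", "unbind"}

def expand(priv):
    """Expand an aggregate privilege into the privileges it covers (subset only)."""
    if priv == "all":
        return WRITE | {"read", "write", "all"}
    if priv == "write":
        return WRITE | {"write"}
    return {priv}

def allowed(aces, member_of, wanted):
    """Simplified model: the first ACE that matches the user's principals
    and covers the wanted privilege decides the outcome."""
    for principal, action, privs in aces:
        if principal in member_of and any(wanted in expand(p) for p in privs):
            return action == "grant"
    return False  # never granted

def acl_body(aces):
    """Serialize the ACEs, in order, as the XML body of a WebDAV ACL request."""
    ET.register_namespace("D", DAV)
    acl = ET.Element(f"{{{DAV}}}acl")
    for principal, action, privs in aces:
        ace = ET.SubElement(acl, f"{{{DAV}}}ace")
        who = ET.SubElement(ace, f"{{{DAV}}}principal")
        ET.SubElement(who, f"{{{DAV}}}href").text = principal
        act = ET.SubElement(ace, f"{{{DAV}}}{action}")
        for p in privs:
            ET.SubElement(ET.SubElement(act, f"{{{DAV}}}privilege"), f"{{{DAV}}}{p}")
    return ET.tostring(acl, encoding="unicode")

GROUP = "/principals/groups/swgroup"       # principal path from step 7
existing = [(GROUP, "grant", ["all"])]     # constructed: assumed current ACL on the parent
deny = (GROUP, "deny", ["unbind"])         # the entry built in steps 6-10
member = {GROUP}                           # a user who belongs to the group

first = [deny] + existing   # inserted before entry 1, as in step 5
last = existing + [deny]    # appended after the existing grant instead

if __name__ == "__main__":
    print("deny first, delete allowed:", allowed(first, member, "unbind"))
    print("deny last, delete allowed: ", allowed(last, member, "unbind"))
    print("deny first, create allowed:", allowed(first, member, "bind"))
    print(acl_body(first))
```

With the deny entry appended after the grant, the earlier grant still decides DAV:unbind and deletion stays possible, which is the ordering problem step 5 avoids.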