[CalendarServer-users] Client library and admin tool

Cyrus Daboo cdaboo at apple.com
Fri Apr 4 09:26:00 PDT 2008

Hi Scott,

--On April 4, 2008 8:19:03 AM -0700 Scott Buchanan <dscottbuch at mac.com> 

> is the following consistent with your analysis?
> HTTP/1.1 403 Forbidden
> Date: Fri, 04 Apr 2008 15:17:32 GMT
> DAV: 1, access-control, calendar-access, calendar-schedule,
> calendar-availability, inbox-availability, calendar-proxy,
> calendarserver-private-events
> Content-Type: text/xml
> Content-Length: 104
> Server: Twisted/2.5.0 TwistedWeb/[twisted.web2, version 0.2.0]
> TwistedCalDAV/1.3-dev (r2269)
> <?xml version='1.0' encoding='UTF-8'?>
> <error xmlns='DAV:'>
>    <no-protected-ace-conflict/>
> </error>
> If so, I understand you suggestions but it seems overly complex.  Is this
> how it is handled on Leopard Server, thru OD and the GUi that comes with
> that?

Yes '<no-protected-ace-conflict/>' is what I was describing.

NB There is another approach to this by using proxy. Here is how this would 

1) Instead of creating a group calendar, create a regular user to represent 
the group.
2) Use that user's credentials to login and manage the calendars 
3) Assign other users as read-only or read-write proxies for that user (the 
runshell proxies command easily manages that).

A slight variation of this is to assign a group principal as a proxy to a 
user. Then you can manage the proxies by adding individual users to the 
group rather than directly using the proxy command.

I think this is probably a better bet than managing the ACLs directly.

There has been a fair amount of discussion in the Calendaring and 
Scheduling Consortium by caldav-related folks about defining a more generic 
proxy scheme than we have in our server. The primary goal of this is to 
avoid admins, clients etc ever having to manipulate ACLs directly, because, 
frankly, WebDAV ACLs are overly complex for most of the operations people 
want to do. The goal would be to have the server provision all the required 
types of ACLs and then use group membership as a way of giving particular 
users the appropriate rights. That is basically what the current proxy 
mechanism does.

Cyrus Daboo

More information about the calendarserver-users mailing list