Monday Oct 18, 2010

Calendar 6.3 Subscribe Internals

In this blog post I'll explain how calendar subscribe works and where to look when something goes wrong.

Calendar subscribe is done by the following actions:

Bob              -> Calendar properties request for Alice Calendar   -> Calendar Server
Calendar Server  -> Result (read access)                             -> Bob
Bob              -> Calendar subscribe request for Alice Calendar    -> Calendar Server

Calendar Server  -> MODify request Bob LDAP entry                    -> Directory Server
Directory Server -> MODify result                                    -> Calendar Server

Calendar Server  -> Calendar subscribe result                        -> Bob
  

First we need to check the calendar user ACL. Alice's user ACL can deny Bob read, invite and freebusy lookup. If no permission is set up for Bob, the subscribe will not work.

The user ACL can be checked on the Calendar Server side from the command line with cscal -v list <user@domain.tld>:

bash-3.00# ./cscal -v list alice@domain.tld
alice@domain.tld: owner=alice@domain.tld status=enabled
 name=Bob User
 description=
 other owners=
 double book=yes
 aces=@@o^a^r^g;@@o^c^wdeic^g;@^a^rsf^g;@^c^^g;@^p^r^g;@@o^p^rw^g
 email=
 time zone=
 categories=
 character set=
 language code=en
 created=Oct 08, 2010 12:14:01 GMT
 last modified=Oct 08, 2010 12:14:36 GMT
 events last modified=Oct 08, 2010 12:14:01 GMT
 todos last modified=Oct 08, 2010 12:14:01 GMT
 deletelog last modified=Oct 08, 2010 12:14:01 GMT
 number of events=0
 number of tasks=0
 number of deleted events=0
 number of deleted tasks=0
 number of deleted recurring events=0
 number of deleted recurring tasks=0
  

Check whether read, invite or freebusy is allowed; if none of them is allowed, you will not be able to subscribe to Alice's calendar. Information about calendar ACLs can be found at http://docs.sun.com/source/816-6708-10/csag4.html#wp29425

If the ACL is correct, that is, sharing of Alice's calendar is allowed, the http.log of Calendar Server will look like this (debug mode: logfile.loglevel = "Debug" in ics.conf):
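The ACL check above can be done mechanically on the aces= value printed by cscal. The following Python code is an added example, not part of the original post or of Calendar Server. It assumes the who^what^how^grant field layout, that "@" means everyone and "@@o" the owner, that "a" covers both components (c) and properties (p), that r/s/f stand for read/invite/freebusy, and that the first ACE naming a right decides it; confirm these against the admin guide linked above.

```python
# Added example: decode a cscal "aces" string and list the subscribe-relevant
# rights (read, invite, freebusy) that a given user holds.
ACES = "@@o^a^r^g;@@o^c^wdeic^g;@^a^rsf^g;@^c^^g;@^p^r^g;@@o^p^rw^g"  # from the post
# Constructed sample: Bob is denied before the catch-all grant is reached.
ACES_BOB_DENIED = "@@o^a^rwd^g;bob@domain.tld^a^rsf^d;@^a^rsf^g"

def parse_aces(aces):
    """Split 'who^what^how^grant;...' into dicts, keeping the ACE order."""
    entries = []
    for raw in filter(None, aces.split(";")):
        parts = raw.split("^")
        if len(parts) != 4:
            raise ValueError(f"malformed ACE: {raw!r}")
        who, what, how, grant = parts
        entries.append({"who": who, "what": what, "how": set(how),
                        "grant": grant == "g"})
    return entries

def who_matches(who, user, owner):
    """Only '@', '@@o' and a literal user id are handled (assumption)."""
    if who == "@":
        return True
    if who == "@@o":
        return user == owner
    return who == user

def is_allowed(aces, user, owner, right, what="c"):
    """Assumed semantics: the first ACE that names the right decides it."""
    for ace in parse_aces(aces):
        if (who_matches(ace["who"], user, owner)
                and ace["what"] in (what, "a") and right in ace["how"]):
            return ace["grant"]
    return False  # no ACE mentions the right: no access

def subscribe_rights(aces, user, owner):
    """Rights out of r (read), s (invite), f (freebusy) held by user."""
    return {r for r in "rsf" if is_allowed(aces, user, owner, r)}

if __name__ == "__main__":
    for name, acl in (("post", ACES), ("denied", ACES_BOB_DENIED)):
        rights = subscribe_rights(acl, "bob@domain.tld", "alice@domain.tld")
        print(name, sorted(rights) or "no read/invite/freebusy")
```

An empty result for Bob means the subscribe fails at the ACL step, before any LDAP MODify is attempted.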

http.log

[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug: WCAP: search_calprops command called.
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[0] = id=vb+hlYD/wrw
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[1] = search-string=alice
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[2] = primaryOwner=1
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[3] = calid=1
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[4] = name=1
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[5] = moreinfo=1
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[6] = fmt-out=text/json
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[7] = dojo.preventCache=1287398290481

[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug: WCAP: subscribe_calendars command called.
[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug:        argv[0] = id=vb+hlYD/wrw
[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug:        argv[1] = calid=alice@domain.tld
[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug:        argv[2] = fmt-out=text/json
[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug:        argv[3] = dojo.preventCache=1287398396328
  

Next, look at the Directory Server side to understand how the MODify request is handled.

Working example:

[18/Oct/2010:12:39:56 +0200] conn=6 op=170 msgId=171 - MOD dn="uid=bob,ou=People,o=domain.tld,o=isp"
[18/Oct/2010:12:39:56 +0200] conn=6 op=170 msgId=171 - RESULT err=0 tag=103 nentries=0 etime=0

Not working example:

[13/Oct/2010:11:24:07 +0200] conn=9 op=75 msgId=76 - MOD dn="uid=bob,ou=People,o=domain.tld,o=isp"
[13/Oct/2010:11:24:07 +0200] conn=9 op=75 msgId=76 - RESULT err=50 tag=103 nentries=0 etime=0, Insufficient 'write' privilege to the 'preferredLanguage' attribute of entry 'uid=bob,ou=people,o=domain.tld,o=isp'.
  

The access log lines above do not show WHO is trying to MODify the user entry. If you scroll back in the access log you may find the BIND request for 'conn=9' (the connection number); you then need to check whether this user has write access to the LDAP entry mentioned.

For Calendar Server 6.3 the BIND is done by the user specified in ics.conf on the Calendar Server side as local.authldapbinddn. If you take a look at the Directory Server ACI you will not find this specific user; what you will find is a Calendar End User Administrators Group.

NOTE: To search/list the LDAP ACI do:

ldapsearch -D "cn=Directory Manager" -w <password> -b o=isp "aci=*" aci

aci: (target="ldap:///o=isp")(targetattr="objectclass || cn || givenname || sn
  || mail || mailalternateaddress || preferredlanguage || sunUCDateFormat ||
 sunUCDateDeLimiter || sunUCTimeFormat || icsAllowedServiceAccess || icsCalen
 dar || icsCalendarOwned || icsDefaultSet || icsDWPHost || icsExtended || ics
 ExtendedUserPrefs || icsFirstDay || icsFreeBusy || icsGeo || icsPartition ||
  icsPreferredHost || icsQuota || icsSet || icsStatus || icsSubscribed || ics
 Timezone ")(version 3.0; acl "Calendar Server End User Administrator Write A
 ccess Rights - product=ics,class=installer,num=101,version=1"; allow (all) g
 roupdn="ldap:///cn=Calendar End User Administrators Group, ou=Groups, o=isp"
 ;)

And now the 'local.authldapbinddn' User needs to be a 'uniqueMember' of exactly this Group.

dn: cn=Calendar End User Administrators Group,ou=Groups,o=isp
objectClass: top
objectClass: groupOfUniqueNames
objectClass: iplanet-am-managed-static-group
objectClass: iplanet-am-managed-group
cn: Calendar End User Administrators Group
uniqueMember: uid=calmaster, ou=People, o=domain.tld,o=isp
uniqueMember: uid=cal-admin-host.domain.tld-200909301402,ou=People,o=domain.tld,o=isp

In the non-working example above the 'local.authldapbinddn' user was not a member of the admin group, and therefore the MODify request failed.
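The "scroll back to the BIND for conn=9, then check group membership" steps can be automated. The following Python code is an added example, not part of the original post or of Directory Server. The BIND line and its DN (uid=calbind) are constructed for illustration; the MOD and RESULT lines follow the failing example above, and the DN normalisation is deliberately naive (no escaped commas).

```python
import re

# Constructed sample: the BIND line and its DN are hypothetical; the MOD and
# RESULT lines follow the failing example in the post.
ACCESS_LOG = '''\
[13/Oct/2010:11:20:02 +0200] conn=9 op=0 msgId=1 - BIND dn="uid=calbind,ou=People,o=domain.tld,o=isp" method=128 version=3
[13/Oct/2010:11:20:02 +0200] conn=9 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[13/Oct/2010:11:24:07 +0200] conn=9 op=75 msgId=76 - MOD dn="uid=bob,ou=People,o=domain.tld,o=isp"
[13/Oct/2010:11:24:07 +0200] conn=9 op=75 msgId=76 - RESULT err=50 tag=103 nentries=0 etime=0
'''.splitlines()

# uniqueMember values of the admin group as listed in the post.
GROUP_MEMBERS = [
    "uid=calmaster, ou=People, o=domain.tld,o=isp",
    "uid=cal-admin-host.domain.tld-200909301402,ou=People,o=domain.tld,o=isp",
]

LINE = re.compile(r"^\[[^\]]+\] conn=(\d+) op=(\d+) msgId=\d+ - (\w+)(.*)$")
DN = re.compile(r'dn="([^"]*)"')
ERR = re.compile(r"\berr=(\d+)")

def norm_dn(dn):
    """Naive DN normalisation: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def failed_mods(lines, group_members):
    """Return one finding per MOD whose RESULT has err != 0."""
    members = {norm_dn(m) for m in group_members}
    bound_as, pending, findings = {}, {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        conn, op, verb, rest = m.groups()
        dn = DN.search(rest)
        if verb == "BIND" and dn:
            bound_as[conn] = dn.group(1)       # remember who owns the connection
        elif verb == "MOD" and dn:
            pending[(conn, op)] = dn.group(1)  # wait for the matching RESULT
        elif verb == "RESULT" and (conn, op) in pending:
            target, err = pending.pop((conn, op)), ERR.search(rest)
            if err and err.group(1) != "0":
                who = bound_as.get(conn, "<BIND not in this log>")
                findings.append({"conn": conn, "err": int(err.group(1)),
                                 "target": target, "bound_as": who,
                                 "in_admin_group": norm_dn(who) in members})
    return findings

if __name__ == "__main__":
    for finding in failed_mods(ACCESS_LOG, GROUP_MEMBERS):
        print(finding)
```

A finding with err 50 and in_admin_group False matches the situation described above: the bind DN is missing from the Calendar End User Administrators Group.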

Tuesday Oct 27, 2009

Update Mac iCal with Sun Java System Calendar Server events

Export and import is an easy way to get your Mac iCal up to date. But doing it manually is boring, therefore I thought it would be nice to have this scripted, but unfortunately I was not able to create a working AppleScript for iCal; even the AppleScript recorder results in an empty AppleScript, don't ask me why.

My result so far is a small shell script which exports your calendar from the Calendar Server, saves it as export.ics and opens iCal with the exported file; you only have to click OK for the import.

Note: The script doesn't take care of hosted domains, but you might get an idea of what that needs to look like. In the script itself you need to set the server, username and password. It works for http and https.

#!/bin/sh

# Your calendar server
server="yourserver.domain.tld"

# username and password
user="dummyuser"
pass="mypassword"

# --insecure turns off TLS certificate verification; remove it when the
# server certificate is trusted by this machine.
curlopts='--silent --insecure'

# Open up a session with the calendar server.
# The password travels in the query string here, so it can end up in
# server access logs.
request="https://${server}/login.wcap?user=${user}&password=${pass}"
id=`curl $curlopts "${request}" | \
  grep SESSION-ID | head -1 | \
  sed -e "s/.*SESSION-ID:\([a-z,A-Z,0-9]*\).*/\1/"`
if [ -z "${id}" ]; then
  echo
  echo "Error: Could not get session id!"
  exit 1
fi
printf "\nSession ID: %s - OK\n" "${id}"
printf " - - - - - - - - - \n"

# export (no $curlopts here, so curl shows its progress meter)
request="https://${server}/export.wcap"
curl --data "id=${id}&calid=${user}&content-out=text/calendar" "${request}" > ./export.ics

printf "\n"
printf " - - - - - - - - - \n"

# logout
request="https://${server}/logout.wcap?id=${id}"
curl $curlopts "${request}"

# hand the exported file to iCal
open export.ics
  
The console output will look like this:
 
$ ./wcap-export.sh 

Session ID: fMLeoJtcMMw - OK
 - - - - - - - - - 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  222k  100  222k    0    53   304k     72 --:--:-- --:--:-- --:--:--  381k

 - - - - - - - - - 
BEGIN:VCALENDAR
PRODID:-//Sun/Calendar Server//EN
METHOD:PUBLISH
VERSION:2.0
X-NSCP-WCAP-ERRNO:-1
END:VCALENDAR
  


Note: If you want to go the other way and update the Sun Java Calendar Server from iCal, then jCalendarCopy might be a solution for you.

About

Andreas Breuer - TSC Engineer - writes about his life in support.
