Calendar 6.3 Subscribe Internals

In this blog post I'll explain how calendar subscribe works in Calendar Server 6.3 and where to look when it goes wrong.

Calendar subscribe consists of the following requests:

Bob              -> Calendar properties request for Alice's calendar  -> Calendar Server
Calendar Server  -> Result (read access)                               -> Bob
Bob              -> Calendar subscribe request for Alice's calendar    -> Calendar Server

Calendar Server  -> MODify request on Bob's LDAP entry                 -> Directory Server
Directory Server -> MODify result                                      -> Calendar Server

Calendar Server  -> Calendar subscribe result                          -> Bob


First we need to check the calendar user ACL. Alice's ACL can prevent Bob from reading her calendar, sending her invitations, or doing free/busy lookups. If no permission at all is granted to Bob, subscribe will not work.

The ACL can be checked on the Calendar Server side with the command line tool cscal -v list <user@domain.tld>:

bash-3.00# ./cscal -v list alice@domain.tld
alice@domain.tld: owner=alice@domain.tld status=enabled
 name=Bob User
 description=
 other owners=
 double book=yes
 aces=@@o\^a\^r\^g;@@o\^c\^wdeic\^g;@\^a\^rsf\^g;@\^c\^\^g;@\^p\^r\^g;@@o\^p\^rw\^g
 email=
 time zone=
 categories=
 character set=
 language code=en
 created=Oct 08, 2010 12:14:01 GMT
 last modified=Oct 08, 2010 12:14:36 GMT
 events last modified=Oct 08, 2010 12:14:01 GMT
 todos last modified=Oct 08, 2010 12:14:01 GMT
 deletelog last modified=Oct 08, 2010 12:14:01 GMT
 number of events=0
 number of tasks=0
 number of deleted events=0
 number of deleted tasks=0
 number of deleted recurring events=0
 number of deleted recurring tasks=0
  

Check whether read, invite or free/busy is allowed; if none of them is, Bob will not be able to subscribe to Alice's calendar. Each entry in the aces= line is one ACE of the form who^what^how^grant (cscal prints the caret separators escaped as \^). The meaning of the fields and letters is documented at http://docs.sun.com/source/816-6708-10/csag4.html#wp29425
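To make that check mechanical, here is a small evaluator for the aces= string. It is added here as an example and is not code from this post or from Calendar Server. It uses the ACE syntax who^what^how^grant from the documentation linked above; the meaning of the single letters and the rule that the first ACE in order which matches the user, covers the scope and lists the requested right decides (and that anything not granted is denied) are my reading of that document and should be treated as assumptions. The user ids and the deny ACE in the usage are made up.

```python
"""Evaluate a Calendar Server 6.3 calendar ACL (the aces= string printed by
cscal -v list) for a given user.

Added example; not code from the original post or from Calendar Server.
Assumptions: the letter meanings in RIGHTS below, and that the first ACE
which matches the user, covers the scope and lists the right decides.
"""

# "how" letters as I read the Calendar Server docs (assumption)
RIGHTS = {"r": "read", "w": "write", "d": "delete", "e": "reply",
          "i": "invite", "c": "cancel", "s": "schedule", "f": "free/busy"}

# Alice's ACL exactly as cscal printed it above (carets escaped as \^)
ACL_FROM_CSCAL = r"@@o\^a\^r\^g;@@o\^c\^wdeic\^g;@\^a\^rsf\^g;@\^c\^\^g;@\^p\^r\^g;@@o\^p\^rw\^g"


def parse_aces(aces):
    """Split an aces= string into ordered (who, what, how, grant) tuples."""
    entries = []
    for raw in aces.replace("\\^", "^").split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split("^")
        if len(parts) != 4 or parts[1] not in ("a", "c", "p") or parts[3] not in ("g", "d"):
            raise ValueError("malformed ACE: %r" % raw)
        who, what, how, grant = parts
        if set(how) - set(RIGHTS):
            raise ValueError("unknown right in ACE: %r" % raw)
        entries.append((who, what, frozenset(how), grant))
    return entries


def who_matches(who, user, is_owner):
    """@ = everyone, @@o = the calendar owner, otherwise a user/calendar id.
    Other @@ selectors are not modelled in this example."""
    if who == "@":
        return True
    if who == "@@o":
        return is_owner
    if who.startswith("@"):
        return False
    return who.lower() == user.lower()


def is_allowed(aces, user, is_owner, right, scope="c"):
    """scope 'c' = components (events/todos), 'p' = calendar properties;
    an ACE with what='a' covers both.  First matching ACE that lists the
    right decides; no match means denied (assumption)."""
    for who, what, how, grant in aces:
        if not who_matches(who, user, is_owner):
            continue
        if what not in ("a", scope):
            continue
        if right in how:
            return grant == "g"
    return False


def subscribe_check(aces_string, user, owner):
    """The three rights the post says to look at before a subscribe."""
    aces = parse_aces(aces_string)
    is_owner = user.lower() == owner.lower()
    return {RIGHTS[r]: is_allowed(aces, user, is_owner, r) for r in "rif"}


if __name__ == "__main__":
    for user in ("bob@domain.tld", "alice@domain.tld"):
        print(user, subscribe_check(ACL_FROM_CSCAL, user, "alice@domain.tld"))
    # an explicit deny placed first wins over the later grant to '@'
    print("bob (deny first)", subscribe_check("bob@domain.tld^a^r^d;" + ACL_FROM_CSCAL,
                                              "bob@domain.tld", "alice@domain.tld"))
```

With Alice's ACL as printed above, bob gets read and free/busy but not invite, while alice as owner gets all three. Prepending bob@domain.tld^a^r^d takes read away from bob again, which is why the order of the ACEs matters when you read the aces= line.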

If the ACL is correct, so that sharing of Alice's calendar is allowed, the http.log of Calendar Server looks like this (debug mode, ics.conf logfile.loglevel = "Debug"):

http.log

[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug: WCAP: search_calprops command called.
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[0] = id=vb+hlYD/wrw
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[1] = search-string=alice
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[2] = primaryOwner=1
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[3] = calid=1
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[4] = name=1
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[5] = moreinfo=1
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[6] = fmt-out=text/json
[18/Oct/2010:12:38:10 +0200] funky cshttpd[1312]: General Debug:        argv[7] = dojo.preventCache=1287398290481

[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug: WCAP: subscribe_calendars command called.
[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug:        argv[0] = id=vb+hlYD/wrw
[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug:        argv[1] = calid=alice@domain.tld
[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug:        argv[2] = fmt-out=text/json
[18/Oct/2010:12:39:56 +0200] funky cshttpd[1312]: General Debug:        argv[3] = dojo.preventCache=1287398396328
  

Now look at the Directory Server side to see how the MODify request went. From the Directory Server access log:

Working example:

[18/Oct/2010:12:39:56 +0200] conn=6 op=170 msgId=171 - MOD dn="uid=bob,ou=People,o=domain.tld,o=isp"
[18/Oct/2010:12:39:56 +0200] conn=6 op=170 msgId=171 - RESULT err=0 tag=103 nentries=0 etime=0

Non-working example:

[13/Oct/2010:11:24:07 +0200] conn=9 op=75 msgId=76 - MOD dn="uid=bob,ou=People,o=domain.tld,o=isp"
[13/Oct/2010:11:24:07 +0200] conn=9 op=75 msgId=76 - RESULT err=50 tag=103 nentries=0 etime=0, Insufficient 'write' privilege to the 'preferredLanguage' attribute of entry 'uid=bob,ou=people,o=domain.tld,o=isp'.
  

err=50 is LDAP insufficientAccessRights. The access log lines above do not show WHO tried to MODify the user entry. Scroll back in the access log to find the BIND request for the same connection number ('conn=9') and check whether that bind identity has write access to the entry in question. Connection numbers start again at 0 when the Directory Server restarts, so make sure the BIND you find belongs to the same server run.
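The following script does that correlation over access log text; it is added here as an example and is not from the post. It remembers the last successful BIND per conn and attributes every MOD RESULT to it. The MOD/RESULT lines are the ones shown in this post; the BIND lines and the bind DN uid=calbind are constructed for the example, and the conn=6 MOD deliberately has no BIND in the excerpt to show how that case is reported.

```python
"""Attribute MOD results in a Sun Directory Server access log to the BIND
that authenticated the connection.

Added example, not from the original post.  The MOD/RESULT lines are the
ones shown above; the BIND lines and the DN uid=calbind are constructed.
"""
import re

SAMPLE_ACCESS_LOG = """\
[13/Oct/2010:11:24:05 +0200] conn=9 op=0 msgId=1 - BIND dn="uid=calbind,ou=People,o=domain.tld,o=isp" method=128 version=3
[13/Oct/2010:11:24:05 +0200] conn=9 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[13/Oct/2010:11:24:07 +0200] conn=9 op=75 msgId=76 - MOD dn="uid=bob,ou=People,o=domain.tld,o=isp"
[13/Oct/2010:11:24:07 +0200] conn=9 op=75 msgId=76 - RESULT err=50 tag=103 nentries=0 etime=0, Insufficient 'write' privilege to the 'preferredLanguage' attribute of entry 'uid=bob,ou=people,o=domain.tld,o=isp'.
[18/Oct/2010:12:39:56 +0200] conn=6 op=170 msgId=171 - MOD dn="uid=bob,ou=People,o=domain.tld,o=isp"
[18/Oct/2010:12:39:56 +0200] conn=6 op=170 msgId=171 - RESULT err=0 tag=103 nentries=0 etime=0
"""

OP_LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) msgId=\d+ - (?P<body>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
MOD_RE = re.compile(r'^MOD dn="(?P<dn>[^"]*)"')
# tag=97 is a bind response, tag=103 a modify response; the text after
# etime (if any) is the server's diagnostic message
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=\d+ etime=[\d.]+(?P<detail>.*)$')

ERR_INSUFFICIENT_ACCESS = 50


def mod_results(log_text):
    """One dict per completed MOD, in log order, with the DN the connection
    was bound as at that time: a DN, "" for anonymous, or None when the
    BIND is not in the excerpt.  conn numbers restart at 0 on a server
    restart, so only feed lines from a single server run."""
    bound_as = {}        # conn -> dn of the last completed BIND
    pending_bind = {}    # (conn, op) -> dn, until its RESULT is seen
    pending_mod = {}     # (conn, op) -> target dn
    results = []
    for line in log_text.splitlines():
        m = OP_LINE.match(line)
        if not m:
            continue   # connection open/close lines etc.
        conn, op, body = m.group("conn"), m.group("op"), m.group("body")
        b = BIND_RE.match(body)
        if b:
            pending_bind[(conn, op)] = b.group("dn")
            continue
        mod = MOD_RE.match(body)
        if mod:
            pending_mod[(conn, op)] = mod.group("dn")
            continue
        r = RESULT_RE.match(body)
        if not r:
            continue
        err = int(r.group("err"))
        if (conn, op) in pending_bind:
            dn = pending_bind.pop((conn, op))
            # a failed BIND leaves the connection anonymous (RFC 4511 4.2.1)
            bound_as[conn] = dn if err == 0 else ""
        elif (conn, op) in pending_mod:
            results.append({
                "time": m.group("ts"),
                "conn": conn,
                "target": pending_mod.pop((conn, op)),
                "bound_as": bound_as.get(conn),
                "err": err,
                "detail": r.group("detail").lstrip(", ").strip(),
            })
    return results


def failed_mods(log_text):
    return [x for x in mod_results(log_text) if x["err"] != 0]


if __name__ == "__main__":
    for x in failed_mods(SAMPLE_ACCESS_LOG):
        who = {None: "<BIND not in this excerpt>", "": "anonymous"}.get(x["bound_as"], x["bound_as"])
        print("%s conn=%s MOD %s as %s failed err=%d: %s"
              % (x["time"], x["conn"], x["target"], who, x["err"], x["detail"]))
```

Run it against a slice of the real access log that starts at or before the Calendar Server's connection; if the BIND is older than the slice, the report says so rather than guessing.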

For Calendar Server 6.3 the BIND is done as the user configured in ics.conf on the Calendar Server side as local.authldapbinddn. If you look at the Directory Server ACIs you will not find this specific user; what you will find is a Calendar End User Administrators Group.

NOTE: To list the ACIs in the directory do (a password given with -w is visible to other users on the host in the process list, so prefer a password-file option if your ldapsearch has one):

ldapsearch -D "cn=Directory Manager" -w <password> -b o=isp "(aci=*)" aci

aci: (target="ldap:///o=isp")
 (targetattr="objectclass || cn || givenname || sn || mail || mailalternateaddress
  || preferredlanguage || sunUCDateFormat || sunUCDateDeLimiter || sunUCTimeFormat
  || icsAllowedServiceAccess || icsCalendar || icsCalendarOwned || icsDefaultSet
  || icsDWPHost || icsExtended || icsExtendedUserPrefs || icsFirstDay || icsFreeBusy
  || icsGeo || icsPartition || icsPreferredHost || icsQuota || icsSet || icsStatus
  || icsSubscribed || icsTimezone ")
 (version 3.0; acl "Calendar Server End User Administrator Write Access Rights
  - product=ics,class=installer,num=101,version=1";
  allow (all) groupdn="ldap:///cn=Calendar End User Administrators Group, ou=Groups, o=isp";)

This ACI grants all rights on the listed attributes (among them preferredLanguage, the attribute the failing MOD above was rejected on, and icsSubscribed) to members of that group and to nobody else by name. So the 'local.authldapbinddn' user needs to be a 'uniqueMember' of exactly this group:

dn: cn=Calendar End User Administrators Group,ou=Groups,o=isp
objectClass: top
objectClass: groupOfUniqueNames
objectClass: iplanet-am-managed-static-group
objectClass: iplanet-am-managed-group
cn: Calendar End User Administrators Group
uniqueMember: uid=calmaster, ou=People, o=domain.tld,o=isp
uniqueMember: uid=cal-admin-host.domain.tld-200909301402,ou=People,o=domain.tld,o=isp

In the non-working example above the 'local.authldapbinddn' user was not a member of this group, and therefore the MODify request failed with err=50.
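The membership check is easy to get wrong with a plain grep, because the first uniqueMember in the group above is written with spaces after the commas. Directory Server compares DNs in normalized form, so the ACI does not care, but a byte-for-byte comparison of the ics.conf value against the LDIF would miss it. The script below, added here as an example and not from the post, reads local.authldapbinddn from an ics.conf fragment, reads the uniqueMember values from the group entry, and compares normalized DNs. The group entry is the one shown above; the two ics.conf lines and the DN uid=calbind are constructed for the example.

```python
"""Check that the DN Calendar Server binds with (local.authldapbinddn in
ics.conf) is a uniqueMember of the group the ACI grants write access to.

Added example, not from the original post.  The group entry is the one
shown above; the ics.conf fragments and uid=calbind are constructed.
"""
import re

GROUP_LDIF = """\
dn: cn=Calendar End User Administrators Group,ou=Groups,o=isp
objectClass: top
objectClass: groupOfUniqueNames
objectClass: iplanet-am-managed-static-group
objectClass: iplanet-am-managed-group
cn: Calendar End User Administrators Group
uniqueMember: uid=calmaster, ou=People, o=domain.tld,o=isp
uniqueMember: uid=cal-admin-host.domain.tld-200909301402,ou=People,o=domain.tld,o=isp
"""

# constructed ics.conf fragments; ics.conf comment lines start with '!'
ICS_CONF_GOOD = '''! bind DN used by Calendar Server for LDAP authentication and preference writes
local.authldapbinddn = "uid=calmaster,ou=People,o=domain.tld,o=isp"
'''
ICS_CONF_BAD = '''local.authldapbinddn = "uid=calbind,ou=People,o=domain.tld,o=isp"
'''


def normalize_dn(dn):
    """Minimal DN normalization: lower-case, no whitespace around ',' and '='.
    Enough for the DNs on this page; escaped commas and multi-valued RDNs
    (RFC 4514) are not handled."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def ics_conf_value(conf_text, key):
    """Return the unquoted value of key from ics.conf text, or None."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r'^([\w.]+)\s*=\s*"?(.*?)"?\s*$', line)
        if m and m.group(1) == key:
            return m.group(2)
    return None


def ldif_values(ldif_text, attr):
    """Values of attr in a single-entry LDIF text, folded lines unfolded.
    Base64 ('::') values are skipped; none occur in this entry."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    values = []
    for line in unfolded.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() == attr.lower() and not value.startswith(":"):
            values.append(value.strip())
    return values


def bind_dn_is_member(conf_text, group_ldif):
    """Return (bind_dn, is_member) for local.authldapbinddn against the group."""
    bind_dn = ics_conf_value(conf_text, "local.authldapbinddn")
    if bind_dn is None:
        raise ValueError("local.authldapbinddn not set in the ics.conf fragment")
    members = {normalize_dn(m) for m in ldif_values(group_ldif, "uniqueMember")}
    return bind_dn, normalize_dn(bind_dn) in members


if __name__ == "__main__":
    for conf in (ICS_CONF_GOOD, ICS_CONF_BAD):
        dn, ok = bind_dn_is_member(conf, GROUP_LDIF)
        print("%s -> %s" % (dn, "member" if ok else "NOT a member, MODs on user entries will fail with err=50"))
```

To run it against a live system, fetch the group entry with ldapsearch -D "cn=Directory Manager" -w <password> -b "cn=Calendar End User Administrators Group,ou=Groups,o=isp" -s base uniqueMember and pass that output as the LDIF text together with the local.authldapbinddn line from ics.conf.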

About

Andreas Breuer - TSC Engineer - writes about his life in support.
