calendar server for Debian
==========================

Basic Setup
===========
Since calendarserver uses extended attributes, you must mount the filesystem
that contains the calendars (/var/spool/caldavd by default) with extended
attributes enabled. On ext2/ext3 filesystems use the user_xattr mount option;
XFS has extended attributes enabled by default.

You have to add a /etc/caldavd/accounts.xml to tell caldavd about your accounts
and users. See /usr/share/doc/calendarserver/examples/accounts.xml for an
example. Likewise you have to add a /etc/caldavd/sudoers.plist. Both files have
to be present, otherwise the calendarserver will not work.

By default calendarserver listens on localhost only so the URI to your caldav
calendar will typically look like:

    http://localhost:8008/calendars/users//calendar/

where is the username of a calendarserver user as specified in accounts.xml.
And for groups defined in accounts.xml it's:

    http://localhost:8008/calendars/groups//calendar/

Loadbalancing
=============
In order to enable load balancing across different processors/cores you need
to install python-pydirector and set the ProcessCount in
/etc/caldavd/caldavd.plist accordingly.

Enabling SPNEGO/Kerberos
========================
To make SPNEGO/Kerberos authentication work you have to add service principals
for HTTP/caldavd.example.com@EXAMPLE.COM and
http/caldavd.example.com@EXAMPLE.COM to your server's keytab /etc/krb5.keytab
(replace caldavd.example.com with the FQDN of your caldav server and
EXAMPLE.COM with your Kerberos realm). The uppercase HTTP variant is used by
most clients like iceowl and icedove with iceowl-extension, while the lowercase
version is used by iCal.

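Added example (not part of the original README or of calendarserver): a shell check that the keytab lists both service principals named above and carries the group and mode that the chgrp/chmod step of this section sets. It assumes MIT Kerberos `klist -k` output; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the keytab prerequisites of the SPNEGO/Kerberos setup.
# Function names are illustrative, not part of calendarserver.

# Read `klist -k` output on stdin and print every required service principal
# that is missing. $1 = server FQDN, $2 = Kerberos realm.
missing_principals() {
    listing=$(cat)
    for svc in HTTP http; do            # both case variants are needed
        want="$svc/$1@$2"
        printf '%s\n' "$listing" |
            awk -v p="$want" '$2 == p { found = 1 } END { exit !found }' ||
            printf '%s\n' "$want"
    done
}

# Succeed only if file $1 has mode 0640 and belongs to group $2.
keytab_perms_ok() {
    ls -ld "$1" 2>/dev/null |
        awk -v g="$2" '{ ok = (substr($1, 1, 10) == "-rw-r-----" && $4 == g) }
                       END { exit !ok }'
}

# Constructed sample of `klist -k /etc/krb5.keytab` output in which only the
# uppercase principal has been added.
SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 HTTP/caldavd.example.com@EXAMPLE.COM'

printf '%s\n' "$SAMPLE" | missing_principals caldavd.example.com EXAMPLE.COM

# On a real server (needs read access to the keytab):
#   klist -k /etc/krb5.keytab | missing_principals caldavd.example.com EXAMPLE.COM
#   keytab_perms_ok /etc/krb5.keytab caldavd || echo "fix group/mode of keytab"
```
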
The keytab must be readable by the user caldavd, which can be achieved by:

    chgrp caldavd /etc/krb5.keytab
    chmod 0640 /etc/krb5.keytab

Now you have to specify the name of a ServicePrincipal in
/etc/caldavd/caldavd.plist:

    Kerberos Enabled ServicePrincipal http/caldavd.example.com@EXAMPLE.COM

Note: if you use iceowl/iceowl-extension, the
network.negotiate-auth.trusted-uris setting in iceowl/icedove must match your
calendarserver's URI, otherwise SPNEGO will not work. A good choice is
"https://".

Nameservice Switch Backend
==========================
If you don't want to manage accounts in a separate XML file you can use the
name service switch backend. Details on how to set this up can be found at:

    http://honk.sigxcpu.org/con/Apple_Calendarser_with_Name_Service_Switch_directory_backend.html

Note that in order to function properly "getent passwd" must list all users
that should be able to access the calendarserver. This might not be the case if
you hit the search limit of your LDAP server. Also note that the username and
groupname (without the prefix) shouldn't be the same, otherwise calendarserver
might get confused.

PAM authentication is supported. The PAM service name is "caldav". Basic
Authentication should be enabled and Digest Authentication should be disabled
for PAM authentication to work. It is suggested to use PAM authentication in
conjunction with SSL (https) so that the password is not sent in plain text.
For PAM authentication against local unix passwords, the user "caldavd" should
be added to the "shadow" group.

 -- Guido Guenther Thu, 30 Apr 2008 16:17:56 +0100

LDAP Directory Backend
======================
Details of the LDAP Directory backend can be found at:

    http://trac.calendarserver.org/ticket/260

Possible authentication methods are "LDAP" (default) and "PAM". The PAM service
name is "caldav". For PAM/LDAP authentication, Basic Authentication should be
enabled and Digest Authentication should be disabled (as shown below).
It is suggested to use PAM/LDAP authentication in conjunction with SSL (https)
so that the password is not sent in plain text. For PAM authentication against
local unix passwords, the user "caldavd" should be added to the "shadow" group.

    Basic Enabled Digest Enabled Algorithm md5 Qop

For LDAP anonymous binding, the dn and password entries should be present in
the configuration file but their values should be empty.

 -- Rahul Amaram Tue, 24 Aug 2010 22:05:00 +0530