Cyrus,
That makes sense (I've done enough ACL's to at least get the
principle). It would be nice to find a tutorial with, or without, the
GUI.
On Apr 2, 2008, at 6:31 PM, Cyrus Daboo wrote:
Hi Scott,
--On April 2, 2008 5:50:14 PM -0700 Scott Buchanan
<[EMAIL PROTECTED]> wrote:
I've installed the CS on a Tiger server and everything is working. I
want to use the calendars for the groups (our SW group for example)
and
this works fine BUT I don't want individuals of the group to be
able to
delete the entire calendar which is very easy to do by mistake from
iCal
for example. They need to be able to add and edit events, but not
the
whole calendar.
The only way I can see to do this is to somehow edit the acl for the
.../swgroup/calendar/ directory so that it can not be deleted but
I'm
not enough of an expert on ACL's in general, and DAV acls in
particular.
Ok, this is one of the more complex parts of WebDAV ACLs.
Bottom line is you need to deny the DAV:unbind privilege on the
parent of the calendar. That will prevent the specified users from
deleting anything within that parent collection.
Something like this would work:
1. Start the shell:
./runshell.py --server=... --user=... --password=...
2. Navigate to the parent directory of the calendars you want to
"protect":
/ > cd /calendars/groups/testgroup
3. Run the ACL interactive mode:
/calendars/groups/testgroup > acl -i
4. Use the add command:
ACL > add
5. You will then get a list of existing privileges. You will
probably want to insert the the one to block deletes above all the
existing ones as the order of privileges counts when determining
access. So enter 1:
Add ACL before [1 - 7] or cancel [q]: 1
6. You will then get prompted for a "principal type". This
determines who the new privilege will apply to. In this case we want
it to apply to everyone in a specific group, so enter 1:
Select type: 1
7. You will then get prompted to enter the principal path, so enter
the path to the group you want to "block":
Enter principal path: /principals/groups/swgroup
8. In WebDAV you can have the privilege apply to the specified
principal or apply to all principals that do not match that
(invert). In this case we want the former so enter n:
Invert principal [y/n]: n
9. Next the prompt is for whether a privilege is being granted or
denied. In this case we want deny, so enter d:
Grant or Deny privileges [g/d]: d
10. Then the prompt will be list of all the privileges that can be
denied. In this case you want DAV:unbind so enter i:
Select multiple items: i
11. At that point the shell tool should write out the new
privileges. Use the list command to verify it is there. Then, as a
member of the group try to delete a calendar. Hopefully you won't be
able to!
As you can see there are a lot of steps involved in managing ACLs
and you do need to understand how the order and sets of privileges
and invert, grant/deny etc all work.
Of course one could write a GUI for this that would just give a set
of checkboxes to check off and it would look at lot easier than the
command line approach.
--
Cyrus Daboo
_______________________________________________
calendarserver-users mailing list
calendarserver-users@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo/calendarserver-users
