Hi again,
Any idea why the ACL doesn't change and why the error (Ignoring
error)? Also, is there any way with runshell.py to increase the
reporting?
thanks,
On Apr 2, 2008, at 7:44 PM, Scott Buchanan wrote:
OK,
I tried it and get the following, with no change to the ACLs
Add ACL before [1 - 6] or cancel [q]: 1
Principal Type:
1. Principal path
2. All
3. Authenticated
4. Unauthenticated
5. Property
Select type: 1
Enter principal path: /principals/groups/4dsvn
Invert principal [y/n]: n
Grant or Deny privileges [g/d]: d
Privileges:
a. {DAV}read
b. {DAV}write
c. {DAV}write-properties
d. {DAV}write-content
e. {DAV}read-acl
f. {DAV}read-current-user-privilege-set
g. {DAV}write-acl
h. {DAV}bind
i. {DAV}unbind
j. {DAV}all
k. {CALDAV}read-free-busy
l. {CALDAV}schedule
q. quit without changes
Select multiple items: i
Ignoring error
ACL >
note that 4dsvn is the software group.
On Apr 2, 2008, at 6:44 PM, Scott Buchanan wrote:
Cyrus,
That makes sense (I've done enough ACL's to at least get the
principle). It would be nice to find a tutorial with, or without,
the GUI.
On Apr 2, 2008, at 6:31 PM, Cyrus Daboo wrote:
Hi Scott,
--On April 2, 2008 5:50:14 PM -0700 Scott Buchanan <[EMAIL PROTECTED]> wrote:
I've installed the CS on a Tiger server and everything is working. I want to use the calendars for the groups (our SW group for example) and this works fine BUT I don't want individuals of the group to be able to delete the entire calendar which is very easy to do by mistake from iCal for example. They need to be able to add and edit events, but not the whole calendar.
The only way I can see to do this is to somehow edit the acl for the .../swgroup/calendar/ directory so that it can not be deleted but I'm not enough of an expert on ACL's in general, and DAV acls in particular.
Ok, this is one of the more complex parts of WebDAV ACLs.
Bottom line is you need to deny the DAV:unbind privilege on the
parent of the calendar. That will prevent the specified users from
deleting anything within that parent collection.
Something like this would work:
1. Start the shell:
./runshell.py --server=... --user=... --password=...
2. Navigate to the parent directory of the calendars you want to
"protect":
/ > cd /calendars/groups/testgroup
3. Run the ACL interactive mode:
/calendars/groups/testgroup > acl -i
4. Use the add command:
ACL > add
5. You will then get a list of existing privileges. You will
probably want to insert the one to block deletes above all the
existing ones as the order of privileges counts when determining
access. So enter 1:
Add ACL before [1 - 7] or cancel [q]: 1
6. You will then get prompted for a "principal type". This
determines who the new privilege will apply to. In this case we
want it to apply to everyone in a specific group, so enter 1:
Select type: 1
7. You will then get prompted to enter the principal path, so
enter the path to the group you want to "block":
Enter principal path: /principals/groups/swgroup
8. In WebDAV you can have the privilege apply to the specified
principal or apply to all principals that do not match that
(invert). In this case we want the former so enter n:
Invert principal [y/n]: n
9. Next the prompt is for whether a privilege is being granted or
denied. In this case we want deny, so enter d:
Grant or Deny privileges [g/d]: d
10. Then the prompt will be a list of all the privileges that can be
denied. In this case you want DAV:unbind so enter i:
Select multiple items: i
11. At that point the shell tool should write out the new
privileges. Use the list command to verify it is there. Then, as a
member of the group try to delete a calendar. Hopefully you won't
be able to!
As you can see there are a lot of steps involved in managing ACLs
and you do need to understand how the order and sets of privileges
and invert, grant/deny etc all work.
Of course one could write a GUI for this that would just give a
set of checkboxes to check off and it would look a lot easier
than the command line approach.
--
Cyrus Daboo
_______________________________________________
calendarserver-users mailing list
calendarserver-users@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo/calendarserver-users
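Added example, not part of the original thread and not code from runshell.py or Calendar Server: the ACL change walked through in steps 5 to 10 above, expressed as a WebDAV ACL (RFC 3744) element with the deny ACE for DAV:unbind inserted ahead of the existing entries. The sample ACL is constructed, the function names are hypothetical, and `decision` assumes a simplified model in which the first ACE naming the principal and the privilege (or DAV:all) decides.

```python
import xml.etree.ElementTree as ET

DAV = "DAV:"
ET.register_namespace("D", DAV)

def q(name):
    return "{%s}%s" % (DAV, name)

# Constructed sample: ACL currently on the parent collection (one grant ACE).
EXISTING_ACL = """<D:acl xmlns:D="DAV:">
  <D:ace>
    <D:principal><D:href>/principals/groups/swgroup</D:href></D:principal>
    <D:grant><D:privilege><D:all/></D:privilege></D:grant>
  </D:ace>
</D:acl>"""

def make_ace(principal_href, action, privilege):
    """Build one ACE; action is 'grant' or 'deny', privilege e.g. 'unbind'."""
    ace = ET.Element(q("ace"))
    principal = ET.SubElement(ace, q("principal"))
    ET.SubElement(principal, q("href")).text = principal_href
    priv = ET.SubElement(ET.SubElement(ace, q(action)), q("privilege"))
    ET.SubElement(priv, q(privilege))
    return ace

def prepend_deny_unbind(acl_xml, group_href):
    """Return the ACL with a deny-unbind ACE inserted before all others."""
    acl = ET.fromstring(acl_xml)
    acl.insert(0, make_ace(group_href, "deny", "unbind"))
    return ET.tostring(acl, encoding="unicode")

def decision(acl_xml, principal_href, privilege):
    """Assumed model: first ACE naming principal and privilege (or all) wins."""
    for ace in ET.fromstring(acl_xml).findall(q("ace")):
        if ace.findtext(q("principal") + "/" + q("href")) != principal_href:
            continue
        for action in ("grant", "deny"):
            privs = ace.findall("%s/%s/*" % (q(action), q("privilege")))
            if any(p.tag in (q(privilege), q("all")) for p in privs):
                return action
    return "deny"  # nothing matched: no access

if __name__ == "__main__":
    new_acl = prepend_deny_unbind(EXISTING_ACL, "/principals/groups/swgroup")
    print(new_acl)
    print(decision(new_acl, "/principals/groups/swgroup", "unbind"))
```

Under this model the group keeps DAV:bind through the later grant ACE, so members can still add events while deletes within the parent collection are refused.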