Package: calendarserver Version: 3.2+dfsg-5 Severity: normal Dear Maintainer,
I've been experiencing with caldavd on a local PostgreSQL database, and found several issues that can be easily fixed or circumvented. I'm not really able to decide how much of that really should be fixed upstream. It can be for sure fixed by packaging or documentation. (postgresql-9.1, version 9.1.7-1 from wheezy, but that should really not matter) 1) Peer connection caldavd.plist extract: <!-- Database connection --> <key>UseDatabase</key> <true/> <key>DBType</key> <string>postgres</string> <key>DSN</key> <string>:caldavd:caldavd:::</string> It seems that the initial DB connection gets done while system user is still 'root'. Subsequent ones are done with 'caldavd'. Found a reference to it in upstream mailing list: http://lists.macosforge.org/pipermail/calendarserver-dev/2012-November/001564.html This can be circumvented by letting root perform peer connections as role 'caldavd' through pg_ident.conf 2) Database bootstrap The parameters of /usr/bin/calendarserver_bootstrap_database are entirely hardcoded to values that are wrong in the Debian setting Actual source is in /usr/lib/python2.7/dist-packages/calendarserver/tools/bootstrapdatabase.py Extract: CONNECTNAME = "_postgres" USERNAME = "caldav" DATABASENAME = "caldav" SCHEMAFILE = "/usr/share/caldavd/lib/python/txdav/common/datastore/sql_schema/current.sql" What this script does is simply create role & database, then load of the SCHEMAFILE SQL source file. On a Debian system, the default PostgreSQL superuser is 'postgres', and that file lies at /usr/lib/python2.7/dist-packages/txdav/common/datastore/sql_schema/current.sql With the Debian way of installing python packages means that it should not be hardcoded to that location either. I've been able to bootstrap my database by loading that file manually, calendarserver seems to work fine, but the bootstrap script seems to also be able to perform updates, so that it really should be fixed in some way. Thank you for your attention -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages calendarserver depends on: ii adduser 3.113+nmu3 ii libc6 2.13-37 ii lsb-base 4.1+Debian9 ii memcached 1.4.13-0.1 ii python 2.7.3-3 ii python-dateutil 1.5+dfsg-0.1 ii python-kerberos 1.1+svn4895-1+b2 ii python-openssl 0.13-2 ii python-plist 1.8-1 ii python-pycalendar 2.0~svn188-1 ii python-pygresql 1:4.0-3 ii python-pysqlite2 2.6.3-3 ii python-sqlparse 0.1.4-1 ii python-twisted-conch 1:12.0.0-1 ii python-twisted-core 12.0.0-1 ii python-twisted-mail 12.0.0-1 ii python-twisted-web 12.0.0-1 ii python-twisted-words 12.0.0-1 ii python-xattr 0.6.4-2 ii python-zope.interface 3.6.1-3 ii ssl-cert 1.0.32 Versions of packages calendarserver recommends: ii python-ldap 2.4.10-1 ii python-pam 0.4.2-13 calendarserver suggests no packages. -- Configuration Files: /etc/caldavd/accounts.xml changed: <?xml version="1.0" encoding="utf-8"?> <!-- Copyright (c) 2006-2010 Apple Inc. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <!DOCTYPE accounts SYSTEM "accounts.dtd"> <accounts realm="Test Realm"> <user> <uid>admin</uid> <guid>ADMIN</guid> <password>admin</password> <name>Super User</name> </user> <user> <uid>test</uid> <password>test</password> <name>Test User</name> </user> <group> <uid>users</uid> <password>users</password> <name>Users Group</name> <members> <member type="users">test</member> </members> </group> <location> <uid>mercury</uid> <password>mercury</password> <name>Mecury Conference Room, Building 1, 2nd Floor</name> </location> </accounts> /etc/caldavd/caldavd.plist changed: <?xml version="1.0" encoding="UTF-8"?> <!-- Copyright (c) 2006-2011 Apple Inc. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <!-- Public network address information This is the server's public network address, which is provided to clients in URLs and the like. It may or may not be the network address that the server is listening to directly, though it is by default. For example, it may be the address of a load balancer or proxy which forwards connections to the server. --> <!-- Network host name [empty = system host name] --> <key>ServerHostName</key> <string></string> <!-- The hostname clients use when connecting --> <!-- HTTP port [0 = disable HTTP] --> <key>HTTPPort</key> <integer>8008</integer> <!-- SSL port [0 = disable HTTPS] --> <!-- (Must also configure SSLCertificate and SSLPrivateKey below) --> <!-- <key>SSLPort</key> <integer>8443</integer> <key>EnableSSL</key> <true/> --> <!-- Redirect non-SSL ports to an SSL port (if configured for SSL) --> <key>RedirectHTTPToHTTPS</key> <false/> <!-- Network address configuration information This configures the actual network address that the server binds to. --> <!-- List of IP addresses to bind to [empty = all] --> <key>BindAddresses</key> <array> </array> <!-- List of port numbers to bind to for HTTP [empty = same as "Port"] --> <key>BindHTTPPorts</key> <array> </array> <!-- List of port numbers to bind to for SSL [empty = same as "SSLPort"] --> <key>BindSSLPorts</key> <array> </array> <!-- Data Store --> <!-- Server root --> <key>ServerRoot</key> <string>/var/lib/caldavd</string> <!-- Database connection --> <key>UseDatabase</key> <true/> <key>DBType</key> <string>postgres</string> <key>DSN</key> <string>:caldavd:caldavd:::</string> <!-- Data root --> <!-- key>DataRoot</key> <string>/var/lib/caldavd</string --> <!-- Document root --> <key>DocumentRoot</key> <string>/var/spool/caldavd</string> <!-- Configuration root --> <key>ConfigRoot</key> <string>/etc/caldavd</string> <!-- Run root --> <key>RunRoot</key> <string>/var/run/caldavd</string> <!-- Child aliases --> <key>Aliases</key> <dict> <!-- <key>foo</key> <dict> <key>path</key> <string>/path/to/foo</string> </dict> --> </dict> <!-- Quotas and limits --> <!-- User quota (in bytes) [0 = no quota] applies to attachments only --> <key>UserQuota</key> <integer>104857600</integer> <!-- 100Mb --> <!-- Maximum number of calendars/address books allowed in a home --> <!-- 0 for no limit --> <key>MaxCollectionsPerHome</key> <integer>50</integer> <!-- Maximum number of resources in a calendar/address book --> <!-- 0 for no limit --> <key>MaxResourcesPerCollection</key> <integer>10000</integer> <!-- Maximum resource size (in bytes) --> <key>MaxResourceSize</key> <integer>1048576</integer> <!-- 1Mb --> <!-- Maximum number of unique attendees per entire event --> <!-- 0 for no limit --> <key>MaxAttendeesPerInstance</key> <integer>100</integer> <!-- Maximum number of instances allowed during expansion --> <!-- 0 for no limit --> <key>MaxAllowedInstances</key> <integer>3000</integer> <!-- Maximum number of instances allowed for a single RRULE --> <!-- 0 for no limit --> <key>MaxInstancesForRRULE</key> <integer>400</integer> <!-- NSS Directory Service --> <!-- Groups starting with groupPrefix are considered calendarserver groups --> <!-- Don't treat user id's smaller than firstValidUid as calendarserver users --> <!-- Don't treat group id's smaller than firstValidGid as calendarserver groups --> <!-- use shortName@mailDomain as calender user mail addresses --> <!-- <key>DirectoryService</key> <dict> <key>type</key> <string>twistedcaldav.directory.nss.NssDirectoryService</string> <key>params</key> <dict> <key>realmName</key> <string>Test Realm</string> <key>groupPrefix</key> <string>caldavd-</string> <key>firstValidUid</key> <integer>1000</integer> <key>lastValidUid</key> <integer>65533</integer> <key>firstValidGid</key> <integer>1000</integer> <key>lastValidGid</key> <integer>65533</integer> <key>mailDomain</key> <string>example.com</string> <key>cacheTimeout</key> <integer>30</integer> </dict> </dict> --> <!-- Directory service A directory service provides information about principals (eg. users, groups, locations and resources) to the server. A variety of directory services are available for use. --> <!-- XML File Directory Service --> <key>DirectoryService</key> <dict> <key>type</key> <string>twistedcaldav.directory.xmlfile.XMLDirectoryService</string> <key>params</key> <dict> <key>xmlFile</key> <string>/etc/caldavd/accounts.xml</string> </dict> </dict> <!-- Open Directory Service (Mac OS X) --> <!-- <key>DirectoryService</key> <dict> <key>type</key> <string>twistedcaldav.directory.appleopendirectory.OpenDirectoryService</string> <key>params</key> <dict> <key>node</key> <string>/Search</string> <key>cacheTimeout</key> <integer>30</integer> </dict> </dict> --> <!-- OpenLDAP Directory Service --> <!-- <key>DirectoryService</key> <dict> <key>type</key> <string>twistedcaldav.directory.ldapdirectory.LdapDirectoryService</string> <key>params</key> <dict> <key>restrictEnabledRecords</key> <false/> <key>restrictToGroup</key> <string></string> <key>cacheTimeout</key> <integer>30</integer> <key>uri</key> <string>ldap://example.com/</string> <key>tls</key> <false/> <key>tlsCACertFile</key> <string></string> <key>tlsCACertDir</key> <string></string> <key>tlsRequireCert</key> <string>never</string> <key>credentials</key> <dict> <key>dn</key> <string></string> <key>password</key> <string></string> </dict> <key>authMethod</key> <string>LDAP</string> <key>rdnSchema</key> <dict> <key>base</key> <string>dc=example,dc=com</string> <key>guidAttr</key> <string>entryUUID</string> <key>users</key> <dict> <key>rdn</key> <string>ou=People</string> <key>attr</key> <string>uid</string> <key>emailSuffix</key> <string></string> <key>filter</key> <string></string> <key>loginEnabledAttr</key> <string></string> <key>loginEnabledValue</key> <string>yes</string> <key>mapping</key> <dict> <key>recordName</key> <string>uid</string> <key>fullName</key> <string>cn</string> <key>emailAddresses</key> <string>mail</string> <key>firstName</key> <string>givenName</string> <key>lastName</key> <string>sn</string> </dict> </dict> <key>groups</key> <dict> <key>rdn</key> <string>ou=Group</string> <key>attr</key> <string>cn</string> <key>emailSuffix</key> <string></string> <key>filter</key> <string></string> <key>mapping</key> <dict> <key>recordName</key> <string>cn</string> <key>fullName</key> <string>cn</string> <key>emailAddresses</key> <string>mail</string> <key>firstName</key> <string>givenName</string> <key>lastName</key> <string>sn</string> </dict> </dict> </dict> <key>groupSchema</key> <dict> <key>membersAttr</key> <string>member</string> <key>nestedGroupsAttr</key> <string></string> <key>memberIdAttr</key> <string></string> </dict> <key>resourceSchema</key> <dict> <key>resourceInfoAttr</key> <string></string> <key>autoScheduleAttr</key> <string></string> <key>autoScheduleEnabledValue</key> <string>yes</string> <key>proxyAttr</key> <string></string> <key>readOnlyProxyAttr</key> <string></string> </dict> </dict> </dict> --> <!-- Resource and Location Service --> <key>ResourceService</key> <dict> <key>Enabled</key> <true/> <key>type</key> <string>twistedcaldav.directory.xmlfile.XMLDirectoryService</string> <key>params</key> <dict> <key>xmlFile</key> <string>/etc/caldavd/resources.xml</string> </dict> </dict> <!-- Special principals These principals are granted special access and/or perform special roles on the server. --> <!-- Principals with "DAV:all" access (relative URLs) --> <key>AdminPrincipals</key> <array> <string>/principals/__uids__/ADMIN/</string> </array> <!-- Principals with "DAV:read" access (relative URLs) --> <key>ReadPrincipals</key> <array> <!-- <string>/principals/__uids__/983C8238-FB6B-4D92-9242-89C0A39E5F81/</string> --> </array> <!-- Create "proxy access" principals --> <key>EnableProxyPrincipals</key> <true/> <!-- Permissions --> <!-- Anonymous read access for root resource --> <key>EnableAnonymousReadRoot</key> <true/> <!-- Anonymous read access for resource hierarchy --> <key>EnableAnonymousReadNav</key> <false/> <!-- Enables directory listings for principals --> <key>EnablePrincipalListings</key> <false/> <!-- Render calendar collections as a monolithic iCalendar object --> <key>EnableMonolithicCalendars</key> <true/> <!-- Authentication --> <key>Authentication</key> <dict> <!-- Clear text; best avoided --> <key>Basic</key> <dict> <key>Enabled</key> <false/> </dict> <!-- Digest challenge/response --> <key>Digest</key> <dict> <key>Enabled</key> <true/> <key>Algorithm</key> <string>md5</string> <key>Qop</key> <string></string> </dict> <!-- Kerberos/SPNEGO --> <key>Kerberos</key> <dict> <key>Enabled</key> <true/> <key>ServicePrincipal</key> <string></string> </dict> </dict> <!-- Logging --> <!-- Log root --> <key>LogRoot</key> <string>/var/log/caldavd</string> <!-- Apache-style access log --> <key>AccessLogFile</key> <string>access.log</string> <key>RotateAccessLog</key> <true/> <!-- Server activity log --> <key>ErrorLogFile</key> <string>error.log</string> <!-- Log levels --> <key>DefaultLogLevel</key> <string>warn</string> <!-- debug, info, warn, error --> <!-- Global server stats --> <key>GlobalStatsSocket</key> <string>caldavd-stats.sock</string> <!-- Server process ID file --> <key>PIDFile</key> <string>caldavd.pid</string> <!-- SSL/TLS --> <!-- Public key --> <key>SSLCertificate</key> <string>/etc/ssl/certs/ssl-cert-snakeoil.pem</string> <!-- SSL authority chain (for intermediate certs) --> <key>SSLAuthorityChain</key> <string></string> <!-- Private key --> <key>SSLPrivateKey</key> <string>/etc/ssl/private/ssl-cert-snakeoil.key</string> <!-- Process management --> <key>UserName</key> <string>caldavd</string> <key>GroupName</key> <string>caldavd</string> <key>ProcessType</key> <string>Combined</string> <key>MultiProcess</key> <dict> <key>ProcessCount</key> <integer>0</integer> <!-- 0 = larger of: 4 or (2 * CPU count) --> </dict> <!-- Notifications --> <key>Notifications</key> <dict> <!-- Time spent coalescing notifications before delivery --> <key>CoalesceSeconds</key> <integer>3</integer> <key>Services</key> <dict> <key>XMPPNotifier</key> <dict> <!-- XMPP notification service --> <key>Service</key> <string>twistedcaldav.notify.XMPPNotifierService</string> <key>Enabled</key> <false/> <!-- XMPP host and port to contact --> <key>Host</key> <string>xmpp.host.name</string> <key>Port</key> <integer>5222</integer> <!-- Jabber ID and password for the server --> <key>JID</key> <string>j...@xmpp.host.name/resource</string> <key>Password</key> <string>password_goes_here</string> <!-- PubSub service address --> <key>ServiceAddress</key> <string>pubsub.xmpp.host.name</string> </dict> </dict> </dict> <!-- Server-to-server protocol --> <key>Scheduling</key> <dict> <!-- CalDAV protocol options --> <key>CalDAV</key> <dict> <key>EmailDomain</key> <string></string> <key>HTTPDomain</key> <string></string> <key>AddressPatterns</key> <array> </array> </dict> <!-- iSchedule protocol options --> <key>iSchedule</key> <dict> <key>Enabled</key> <false/> <key>AddressPatterns</key> <array> </array> <key>Servers</key> <string>/etc/caldavd/servertoserver.xml</string> </dict> <!-- iMIP protocol options --> <key>iMIP</key> <dict> <key>Enabled</key> <false/> <key>MailGatewayServer</key> <string>localhost</string> <key>MailGatewayPort</key> <integer>62310</integer> <key>Sending</key> <dict> <key>Server</key> <string></string> <key>Port</key> <integer>587</integer> <key>UseSSL</key> <true/> <key>Username</key> <string></string> <key>Password</key> <string></string> <key>Address</key> <string></string> <!-- Address email will be sent from --> </dict> <key>Receiving</key> <dict> <key>Server</key> <string></string> <key>Port</key> <integer>995</integer> <key>Type</key> <string></string> <!-- Either "pop" or "imap" --> <key>UseSSL</key> <true/> <key>Username</key> <string></string> <key>Password</key> <string></string> <key>PollingSeconds</key> <integer>30</integer> </dict> <key>AddressPatterns</key> <array> <string>mailto:.*</string> </array> </dict> </dict> <!-- Free-busy URL protocol --> <key>FreeBusyURL</key> <dict> <key>Enabled</key> <true/> <key>TimePeriod</key> <integer>14</integer> <key>AnonymousAccess</key> <false/> </dict> <!-- Non-standard CalDAV extensions --> <!-- Private Events --> <key>EnablePrivateEvents</key> <true/> <!-- Shared Calendars & Address Books --> <key>Sharing</key> <dict> <key>Enabled</key> <true/> </dict> <!-- Miscellaneous items --> <!-- Web-based administration --> <key>EnableWebAdmin</key> <true/> <!-- Memcached --> <key>Memcached</key> <dict> <key>Pools</key> <dict> <key>Default</key> <dict> <key>ServerEnabled</key> <false/> </dict> </dict> </dict> </dict> </plist> /etc/caldavd/sudoers.plist changed: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>users</key> <array> <!-- Sudo user definitions --> <!-- With the exception of username and password none of the following elements are used in the current implementation. --> <!-- <dict> <key>authorize-as</key> <dict> <key>allow</key> <true/> <key>principals</key> <array> <string>all</string> <string>/principals/user/wsanchez</string> </array> </dict> <key>authorize-from</key> <array> <string>127.0.0.1</string> </array> <key>username</key> <string>admin</string> <key>password</key> <string></string> </dict> --> <dict> <key>username</key> <string>superuser</string> <key>password</key> <string>superuser</string> </dict> </array> </dict> </plist> /etc/default/calendarserver changed: start_calendarserver=yes -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org