Package: calendarserver
Version: 3.2+dfsg-5
Severity: normal
Dear Maintainer,
I've been experiencing with caldavd on a local PostgreSQL database, and found
several issues that can be easily fixed or circumvented.
I'm not really able to decide how much of that really should be fixed upstream.
It can be for sure fixed by packaging or documentation.
(postgresql-9.1, version 9.1.7-1 from wheezy, but that should really not
matter)
1) Peer connection
caldavd.plist extract:
<!-- Database connection -->
<key>UseDatabase</key>
<true/>
<key>DBType</key>
<string>postgres</string>
<key>DSN</key>
<string>:caldavd:caldavd:::</string>
It seems that the initial DB connection gets done while system user is still
'root'. Subsequent ones are done with 'caldavd'. Found a reference to it in
upstream mailing list:
http://lists.macosforge.org/pipermail/calendarserver-dev/2012-November/001564.html
This can be circumvented by letting root perform peer connections as role
'caldavd' through pg_ident.conf
2) Database bootstrap
The parameters of /usr/bin/calendarserver_bootstrap_database are entirely
hardcoded to values that are wrong in the Debian setting
Actual source is in
/usr/lib/python2.7/dist-packages/calendarserver/tools/bootstrapdatabase.py
Extract:
CONNECTNAME = "_postgres"
USERNAME = "caldav"
DATABASENAME = "caldav"
SCHEMAFILE =
"/usr/share/caldavd/lib/python/txdav/common/datastore/sql_schema/current.sql"
What this script does is simply create role & database, then load of the
SCHEMAFILE SQL source file.
On a Debian system, the default PostgreSQL superuser is 'postgres', and that
file lies at
/usr/lib/python2.7/dist-packages/txdav/common/datastore/sql_schema/current.sql
With the Debian way of installing python packages means that it
should not be hardcoded to that location either.
I've been able to bootstrap my database by loading that file manually,
calendarserver seems to work fine, but the bootstrap script seems to also
be able to perform updates, so that it really should be fixed in some way.
Thank you for your attention
-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages calendarserver depends on:
ii adduser 3.113+nmu3
ii libc6 2.13-37
ii lsb-base 4.1+Debian9
ii memcached 1.4.13-0.1
ii python 2.7.3-3
ii python-dateutil 1.5+dfsg-0.1
ii python-kerberos 1.1+svn4895-1+b2
ii python-openssl 0.13-2
ii python-plist 1.8-1
ii python-pycalendar 2.0~svn188-1
ii python-pygresql 1:4.0-3
ii python-pysqlite2 2.6.3-3
ii python-sqlparse 0.1.4-1
ii python-twisted-conch 1:12.0.0-1
ii python-twisted-core 12.0.0-1
ii python-twisted-mail 12.0.0-1
ii python-twisted-web 12.0.0-1
ii python-twisted-words 12.0.0-1
ii python-xattr 0.6.4-2
ii python-zope.interface 3.6.1-3
ii ssl-cert 1.0.32
Versions of packages calendarserver recommends:
ii python-ldap 2.4.10-1
ii python-pam 0.4.2-13
calendarserver suggests no packages.
-- Configuration Files:
/etc/caldavd/accounts.xml changed:
<?xml version="1.0" encoding="utf-8"?>
<!--
Copyright (c) 2006-2010 Apple Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE accounts SYSTEM "accounts.dtd">
<accounts realm="Test Realm">
<user>
<uid>admin</uid>
<guid>ADMIN</guid>
<password>admin</password>
<name>Super User</name>
</user>
<user>
<uid>test</uid>
<password>test</password>
<name>Test User</name>
</user>
<group>
<uid>users</uid>
<password>users</password>
<name>Users Group</name>
<members>
<member type="users">test</member>
</members>
</group>
<location>
<uid>mercury</uid>
<password>mercury</password>
<name>Mecury Conference Room, Building 1, 2nd Floor</name>
</location>
</accounts>
/etc/caldavd/caldavd.plist changed:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2006-2011 Apple Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
<plist version="1.0">
<dict>
<!--
Public network address information
This is the server's public network address, which is provided to
clients in URLs and the like. It may or may not be the network
address that the server is listening to directly, though it is by
default. For example, it may be the address of a load balancer or
proxy which forwards connections to the server.
-->
<!-- Network host name [empty = system host name] -->
<key>ServerHostName</key>
<string></string> <!-- The hostname clients use when connecting -->
<!-- HTTP port [0 = disable HTTP] -->
<key>HTTPPort</key>
<integer>8008</integer>
<!-- SSL port [0 = disable HTTPS] -->
<!-- (Must also configure SSLCertificate and SSLPrivateKey below) -->
<!--
<key>SSLPort</key>
<integer>8443</integer>
<key>EnableSSL</key>
<true/>
-->
<!-- Redirect non-SSL ports to an SSL port (if configured for SSL) -->
<key>RedirectHTTPToHTTPS</key>
<false/>
<!--
Network address configuration information
This configures the actual network address that the server binds to.
-->
<!-- List of IP addresses to bind to [empty = all] -->
<key>BindAddresses</key>
<array>
</array>
<!-- List of port numbers to bind to for HTTP [empty = same as "Port"] -->
<key>BindHTTPPorts</key>
<array>
</array>
<!-- List of port numbers to bind to for SSL [empty = same as "SSLPort"] -->
<key>BindSSLPorts</key>
<array>
</array>
<!--
Data Store
-->
<!-- Server root -->
<key>ServerRoot</key>
<string>/var/lib/caldavd</string>
<!-- Database connection -->
<key>UseDatabase</key>
<true/>
<key>DBType</key>
<string>postgres</string>
<key>DSN</key>
<string>:caldavd:caldavd:::</string>
<!-- Data root -->
<!-- key>DataRoot</key>
<string>/var/lib/caldavd</string -->
<!-- Document root -->
<key>DocumentRoot</key>
<string>/var/spool/caldavd</string>
<!-- Configuration root -->
<key>ConfigRoot</key>
<string>/etc/caldavd</string>
<!-- Run root -->
<key>RunRoot</key>
<string>/var/run/caldavd</string>
<!-- Child aliases -->
<key>Aliases</key>
<dict>
<!--
<key>foo</key>
<dict>
<key>path</key>
<string>/path/to/foo</string>
</dict>
-->
</dict>
<!--
Quotas and limits
-->
<!-- User quota (in bytes) [0 = no quota] applies to attachments only -->
<key>UserQuota</key>
<integer>104857600</integer> <!-- 100Mb -->
<!-- Maximum number of calendars/address books allowed in a home -->
<!-- 0 for no limit -->
<key>MaxCollectionsPerHome</key>
<integer>50</integer>
<!-- Maximum number of resources in a calendar/address book -->
<!-- 0 for no limit -->
<key>MaxResourcesPerCollection</key>
<integer>10000</integer>
<!-- Maximum resource size (in bytes) -->
<key>MaxResourceSize</key>
<integer>1048576</integer> <!-- 1Mb -->
<!-- Maximum number of unique attendees per entire event -->
<!-- 0 for no limit -->
<key>MaxAttendeesPerInstance</key>
<integer>100</integer>
<!-- Maximum number of instances allowed during expansion -->
<!-- 0 for no limit -->
<key>MaxAllowedInstances</key>
<integer>3000</integer>
<!-- Maximum number of instances allowed for a single RRULE -->
<!-- 0 for no limit -->
<key>MaxInstancesForRRULE</key>
<integer>400</integer>
<!-- NSS Directory Service -->
<!-- Groups starting with groupPrefix are considered calendarserver groups
-->
<!-- Don't treat user id's smaller than firstValidUid as calendarserver
users -->
<!-- Don't treat group id's smaller than firstValidGid as calendarserver
groups -->
<!-- use shortName@mailDomain as calender user mail addresses -->
<!--
<key>DirectoryService</key>
<dict>
<key>type</key>
<string>twistedcaldav.directory.nss.NssDirectoryService</string>
<key>params</key>
<dict>
<key>realmName</key>
<string>Test Realm</string>
<key>groupPrefix</key>
<string>caldavd-</string>
<key>firstValidUid</key>
<integer>1000</integer>
<key>lastValidUid</key>
<integer>65533</integer>
<key>firstValidGid</key>
<integer>1000</integer>
<key>lastValidGid</key>
<integer>65533</integer>
<key>mailDomain</key>
<string>example.com</string>
<key>cacheTimeout</key>
<integer>30</integer>
</dict>
</dict>
-->
<!--
Directory service
A directory service provides information about principals (eg.
users, groups, locations and resources) to the server.
A variety of directory services are available for use.
-->
<!-- XML File Directory Service -->
<key>DirectoryService</key>
<dict>
<key>type</key>
<string>twistedcaldav.directory.xmlfile.XMLDirectoryService</string>
<key>params</key>
<dict>
<key>xmlFile</key>
<string>/etc/caldavd/accounts.xml</string>
</dict>
</dict>
<!-- Open Directory Service (Mac OS X) -->
<!--
<key>DirectoryService</key>
<dict>
<key>type</key>
<string>twistedcaldav.directory.appleopendirectory.OpenDirectoryService</string>
<key>params</key>
<dict>
<key>node</key>
<string>/Search</string>
<key>cacheTimeout</key>
<integer>30</integer>
</dict>
</dict>
-->
<!-- OpenLDAP Directory Service -->
<!--
<key>DirectoryService</key>
<dict>
<key>type</key>
<string>twistedcaldav.directory.ldapdirectory.LdapDirectoryService</string>
<key>params</key>
<dict>
<key>restrictEnabledRecords</key>
<false/>
<key>restrictToGroup</key>
<string></string>
<key>cacheTimeout</key>
<integer>30</integer>
<key>uri</key>
<string>ldap://example.com/</string>
<key>tls</key>
<false/>
<key>tlsCACertFile</key>
<string></string>
<key>tlsCACertDir</key>
<string></string>
<key>tlsRequireCert</key>
<string>never</string>
<key>credentials</key>
<dict>
<key>dn</key>
<string></string>
<key>password</key>
<string></string>
</dict>
<key>authMethod</key>
<string>LDAP</string>
<key>rdnSchema</key>
<dict>
<key>base</key>
<string>dc=example,dc=com</string>
<key>guidAttr</key>
<string>entryUUID</string>
<key>users</key>
<dict>
<key>rdn</key>
<string>ou=People</string>
<key>attr</key>
<string>uid</string>
<key>emailSuffix</key>
<string></string>
<key>filter</key>
<string></string>
<key>loginEnabledAttr</key>
<string></string>
<key>loginEnabledValue</key>
<string>yes</string>
<key>mapping</key>
<dict>
<key>recordName</key>
<string>uid</string>
<key>fullName</key>
<string>cn</string>
<key>emailAddresses</key>
<string>mail</string>
<key>firstName</key>
<string>givenName</string>
<key>lastName</key>
<string>sn</string>
</dict>
</dict>
<key>groups</key>
<dict>
<key>rdn</key>
<string>ou=Group</string>
<key>attr</key>
<string>cn</string>
<key>emailSuffix</key>
<string></string>
<key>filter</key>
<string></string>
<key>mapping</key>
<dict>
<key>recordName</key>
<string>cn</string>
<key>fullName</key>
<string>cn</string>
<key>emailAddresses</key>
<string>mail</string>
<key>firstName</key>
<string>givenName</string>
<key>lastName</key>
<string>sn</string>
</dict>
</dict>
</dict>
<key>groupSchema</key>
<dict>
<key>membersAttr</key>
<string>member</string>
<key>nestedGroupsAttr</key>
<string></string>
<key>memberIdAttr</key>
<string></string>
</dict>
<key>resourceSchema</key>
<dict>
<key>resourceInfoAttr</key>
<string></string>
<key>autoScheduleAttr</key>
<string></string>
<key>autoScheduleEnabledValue</key>
<string>yes</string>
<key>proxyAttr</key>
<string></string>
<key>readOnlyProxyAttr</key>
<string></string>
</dict>
</dict>
</dict>
-->
<!-- Resource and Location Service -->
<key>ResourceService</key>
<dict>
<key>Enabled</key>
<true/>
<key>type</key>
<string>twistedcaldav.directory.xmlfile.XMLDirectoryService</string>
<key>params</key>
<dict>
<key>xmlFile</key>
<string>/etc/caldavd/resources.xml</string>
</dict>
</dict>
<!--
Special principals
These principals are granted special access and/or perform
special roles on the server.
-->
<!-- Principals with "DAV:all" access (relative URLs) -->
<key>AdminPrincipals</key>
<array>
<string>/principals/__uids__/ADMIN/</string>
</array>
<!-- Principals with "DAV:read" access (relative URLs) -->
<key>ReadPrincipals</key>
<array>
<!--
<string>/principals/__uids__/983C8238-FB6B-4D92-9242-89C0A39E5F81/</string> -->
</array>
<!-- Create "proxy access" principals -->
<key>EnableProxyPrincipals</key>
<true/>
<!--
Permissions
-->
<!-- Anonymous read access for root resource -->
<key>EnableAnonymousReadRoot</key>
<true/>
<!-- Anonymous read access for resource hierarchy -->
<key>EnableAnonymousReadNav</key>
<false/>
<!-- Enables directory listings for principals -->
<key>EnablePrincipalListings</key>
<false/>
<!-- Render calendar collections as a monolithic iCalendar object -->
<key>EnableMonolithicCalendars</key>
<true/>
<!--
Authentication
-->
<key>Authentication</key>
<dict>
<!-- Clear text; best avoided -->
<key>Basic</key>
<dict>
<key>Enabled</key>
<false/>
</dict>
<!-- Digest challenge/response -->
<key>Digest</key>
<dict>
<key>Enabled</key>
<true/>
<key>Algorithm</key>
<string>md5</string>
<key>Qop</key>
<string></string>
</dict>
<!-- Kerberos/SPNEGO -->
<key>Kerberos</key>
<dict>
<key>Enabled</key>
<true/>
<key>ServicePrincipal</key>
<string></string>
</dict>
</dict>
<!--
Logging
-->
<!-- Log root -->
<key>LogRoot</key>
<string>/var/log/caldavd</string>
<!-- Apache-style access log -->
<key>AccessLogFile</key>
<string>access.log</string>
<key>RotateAccessLog</key>
<true/>
<!-- Server activity log -->
<key>ErrorLogFile</key>
<string>error.log</string>
<!-- Log levels -->
<key>DefaultLogLevel</key>
<string>warn</string> <!-- debug, info, warn, error -->
<!-- Global server stats -->
<key>GlobalStatsSocket</key>
<string>caldavd-stats.sock</string>
<!-- Server process ID file -->
<key>PIDFile</key>
<string>caldavd.pid</string>
<!--
SSL/TLS
-->
<!-- Public key -->
<key>SSLCertificate</key>
<string>/etc/ssl/certs/ssl-cert-snakeoil.pem</string>
<!-- SSL authority chain (for intermediate certs) -->
<key>SSLAuthorityChain</key>
<string></string>
<!-- Private key -->
<key>SSLPrivateKey</key>
<string>/etc/ssl/private/ssl-cert-snakeoil.key</string>
<!--
Process management
-->
<key>UserName</key>
<string>caldavd</string>
<key>GroupName</key>
<string>caldavd</string>
<key>ProcessType</key>
<string>Combined</string>
<key>MultiProcess</key>
<dict>
<key>ProcessCount</key>
<integer>0</integer> <!-- 0 = larger of: 4 or (2 * CPU count) -->
</dict>
<!--
Notifications
-->
<key>Notifications</key>
<dict>
<!-- Time spent coalescing notifications before delivery -->
<key>CoalesceSeconds</key>
<integer>3</integer>
<key>Services</key>
<dict>
<key>XMPPNotifier</key>
<dict>
<!-- XMPP notification service -->
<key>Service</key>
<string>twistedcaldav.notify.XMPPNotifierService</string>
<key>Enabled</key>
<false/>
<!-- XMPP host and port to contact -->
<key>Host</key>
<string>xmpp.host.name</string>
<key>Port</key>
<integer>5222</integer>
<!-- Jabber ID and password for the server -->
<key>JID</key>
<string>j...@xmpp.host.name/resource</string>
<key>Password</key>
<string>password_goes_here</string>
<!-- PubSub service address -->
<key>ServiceAddress</key>
<string>pubsub.xmpp.host.name</string>
</dict>
</dict>
</dict>
<!--
Server-to-server protocol
-->
<key>Scheduling</key>
<dict>
<!-- CalDAV protocol options -->
<key>CalDAV</key>
<dict>
<key>EmailDomain</key>
<string></string>
<key>HTTPDomain</key>
<string></string>
<key>AddressPatterns</key>
<array>
</array>
</dict>
<!-- iSchedule protocol options -->
<key>iSchedule</key>
<dict>
<key>Enabled</key>
<false/>
<key>AddressPatterns</key>
<array>
</array>
<key>Servers</key>
<string>/etc/caldavd/servertoserver.xml</string>
</dict>
<!-- iMIP protocol options -->
<key>iMIP</key>
<dict>
<key>Enabled</key>
<false/>
<key>MailGatewayServer</key>
<string>localhost</string>
<key>MailGatewayPort</key>
<integer>62310</integer>
<key>Sending</key>
<dict>
<key>Server</key>
<string></string>
<key>Port</key>
<integer>587</integer>
<key>UseSSL</key>
<true/>
<key>Username</key>
<string></string>
<key>Password</key>
<string></string>
<key>Address</key>
<string></string> <!-- Address email will be sent from -->
</dict>
<key>Receiving</key>
<dict>
<key>Server</key>
<string></string>
<key>Port</key>
<integer>995</integer>
<key>Type</key>
<string></string> <!-- Either "pop" or "imap" -->
<key>UseSSL</key>
<true/>
<key>Username</key>
<string></string>
<key>Password</key>
<string></string>
<key>PollingSeconds</key>
<integer>30</integer>
</dict>
<key>AddressPatterns</key>
<array>
<string>mailto:.*</string>
</array>
</dict>
</dict>
<!--
Free-busy URL protocol
-->
<key>FreeBusyURL</key>
<dict>
<key>Enabled</key>
<true/>
<key>TimePeriod</key>
<integer>14</integer>
<key>AnonymousAccess</key>
<false/>
</dict>
<!--
Non-standard CalDAV extensions
-->
<!-- Private Events -->
<key>EnablePrivateEvents</key>
<true/>
<!-- Shared Calendars & Address Books -->
<key>Sharing</key>
<dict>
<key>Enabled</key>
<true/>
</dict>
<!--
Miscellaneous items
-->
<!-- Web-based administration -->
<key>EnableWebAdmin</key>
<true/>
<!-- Memcached -->
<key>Memcached</key>
<dict>
<key>Pools</key>
<dict>
<key>Default</key>
<dict>
<key>ServerEnabled</key>
<false/>
</dict>
</dict>
</dict>
</dict>
</plist>
/etc/caldavd/sudoers.plist changed:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
<plist version="1.0">
<dict>
<key>users</key>
<array>
<!-- Sudo user definitions -->
<!-- With the exception of username and password none of the following
elements are used in the current implementation. -->
<!--
<dict>
<key>authorize-as</key>
<dict>
<key>allow</key>
<true/>
<key>principals</key>
<array>
<string>all</string>
<string>/principals/user/wsanchez</string>
</array>
</dict>
<key>authorize-from</key>
<array>
<string>127.0.0.1</string>
</array>
<key>username</key>
<string>admin</string>
<key>password</key>
<string></string>
</dict>
-->
<dict>
<key>username</key>
<string>superuser</string>
<key>password</key>
<string>superuser</string>
</dict>
</array>
</dict>
</plist>
/etc/default/calendarserver changed:
start_calendarserver=yes
-- no debconf information
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
