[Calendarserver-maintainers] Bug#499963: Bug#499963: calendarserver: caldavd fails to authenticate and autocreate principal when running with NssDirectoryService

[Ben Poliakoff]

Alright I see what's going on.  The NssDirectoryService is required by
the DirectoryService class to support three methods:

    recordTypes()
    listRecords()
    recordWithShortName()

My server is configured to use files and LDAP for NSS calls.  We have
several thousand users in our LDAP directory and implement the default
limit of 500 search results.  As a result 'getent passwd' returns
a subset of all valid accounts (not including the 'benp' account).

'getent passwd benp' returns the entry for the 'benp' account just
fine; and when I manually add the result of 'getent passwd benp'
to /etc/passwd I'm finally able to connect with Lightning via
Kerberos/Negotiate auth as 'benp'.  The principal is autocreated and I'm
able to read and write to the calendar.

But a DirectoryService subclass is required to support a function
(listRecords) that returns *all* valid accounts.  This just isn't
compatible with our NSS environment.

I think I might take a stab at writing a generic LDAPDirectoryService
using your NssDirectoryService as an example.

So in the end this isn't really a bug with NssDirectoryService; but it's
probably worth noting in the documentation that NssDirectoryService will
only work properly within an environment where *all* valid users can be
retrieved via the equivalent of 'getent passwd'.  

Sorry for the trouble, and thanks for your time!

Ben

-- 
________________________________________________________________________
PGP fingerprint:      A131 F813 7A0F C5B7 E74D  C972 9118 A94D 6AF5 2019
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/calendarserver-maintainers/attachments/20081001/e1f44e6e/attachment.pgp