[Calendarserver-maintainers] Bug#499963: Bug#499963: calendarserver: caldavd fails to authenticate and autocreate principal when running with NssDirectoryService
Ben Poliakoff
benp at reed.edu
Wed Oct 1 23:24:58 UTC 2008

Alright I see what's going on. The NssDirectoryService is required by
the DirectoryService class to support three methods:

    recordTypes()
    listRecords()
    recordWithShortName()

My server is configured to use files and LDAP for NSS calls. We have
several thousand users in our LDAP directory and implement the default
limit of 500 search results. As a result 'getent passwd' returns
a subset of all valid accounts (not including the 'benp' account).

'getent passwd benp' returns the entry for the 'benp' account just
fine; and when I manually add the result of 'getent passwd benp'
to /etc/passwd I'm finally able to connect with Lightning via
Kerberos/Negotiate auth as 'benp'. The principal is autocreated and I'm
able to read and write to the calendar.

But a DirectoryService subclass is required to support a function
(listRecords) that returns *all* valid accounts. This just isn't
compatible with our NSS environment.

I think I might take a stab at writing a generic LDAPDirectoryService
using your NssDirectoryService as an example.

So in the end this isn't really a bug with NssDirectoryService; but it's
probably worth noting in the documentation that NssDirectoryService will
only work properly within an environment where *all* valid users can be
retrieved via the equivalent of 'getent passwd'.

Sorry for the trouble, and thanks for your time!

Ben
--
________________________________________________________________________
PGP fingerprint: A131 F813 7A0F C5B7 E74D C972 9118 A94D 6AF5 2019
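
A check for the condition described in the message above, added here as an example; it is not part of the original post and not calendarserver code. It compares NSS enumeration (the equivalent of 'getent passwd') with per-name lookup (the equivalent of 'getent passwd benp') and reports accounts that resolve by name but are missing from the listing. The names `classify_accounts` and `make_limited_backend` are hypothetical, and the latter is a constructed stand-in for an NSS source with a search-result limit.

```python
import pwd
from collections import namedtuple


def classify_accounts(names, enumerate_fn=pwd.getpwall, lookup_fn=pwd.getpwnam):
    """Compare NSS enumeration with per-name lookup for the given accounts.

    Returns a dict mapping each name to one of:
      "enumerated"  - present in the full listing (what a listRecords-style call sees)
      "lookup-only" - resolvable by name but absent from the listing
      "missing"     - not resolvable at all
    """
    listed = {entry.pw_name for entry in enumerate_fn()}
    result = {}
    for name in names:
        if name in listed:
            result[name] = "enumerated"
            continue
        try:
            lookup_fn(name)  # pwd.getpwnam raises KeyError for unknown names
        except KeyError:
            result[name] = "missing"
        else:
            result[name] = "lookup-only"
    return result


# Constructed test double: an account source whose enumeration is cut off
# at size_limit entries while direct lookups still succeed.
Entry = namedtuple("Entry", "pw_name pw_uid")


def make_limited_backend(all_names, size_limit):
    entries = {n: Entry(n, 1000 + i) for i, n in enumerate(all_names)}

    def enumerate_fn():
        return list(entries.values())[:size_limit]

    def lookup_fn(name):
        return entries[name]  # KeyError when unknown, like pwd.getpwnam

    return enumerate_fn, lookup_fn


if __name__ == "__main__":
    import sys
    # Usage: python check_nss.py benp alice ...  (queries the host's real NSS)
    for name, state in classify_accounts(sys.argv[1:]).items():
        print(f"{name}: {state}")
```

Any account reported as "lookup-only" is one that a service relying on full enumeration will not see, even though the host itself can resolve it.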