[Calendarserver-maintainers] Bug#499963: Bug#499963: calendarserver: caldavd fails to authenticate and autocreate principal when running with NssDirectoryService

Guido Günther agx at sigxcpu.org
Thu Oct 2 07:31:30 UTC 2008

On Wed, Oct 01, 2008 at 04:24:58PM -0700, Ben Poliakoff wrote:
> Alright I see what's going on.  The NssDirectoryService is required by
> the DirectoryService class to support three methods:
>     recordTypes()
>     listRecords()
>     recordWithShortName()
Thanks for debugging this! Now that we knew that the xml service works I
was about to let you add debug code that prints out the users found in
listRecords but you found out yourself already.

> My server is configured to use files and LDAP for NSS calls.  We have
> several thousand users in our LDAP directory and implement the default
> limit of 500 search results.  As a result 'getent passwd' returns
> a subset of all valid accounts (not including the 'benp' account).
Yes, the nss service is basically meant for smaller installations as a
quick means of not having double account maintenance, it's far to slow
for that many users (calendarsever itself will have problems with this
itlself - at least in 1.2).

This can be used if only a few users need a calendar: add an hasCalendar
attribute to every PosixAccount and filter in libnss-ldap by using the

nss_base_passwd   base?scope?hasCalendar=True

(in case you use a separate machine for the calendar server). I'm doing
something similar to cut down on the number of groups being looked at.

> I think I might take a stab at writing a generic LDAPDirectoryService
> using your NssDirectoryService as an example.
There's already code in the calendarserver.org bugtracker for that. It
might be worth testing it out and reporting back.

> So in the end this isn't really a bug with NssDirectoryService; but it's
> probably worth noting in the documentation that NssDirectoryService will
> only work properly within an environment where *all* valid users can be
> retrieved via the equivalent of 'getent passwd'.  
I'll add that, thanks.

> Sorry for the trouble, and thanks for your time!
Thanks for debugging this.
 -- Guido

More information about the Calendarserver-maintainers mailing list