[Davical-general] Permissions, ldap, multiple calendars

Bobby Krupczak
Hi!

I turned on more debugging and think I figured out permissions
problems.

I previously had granted users and groups access to my personal
calendar but those users could still not access it.

It seems that for others to access my calendars, I have to grant them
some sort of access to my principal resource.

I'm testing on iPhone/iPad.

Is this normal for DAViCal or is this a bug in the client?

Also, what's the minimum permissions I can get away with giving to my
principal resource?

Is there a config workaround?

Thanks,

Bobby


_______________________________________________
Davical-general mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/davical-general

Re: Permissions, ldap, multiple calendars

Ján Máté-2
From the Wiki:

http://wiki.davical.org/w/Setup_for_Apple_Users#iCal_handles_principal_grants.2C_not_collection_grants

Notable Issues

iCal handles principal grants, not collection grants
So you need to restrict access at the collection level after granting broader access at the principal level, and users may still see delegated calendars that they cannot actually read and/or write to.

JM

On May 14, 2012, at 5:26 PM, Bobby Krupczak wrote:

> Hi!
>
> I turned on more debugging and think I figured out permissions
> problems.
>
> I previously had granted users and groups access to my personal
> calendar but those users could still not access it.
>
> It seems that for others to access my calendars, I have to grant them
> some sort of access to my principal resource.
>
> I'm testing on iPhone/iPad.
>
> Is this normal for DAViCal or is this a bug in the client?
>
> Also, what's the minimum permissions I can get away with giving to my
> principal resource?
>
> Is there a config workaround?
>
> Thanks,
>
> Bobby

Re: Permissions, ldap, multiple calendars

Bobby Krupczak
Hi!

> http://wiki.davical.org/w/Setup_for_Apple_Users#iCal_handles_principal_grants.2C_not_collection_grants 

> iCal handles principal grants, not collection grants
> So you need to restrict access at the collection level after
> granting broader access at the principal level, and users may still
> see delegated calendars that they cannot actually read and/or write
> to.

I see that now.  I previously read this doc, last week, but it did not
make much sense given my lack of understanding of the overall
permission model.  I'm just now kinda figuring out what principals,
users, etc. are and by poking my way through it.

By the by, I got an iPad/iPhone to work but am struggling with
Thunderbird/Lightning.

Are there similar issues with thunderbird/lightning?  I granted
principal permission to a user along with calendar permissions but
that user cannot see any calendars.

Does a user have to specifically grant him or herself permissions to
his/her calendars?

Thanks,

Bobby



Re: Permissions, ldap, multiple calendars

Andrew McMillan
On Mon, 2012-05-14 at 16:37 -0400, Bobby Krupczak wrote:

> Hi!
>
> > http://wiki.davical.org/w/Setup_for_Apple_Users#iCal_handles_principal_grants.2C_not_collection_grants 
>
> > iCal handles principal grants, not collection grants
> > So you need to restrict access at the collection level after
> > granting broader access at the principal level, and users may still
> > see delegated calendars that they cannot actually read and/or write
> > to.
>
> I see that now.  I previously read this doc, last week, but it did not
> make much sense given my lack of understanding of the overall
> permission model.  I'm just now kinda figuring out what principals,
> users, etc. are and by poking my way through it.
>
> By the by, I got an iPad/iPhone to work but am struggling with
> Thunderbird/Lightning.
>
> Are there similar issues with thunderbird/lightning?  I granted
> principal permission to a user along with calendar permissions but
> that user cannot see any calendars.

Yes.  Although Lightning is configured on a calendar by calendar basis,
for some reason it still makes a request against the Principal URL and
so needs the permission "read current user privileges" on there.  That's
a lot less privilege than 'read' though.


> Does a user have to specifically grant him or herself permissions to
> his/her calendars?

No: there is no way to restrict an owner from accessing their own
collections.

Cheers,
                                        Andrew.
--
------------------------------------------------------------------------
andrew (AT) morphoss (DOT) com                            +64(272)DEBIAN
                        VMS must die!
------------------------------------------------------------------------
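
Added example, not part of the thread or of DAViCal's code: a least-privilege check for the principal grants discussed above, which parses a WebDAV ACL (RFC 3744) `DAV:current-user-privilege-set` reply and flags principals where the requesting user holds more than "read current user privileges". The sample response, its paths and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"
MINIMUM = frozenset({"read-current-user-privilege-set"})

# Constructed 207 Multi-Status body, as returned for a PROPFIND asking for
# DAV:current-user-privilege-set. Paths and grants are made up for illustration.
SAMPLE = """<multistatus xmlns="DAV:">
 <response><href>/caldav.php/bobby/</href><propstat>
  <prop><current-user-privilege-set>
   <privilege><read-current-user-privilege-set/></privilege>
  </current-user-privilege-set></prop>
  <status>HTTP/1.1 200 OK</status></propstat></response>
 <response><href>/caldav.php/bobby/calendar/</href><propstat>
  <prop><current-user-privilege-set>
   <privilege><read/></privilege>
   <privilege><read-current-user-privilege-set/></privilege>
  </current-user-privilege-set></prop>
  <status>HTTP/1.1 200 OK</status></propstat></response>
 <response><href>/caldav.php/alice/</href><propstat>
  <prop><current-user-privilege-set>
   <privilege><read/></privilege>
   <privilege><write/></privilege>
   <privilege><read-current-user-privilege-set/></privilege>
  </current-user-privilege-set></prop>
  <status>HTTP/1.1 200 OK</status></propstat></response>
</multistatus>"""

def effective_privileges(multistatus_xml):
    """Map each href to the set of privilege names the current user holds."""
    result = {}
    for resp in ET.fromstring(multistatus_xml).iter(DAV + "response"):
        href = resp.findtext(DAV + "href", "").strip()
        privs = set()
        for propstat in resp.findall(DAV + "propstat"):
            # Only a 200 propstat carries a property the server really returned.
            if " 200 " not in propstat.findtext(DAV + "status", ""):
                continue
            for priv in propstat.iter(DAV + "privilege"):
                privs.update(child.tag.split("}", 1)[-1] for child in priv)
        result[href] = privs
    return result

def over_granted(privs_by_href, principal_hrefs, allowed=MINIMUM):
    """Return {principal href: extra privileges} where grants exceed `allowed`."""
    extras = {h: privs_by_href.get(h, set()) - allowed for h in principal_hrefs}
    return {h: sorted(e) for h, e in extras.items() if e}
```
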



Re: Permissions, ldap, multiple calendars

Bobby Krupczak
Hi!

> Yes.  Although Lightning is configured on a calendar by calendar basis,
> for some reason it still makes a request against the Principal URL and
> so needs the permission "read current user privileges" on there.  That's
> a lot less privilege than 'read' though.
>
>
> > Does a user have to specifically grant him or herself permissions to
> > his/her calendars?
>
> No: there is no way to restrict an owner from accessing their own
> collections.

Thanks!!

The other thing I found out the hard way (before finding a blurb about
it in the mailing list archives) is that Lightning is very very
sensitive to the URL.

When configuring iOS devices, I can drop the default /calendar from
the URL and they seem to work.  If I do this with Lightning, it spin
loops, pounding away at my webserver.  Yuck.

Finally got all this figured out and have multiple calendars accessed
by multiple users and multiple platforms.

Thanks,

Bobby

