|

»

Calendar Server

»

Calendar Server - Users

CalDAVClientLibrary Kerberos authentication

View: New views

4 Messages — Rating Filter: Alert me

	CalDAVClientLibrary Kerberos authentication by Ramon Ziai :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Hi caldavd users, I was looking for a way to manage ACLs on individual calendars and came across CalDAVClientLibrary. I assume that's the recommended way of managing ACLs, is that correct? However, it seems CalDAVClientLibrary does not support Kerberos authentication. Our caldavd installation runs on Debian Lenny, using the Debian package. It is configured to use Kerberos for authentication, which works well with all calendar clients. But when I run the shell tool, I get: ./runshell.py -l --server https://server:8443 User: rziai Password: <-------- BEGIN HTTP CONNECTION --------> Server: limnos <-------- BEGIN HTTP REQUEST --------> OPTIONS /principals/users/rziai/ HTTP/1.1 Host: limnos <-------- BEGIN HTTP RESPONSE --------> HTTP/1.1 401 Unauthorized Content-Length: 141 Server: Twisted/8.1.0 TwistedWeb/[twisted.web2, version 0.2.0] DAV: 1, access-control, calendar-access, calendar-schedule, calendar-availability, inbox-availability, calendar-proxy Date: Fri, 17 Apr 2009 14:11:26 GMT Content-Type: text/html WWW-Authenticate: negotiate <html><head><title>Unauthorized</title></head><body><h1>Unauthorized</h1><p>You are not authorized to access this resource.</p></body></html> <-------- END HTTP RESPONSE --------> <-------- END HTTP CONNECTION --------> Ignoring error If it supported Kerberos, it shouldn't even ask for a password and instead just use the ticket I already have in my ticket cache. Any hints would be appreciated. Best, Ramon _______________________________________________ calendarserver-users mailing list calendarserver-users@... http://lists.macosforge.org/mailman/listinfo.cgi/calendarserver-users signature.asc (268 bytes) Download Attachment
	Re: CalDAVClientLibrary Kerberos authentication by Georg Troska :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Hi, I have the same problem on Ubuntu Intrepid. I think it should work with clear text passwords and sudoers, but these may not be enabled at the same time. I tried to enable clear passwords for the configuration, but I was not able to change something. Are you? Let me know if you find something out Thanks George Am 17.04.2009 um 16:15 schrieb Ramon Ziai: > Hi caldavd users, > > I was looking for a way to manage ACLs on individual calendars and > came > across CalDAVClientLibrary. I assume that's the recommended way of > managing ACLs, is that correct? > > However, it seems CalDAVClientLibrary does not support Kerberos > authentication. Our caldavd installation runs on Debian Lenny, using > the > Debian package. It is configured to use Kerberos for authentication, > which works well with all calendar clients. But when I run the shell > tool, I get: > > ./runshell.py -l --server https://server:8443 > User: rziai > Password: > > <-------- BEGIN HTTP CONNECTION --------> > Server: limnos > > <-------- BEGIN HTTP REQUEST --------> > OPTIONS /principals/users/rziai/ HTTP/1.1 > Host: limnos > > > <-------- BEGIN HTTP RESPONSE --------> > HTTP/1.1 401 Unauthorized > Content-Length: 141 > Server: Twisted/8.1.0 TwistedWeb/[twisted.web2, version 0.2.0] > DAV: 1, access-control, calendar-access, calendar-schedule, > calendar-availability, inbox-availability, calendar-proxy > Date: Fri, 17 Apr 2009 14:11:26 GMT > Content-Type: text/html > WWW-Authenticate: negotiate > <html><head><title>Unauthorized</title></ > head><body><h1>Unauthorized</h1><p>You > are not authorized to access this resource.</p></body></html> > <-------- END HTTP RESPONSE --------> > > <-------- END HTTP CONNECTION --------> > Ignoring error > > > If it supported Kerberos, it shouldn't even ask for a password and > instead just use the ticket I already have in my ticket cache. > > Any hints would be appreciated. > > Best, > Ramon > > _______________________________________________ > calendarserver-users mailing list > calendarserver-users@... > http://lists.macosforge.org/mailman/listinfo.cgi/calendarserver-users _______________________________________________ calendarserver-users mailing list calendarserver-users@... http://lists.macosforge.org/mailman/listinfo.cgi/calendarserver-users
	Re: CalDAVClientLibrary Kerberos authentication by Ramon Ziai :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Hi Georg, Georg Troska schrieb: > I have the same problem on Ubuntu Intrepid. I think it should work with > clear text passwords and sudoers, but these may not be enabled at the > same time. > > I tried to enable clear passwords for the configuration, but I was not > able to change something. Are you? that doesn't seem to work for me either. And it's a hack at best to add another less secure authentication method in order to change ACLs. Are there any plans to add Kerberos authentication to CalDAVClientLibrary? If not, I'd be willing to start hacking on that. I'm assuming I just have to add another Authenticator in protocol.http.authentication that implements the necessary methods and calls the authGSSClient* functions? Best, Ramon _______________________________________________ calendarserver-users mailing list calendarserver-users@... http://lists.macosforge.org/mailman/listinfo.cgi/calendarserver-users signature.asc (268 bytes) Download Attachment
	Re: CalDAVClientLibrary Kerberos authentication by Ramon Ziai :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Hi all, I've written some code for this problem and attached it to the following ticket: https://trac.calendarserver.org/ticket/334 This patch enables Kerberos authentication for CalDAVClientLibrary using the PyKerberos binding. It worked for me but please test whether it does so for you. The "kerberos" import is assumed to be available in the PythonPath. User and password are prompted for by the program but are not required for kerberos authentication. Best, Ramon Ramon Ziai schrieb: > Hi Georg, > > Georg Troska schrieb: > >> I have the same problem on Ubuntu Intrepid. I think it should work with >> clear text passwords and sudoers, but these may not be enabled at the >> same time. >> >> I tried to enable clear passwords for the configuration, but I was not >> able to change something. Are you? > > that doesn't seem to work for me either. And it's a hack at best to add > another less secure authentication method in order to change ACLs. > > Are there any plans to add Kerberos authentication to CalDAVClientLibrary? > > If not, I'd be willing to start hacking on that. I'm assuming I just > have to add another Authenticator in protocol.http.authentication that > implements the necessary methods and calls the authGSSClient* functions? > > Best, > Ramon > > > > ------------------------------------------------------------------------ > > _______________________________________________ > calendarserver-users mailing list > calendarserver-users@... > http://lists.macosforge.org/mailman/listinfo.cgi/calendarserver-users _______________________________________________ calendarserver-users mailing list calendarserver-users@... http://lists.macosforge.org/mailman/listinfo.cgi/calendarserver-users signature.asc (268 bytes) Download Attachment