Mac OS X Server: iCal Service Administration (Mac OS X Server v10.5)
User Manual: Apple Mac OS X Server v10.5, iCal Service Administration
Page Count: 38
Mac OS X Server
iCal Service Administration
For Version 10.5 Leopard

Apple Inc.
© 2007 Apple Inc. All rights reserved.

Under the copyright laws, this manual may not be copied, in whole or in part, without the written consent of Apple.

The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors.

Apple
1 Infinite Loop
Cupertino, CA 95014-2084
408-996-1010
www.apple.com

Apple, the Apple logo, iCal, Mac, Macintosh, the Mac logo, Mac OS, QuickTime, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries.

Finder is a trademark of Apple Inc.

Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.

Simultaneously published in the United States and Canada.
019-0940/2007-09-01

Contents

Preface: About This Guide  5
  What’s in This Guide  5
  Using Onscreen Help  5
  Mac OS X Server Administration Guides  6
  Viewing PDF Guides Onscreen  7
  Printing PDF Guides  7
  Getting Documentation Updates  8
  Getting Additional Information  8

Chapter 1: Understanding iCal Service  9
  iCal Service Features  9
  Open Standards  10
  Directory and Client Integration  10
  Service Scalability  11
  Client Applications That Integrate with iCal Service  11
  Third-Party Applications  11
  iCal Service In Action  12

Chapter 2: Setting Up and Managing iCal Service  13
  Minimum Requirements  13
  Setting Up iCal Service  13
  Enabling iCal Service for Administration  14
  Starting or Stopping iCal Service Administration  15
  Changing iCal Service Administration Settings  15
  Setting the iCal Service Host Name  16
  Setting the iCal Service Port Number  16
  Changing the Calendar Data Store Location  16
  Changing the Calendar Attachment Limit  17
  Changing Calendar User Quotas  17
  Enabling iCal Service for a User or Group  17
  Defining Who Can View or Edit Group Calendars  18
  Defining Who Can View or Edit User Calendars  19
  Configuring Security for iCal Service  19
  Choosing and Enabling Secure Authentication for iCal Service  19
  Configuring and Enabling Secure Network Traffic for iCal Service  20
  Monitoring iCal Service  20
  Viewing iCal Service Vital Statistics  21
  Viewing iCal Service Logs  21
  Maintaining iCal Service  21
  Understanding iCal Service Administration Configuration Files  21
  Understanding Calendar Files  22
  Backing Up and Restoring Calendar Files  22
  Deleting Unused Calendars  23

Chapter 3: Advanced iCal Service Information  25
  Understanding Service Implementation Details  25
  Understanding the Data Store File Hierarchy  27
  Getting the Source Code  28
  Where to Go for Additional Information  29
  Related Web Sites  29
  Standards Documents  29

Glossary  31
Index  37

Preface: About This Guide

This guide shows you how to set up and maintain networked calendars for your organization using iCal service, the calendar service for Mac OS X Server.

You will find information about setting up, managing, maintaining, and monitoring iCal service so that users of Apple’s iCal application or another CalDAV-compliant calendar application can access and share calendar events.

What’s in This Guide

This guide includes the following chapters:
• Chapter 1, “Understanding iCal Service,” provides an overview of iCal service and how it is used.
• Chapter 2, “Setting Up and Managing iCal Service,” provides instructions for setting up and managing iCal service.
• Chapter 3, “Advanced iCal Service Information,” provides detailed implementation information about the service.

Note: Because Apple frequently releases new versions and updates to its software, images shown in this book may be different from what you see on your screen.

Using Onscreen Help

You can get task instructions onscreen in Help Viewer while you’re managing Leopard Server. You can view help on a server or an administrator computer. (An administrator computer is a Mac OS X computer with Leopard Server administration software installed on it.)

To get help for an advanced configuration of Leopard Server:
• Open Server Admin or Workgroup Manager and then:
  • Use the Help menu to search for a task you want to perform.
  • Choose Help > Server Admin Help or Help > Workgroup Manager Help to browse and search the help topics.

The onscreen help contains instructions taken from Server Administration and other advanced administration guides described in “Mac OS X Server Administration Guides,” next.

To see the most recent server help topics:
• Make sure the server or administrator computer is connected to the Internet while you’re getting help.

Help Viewer automatically retrieves and caches the most recent server help topics from the Internet. When not connected to the Internet, Help Viewer displays cached help topics.

Mac OS X Server Administration Guides

Getting Started covers installation and setup for standard and workgroup configurations of Mac OS X Server.
For advanced configurations, Server Administration covers planning, installation, setup, and general server administration. A suite of additional guides, listed below, covers advanced planning, setup, and management of individual services. You can get these guides in PDF format from the Mac OS X Server documentation website: www.apple.com/server/documentation

This guide... tells you how to:
• Getting Started and Mac OS X Server Worksheet: Install Mac OS X Server and set it up for the first time.
• Command-Line Administration: Install, set up, and manage Mac OS X Server using UNIX command-line tools and configuration files.
• File Services Administration: Share selected server volumes or folders among server clients using the AFP, NFS, FTP, and SMB protocols.
• iCal Service Administration: Set up and manage iCal shared calendar service.
• iChat Service Administration: Set up and manage iChat instant messaging service.
• Mac OS X Security Configuration: Make Mac OS X computers (clients) more secure, as required by enterprise and government customers.
• Mac OS X Server Security Configuration: Make Mac OS X Server and the computer it’s installed on more secure, as required by enterprise and government customers.
• Mail Service Administration: Set up and manage IMAP, POP, and SMTP mail services on the server.
• Network Services Administration: Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall, NAT, and RADIUS services on the server.
• Open Directory Administration: Set up and manage directory and authentication services, and configure clients to access directory services.
• Podcast Producer Administration: Set up and manage Podcast Producer service to record, process, and distribute podcasts.
• Print Service Administration: Host shared printers and manage their associated queues and print jobs.
• QuickTime Streaming and Broadcasting Administration: Capture and encode QuickTime content. Set up and manage QuickTime streaming service to deliver media streams live or on demand.
• Server Administration: Perform advanced installation and setup of server software, and manage options that apply to multiple services or to the server as a whole.
• System Imaging and Software Update Administration: Use NetBoot, NetInstall, and Software Update to automate the management of operating system and other software used by client computers.
• Upgrading and Migrating: Use data and service settings from an earlier version of Mac OS X Server or Windows NT.
• User Management: Create and manage user accounts, groups, and computers. Set up managed preferences for Mac OS X clients.
• Web Technologies Administration: Set up and manage web technologies, including web, blog, webmail, wiki, MySQL, PHP, Ruby on Rails, and WebDAV.
• Xgrid Administration and High Performance Computing: Set up and manage computational clusters of Xserve systems and Mac computers.
• Mac OS X Server Glossary: Learn about terms used for server and storage products.

Viewing PDF Guides Onscreen

While reading the PDF version of a guide onscreen:
• Show bookmarks to see the guide’s outline, and click a bookmark to jump to the corresponding section.
• Search for a word or phrase to see a list of places where it appears in the document. Click a listed place to see the page where it occurs.
• Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser.

Printing PDF Guides

If you want to print a guide, you can take these steps to save paper and ink:
• Save ink or toner by not printing the cover page.
• Save color ink on a color printer by looking in the panes of the Print dialog for an option to print in grays or black and white.
• Reduce the bulk of the printed document and save paper by printing more than one page per sheet of paper. In the Print dialog, change Scale to 115% (155% for Getting Started). Then choose Layout from the untitled pop-up menu. If your printer supports two-sided (duplex) printing, select one of the Two-Sided options. Otherwise, choose 2 from the Pages per Sheet pop-up menu, and optionally choose Single Hairline from the Border menu. (If you’re using Mac OS X v10.4 or earlier, the Scale setting is in the Page Setup dialog and the Layout settings are in the Print dialog.)

You may want to enlarge the printed pages even if you don’t print double sided, because the PDF page size is smaller than standard printer paper. In the Print dialog or Page Setup dialog, try changing Scale to 115% (155% for Getting Started, which has CD-size pages).

Getting Documentation Updates

Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.
• To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet and click “Latest help topics” or “Staying current” in the main help page for the application.
• To download the latest guides in PDF format, go to the Mac OS X Server documentation website: www.apple.com/server/documentation

Getting Additional Information

For more information, consult these resources:
• Read Me documents—important updates and special information. Look for them on the server discs.
• Mac OS X Server website (www.apple.com/server/macosx)—gateway to extensive product and technology information.
• Mac OS X Server Support website (www.apple.com/support/macosxserver)—access to hundreds of articles from Apple’s support organization.
• Apple Discussions website (discussions.apple.com)—a way to share questions, knowledge, and advice with other administrators.
• Apple Mailing Lists website (www.lists.apple.com)—subscribe to mailing lists so you can communicate with other administrators using email.

Chapter 1: Understanding iCal Service

iCal service is the shared calendar service for Mac OS X Server.
Built on open standard protocols, iCal service provides integration with leading calendaring programs.

Now it’s easy to share calendars, schedule meetings, and coordinate events within a workgroup, a small business, or a large corporation. Built on open standard protocols, iCal service integrates with leading calendaring programs. iCal service doesn’t impose a per-user license, so your organization can grow without paying for additional licenses.

iCal Service Features

iCal service is Mac OS X Server’s complete calendaring solution for your organization’s needs. It has all the features you need for a full calendaring solution, including:
• Multiple calendars: Each person or resource can have multiple calendars. Users can organize their calendars however they choose.
• Event invitations: Users can invite others to an event. When the recipient acknowledges the invitation, the scheduler gets the RSVP.
• Free/Busy browsing: When scheduling an event, a user can check to see if the invitees are available to accept an invitation.
• Rooms and resource scheduling: Resources (projectors, cars, and so forth) and rooms can have their own calendars and can be invited to events.
• Directory support: iCal service works with Open Directory. Using Open Directory’s Active Directory plug-in, you can provide calendar service for users in Active Directory.
• Delegation (proxy) support: Other users can be authorized to view your calendar events. This allows people to track subordinates, resources, or other designated calendar users. Proxies are used to allow event scheduling delegation as well.
• Fine-grained access controls: iCal service fully supports access control lists (ACLs) for events and attachments.
• Attachments: Events can have file attachments associated with them, so every event participant can have a copy of a file or meeting agenda.

Open Standards

iCal service is based on open standards. Each part of iCal service is a published standard.
It’s built upon a strong foundation of proven standards and familiar technologies, including:
• HTTP (RFC 2616): HTTP serves as the method of communication between the calendar clients and the server.
• WebDAV (RFC 2518): WebDAV serves as iCal service’s method for reading and writing calendar files on the server.
• CalDAV (RFC 4791): CalDAV is an extension of WebDAV to provide features specific to calendaring (like searches for free/busy information and use of the invitation protocol iTIP).
• iCalendar (RFC 2445): iCalendar is the standard text format for describing events.
• iTIP (RFC 2446): iTIP is the standard for making and responding to event invitations.

Apple is a member of the CalConnect Consortium and is committed to open standards-based calendaring and scheduling protocols. To further the widespread adoption and deployment of these standards, complete source code will be released to the open source community as part of the Darwin Calendar Server project, hosted on the macosforge.org website, calendarserver.org.

Directory and Client Integration

iCal service is integrated with Mac OS X Server’s foundation technologies. Calendar users are authenticated from Open Directory and Kerberos. iCal service is available to Apple Wiki groups, with each having its own shared calendar. The calendar files are stored in flat files so they can integrate with any storage system, local or networked.

In addition to Mac OS X Server technologies, iCal service can integrate with other directory systems like Active Directory or plain LDAP systems. iCal service uses open calendaring protocols for integrating with leading calendar programs, including iCal 3 in Leopard, Mozilla’s Sunbird, OSAF’s Chandler, and Microsoft Outlook (using an open source connector).

Service Scalability

Because the technology is based on web standards, iCal service has all the scalability of Mac OS X Server’s world-class web services.
As your organization grows, iCal service can take advantage of standard scalability technologies such as network load distributors, storage networks, and distributed directory servers. To maximize service scalability and minimize loss of productivity from service outages, iCal service is optimized for use with Xsan—Apple’s clustered file system. With Xsan, multiple calendar servers can read and write to the same volume, making it easy to increase performance and improve service reliability by scaling for additional servers.

Client Applications That Integrate with iCal Service

The following Apple applications can use Mac OS X Server’s iCal service. For a client to use iCal service, the client must support the CalDAV protocol.
• iCal 3.0: The version of iCal that ships with Mac OS X v10.5 Leopard has built-in support for CalDAV and therefore iCal service.
• Apple Wiki’s web calendar: The wiki service has an online calendar for each wiki group that uses iCal service.

Third-Party Applications

In addition, the following third-party applications can use iCal service. These applications are from companies or projects that have committed to using CalDAV as an open calendaring service. This list does not indicate an endorsement or support for any of the products listed.
• Mozilla Sunbird (open source)
• Open Software Application Foundation Chandler (open source)
• Microsoft Outlook using the open-source Outlook Connector Project
• Mulberry (open source)
• GNOME Evolution using the CalDAV plugin (open source)
• Marware Project X

iCal Service In Action

The following illustration shows the iCal service in a common workgroup environment. The iCal service is running on an Xserve connected to a shared storage system, Xsan. The Open Directory server authenticates the calendar users. The calendar users view, make, and save calendars and calendar entries using iCal 3.0 (for Mac OS X v10.5), or some other CalDAV compliant application.
A Web server on the same network is running an Apple wiki server for a group with a shared group calendar. It is also a client computer, accessing iCal service for the group calendar.

[Illustration: iCal Server back end (iCal Server with Xsan Storage; Authentication servers) and iCal Server clients (Leopard with iCal 3.0; OSAF’s Chandler; Mozilla’s Sunbird; Web Server running Apple’s Wiki Server)]

Chapter 2: Setting Up and Managing iCal Service

iCal service is configured using Server Admin, authenticated using Open Directory, and accessed using any CalDAV compatible client.

This chapter provides the planning steps and tasks necessary to set up iCal service. It also provides information about how to manage and monitor iCal service.

Minimum Requirements

To run iCal service, you need:
• A host name for the server with full reverse DNS lookup
• A firewall rule that allows TCP connections from iCal service clients to the iCal service on a chosen port
• User names and passwords stored in an Open Directory system, an Active Directory system (using the Active Directory plugin for Open Directory), or an OpenLDAP directory with appropriate schema to support iCal service
• (Optional) If you are using Kerberos for authentication, a running Kerberos system

A functioning DNS system, with full reverse lookups, a firewall to allow configuration, and an Open Directory server for authentication constitute a bare minimum for the setup environment.

Setting Up iCal Service

iCal service depends on other Mac OS X Server features. The following steps give the basic setup instructions and considerations for the first time you deploy iCal service.

Step 1: Plan your deployment

Make sure your target server meets the minimum Mac OS X Server system requirements. Make sure the number of servers is adequate for the estimated traffic. Make sure the storage space for calendars and attachments is sufficient for the estimated amount of data.
Additional information that can help you make these storage decisions can be found in Chapter 3, “Advanced iCal Service Information.”

Step 2: Gather your information

You need the following information before you begin:
• Host name of the server
• TCP port to respond to iCal service connections
• Authentication method (Digest, Kerberos v5, or Any)
• Location of the data store
• Estimated maximum attachment size
• Estimated storage quota per user
• Certificate information for SSL connections (optional)

This not only helps to make sure the installation goes smoothly, but it can help you make planning decisions.

Step 3: Set up the environment

If you are not in complete control of the network environment (DNS servers, DHCP server, firewall, and so forth), coordinate with your network administrator before installing. If you are planning on connecting the server to an existing directory system, you must also coordinate efforts with the directory administrator. If you are planning to create group calendars, you also need to enable Web service for Apple Wiki service.

Step 4: Configure and start iCal service

Configure the service parameters and turn on the iCal service. As users log in to the service with their CalDAV-enabled calendar applications, the service creates the needed directories and files.

For more information about enabling, configuring, and starting iCal service, see the following sections:
• “Enabling iCal Service for Administration” on page 14
• “Starting or Stopping iCal Service Administration” on page 15
• “Changing iCal Service Administration Settings” on page 15

Enabling iCal Service for Administration

You must turn on iCal service administration before you can use Server Admin to configure or enable it. This allows Server Admin to start, stop, and change settings for iCal service.

To enable iCal service for administration:
1 Open Server Admin.
2 Select a server, click the Settings button in the toolbar, and then click the Services tab.
3 Select the checkbox for iCal service.

Now the iCal service is ready to configure and control using Server Admin.

Starting or Stopping iCal Service Administration

You need to restart the iCal service after you make configuration changes. If you prefer to administer the service from the command line, you can use serveradmin. For specific instructions, see Command-Line Administration.

To start or stop the service:
1 Open Server Admin.
2 Select a server, then click the service disclosure triangle to show the services for administration. These instructions assume iCal service has been enabled in the service administration list of Server Admin.
3 In the service list beneath the server, select iCal service.
4 Click Start iCal, the service start button below the server list. If the service is running, click Stop iCal.

Changing iCal Service Administration Settings

The following settings are available for customization using Server Admin:

Setting / Description
• Data store location: This is where the server stores all the users’ calendars, delegate lists, and event attachments. To change this setting, see “Changing the Calendar Data Store Location” on page 16.
• Maximum attachment size: This is the maximum file size (in MB) for each event attachment. To change this setting, see “Changing the Calendar Attachment Limit” on page 17.
• User quota: This is the total size of all the user’s calendars and event attachments. To change this setting, see “Changing Calendar User Quotas” on page 17.
• Authentication: This is the authentication method required for calendar access. To change this setting, see “Configuring Security for iCal Service” on page 19.
• Host name: This is the fully qualified domain name in DNS. It should be in the reverse lookup domain as well. To change this setting, see “Setting the iCal Service Host Name” on page 16.
• HTTP port number: This is the port that the iCal service will use for connections. The default port is 8008. To change this setting, see “Setting the iCal Service Port Number” on page 16.

If you prefer to administer the service from the command line, you can use serveradmin. For more specific instructions, see Command-Line Administration.

Setting the iCal Service Host Name

When setting up iCal service, you must specify the host name of the iCal server. It should be a fully qualified domain name matched with a reverse lookup record. Be sure to make the appropriate changes to your firewall to allow network access to the server.

To set the host name:
1 In Server Admin, select a server and choose the iCal service.
2 Click the Settings button in the toolbar.
3 In the Host Name field, enter the host name.
4 Click Save, then restart the service.

Setting the iCal Service Port Number

When setting up the iCal service, the server is set to use TCP port 8008. If you want to change the port, you can do so in Server Admin. Be sure to make the appropriate changes to your firewall to allow network access to the server.

To set the port number:
1 In Server Admin, select a server and choose the iCal service.
2 Click the Settings button in the toolbar.
3 In the HTTP Port Number field, enter the port number.
4 Click Save, then restart the service.

Changing the Calendar Data Store Location

The data store is where the server stores all the users’ calendars and event attachments. The default location is /Library/CalendarServer/Documents/.

This location is relative to the local file system, so if the storage location is on a network volume, enter the local filesystem mount point and not a network URL.

To change the default data store:
1 In Server Admin, select a server and choose the iCal service.
2 Click the Settings button in the toolbar.
3 In the Data Store field, enter the new location.
  Alternately, click the Choose button and navigate to the new location.
4 Click Save, then restart the service.

Changing the Calendar Attachment Limit

Each event on a calendar can have one or more files attached to it. All invitees to the event can access the attachments. The maximum attachment size is the maximum total size of all attachments for an event. There is no limit to the total number of files attached to a single event except for the calendar user’s storage quota.

To set the attachment size limit:
1 In Server Admin, select a server and choose the iCal service.
2 Click the Settings button in the toolbar.
3 In the Maximum Attachment Size field, enter the file size (in MB).
4 Click Save, then restart the service.

Changing Calendar User Quotas

Each calendar user has a disk quota. This quota is the total possible size of all the user’s calendars and event attachments. Quotas are not set on a per-user basis. They are set globally for all users. Do not allow the total of all your users’ quotas to exceed the storage capacity of the data store.

To change the user quota:
1 In Server Admin, select a server and choose the iCal service.
2 Click the Settings button in the toolbar.
3 In the User Quota field, enter the quota amount (in MB).
4 Click Save, then restart the service.

Enabling iCal Service for a User or Group

There are two places where a user or group can be authorized to use iCal service. One is in a Service Access Control List (SACL), the other is in the user’s directory record. The SACL is the overall authorization for using the service, while the directory record enables use of the service.

If the SACL for iCal service has been set for a user or group, the SACL takes precedence over the directory record setting. For a user or group to use iCal service, authorization must be enabled in the SACL and the directory record.

These instructions assume iCal service has been configured and started.
To enable iCal service for a user or group:
1 Open Server Admin and select the server from the Servers list.
2 Click Settings.
3 Click Access.
4 Make sure either “For all services” or “iCal service” is selected from the Service list. “For all services” makes changes to all services. Selecting “iCal service” only changes the SACL for iCal service.
5 To provide unrestricted access to iCal service, click “Allow all users and groups.” To restrict access to specific users and groups:
  a Select “Allow only users and groups below.”
  b Click the Add (+) button to open the Users & Groups drawer.
  c Drag users and groups from the Users & Groups drawer to the list.
6 Click Save.
  The SACL for iCal service is configured. Now enable the user’s calendar in the directory record.
7 Open Workgroup Manager.
8 Authenticate to the directory as the directory administrator.
9 At the top of the application window, click the Accounts button to select the directory you want to edit.
10 Select the users who will have iCal service access. Group calendars can only be enabled by using the group Wiki and Blog setting and then enabling the web calendar feature.
11 Click the Advanced tab of the user record.
12 Select Enable Calendaring and choose the calendaring server from the pop-up list.
13 Click Save.

Defining Who Can View or Edit Group Calendars

Group calendar privileges are administered through Apple Wiki service. You enable group calendars and define access privileges for the group calendar using Workgroup Manager’s view of the group record, or Directory’s (the utility) view of the group record.

This is true whether the calendar is viewed in a CalDAV-compatible calendar client or in a web browser. Administration of fine-grained access control of group calendars must be performed in the directory record for the group.
For more information on using group calendars, see Web Technologies Administration or the online help in the Apple Wiki group pages.

Defining Who Can View or Edit User Calendars

Every user can create and remove calendar events in his or her own calendars in iCal service. When users want to have someone else edit their calendars, they want to delegate (or assign a proxy to) the calendar management. iCal service supports calendar viewing and editing delegates, allowing designated persons to read or write a user’s calendars.

Calendar delegation is not configured on the server side. To set up a delegate, you use the calendar client software. Apple’s Directory application lets you choose delegates for resource and location calendars. To learn how to configure calendar delegation, see the documentation for your calendar client.

When you want a user to have a read-only calendar, you can publish the URL of the iCal service calendar and he or she can subscribe to a static (.ics) read-only version. To learn how to publish and subscribe to a calendar (.ics file), see the documentation for your calendar client.

Configuring Security for iCal Service

Security for iCal service consists of two main areas:
• Securing the authentication: This means using a method of authenticating users that is secure and doesn’t pass the login credentials in clear text over the network. The high-security authentication used pervasively in Mac OS X Server is Kerberos v5. To learn how to configure secure authentication, see “Choosing and Enabling Secure Authentication for iCal Service” on page 19.
• Securing the data transport: This means encrypting the network traffic between the calendar client and the calendar server. When the transport is encrypted, no one can analyze the network traffic and reconstruct the contents of the calendar. iCal service uses SSL to encrypt the data transport.
  To learn how to configure and enable SSL for iCal service, see “Configuring and Enabling Secure Network Traffic for iCal Service” on page 20.

Choosing and Enabling Secure Authentication for iCal Service

Users authenticate to iCal service through one of the following methods:
• Kerberos v.5: This method uses strong encryption and is used in Mac OS X for single sign-on to services offered by Mac OS X Server.
• Digest (RFC 2617): This method sends secure login names and encrypted passwords without the use of a trusted third party (like the Kerberos realm), and is usable without maintaining a Kerberos infrastructure.
• Any: This includes both Kerberos v.5 and Digest authentication. The client can choose the most appropriate method for what it can support.

You can set the required authentication method using Server Admin. To enable the highest security, choose a method other than “Any.”

To choose an authentication method:
1 In Server Admin, select a server and choose the iCal service.
2 Click the Settings button in the toolbar.
3 Select the method from the Authentication pop-up menu.
4 Click Save, then restart the service.

Configuring and Enabling Secure Network Traffic for iCal Service

When you enable Secure Sockets Layer (SSL), you encrypt all the data sent between the iCal server and the client. To enable SSL, you must select a Certificate. If you use the Default self-signed certificate, the clients must choose to trust the certificate before they can make a secure connection.

To enable secure network traffic using SSL transport:
1 In Server Admin, select a server and choose the iCal service.
2 Click the Settings button in the toolbar.
3 Click Enable Secure Sockets Layer (SSL).
4 Choose a TCP port for SSL to communicate on. The default port is 8443.
5 Choose the certificate to be used for encryption.
6 Click Save, then restart the service.
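The authentication and SSL choices made in Server Admin end up in /etc/caldavd/caldavd.plist (see “Understanding iCal Service Administration Configuration Files”), so they can be re-checked from the file itself. The following audit script is an added example, not Apple’s or the Calendar Server project’s code; the plist key names it reads (ServerHostName, HTTPPort, SSLPort, EnableSSL, Authentication with Basic/Digest/Kerberos Enabled flags, UserQuota, MaximumAttachmentSize) are assumed from the open-source Calendar Server configuration format and should be verified against your own file.

```python
"""Audit the security-relevant settings in a caldavd.plist (added example, not Apple's code).

Key names are assumed from the open-source Calendar Server configuration format and
should be checked against your own /etc/caldavd/caldavd.plist before relying on them.
"""
import plistlib

# Constructed sample resembling a server left on the defaults this chapter tells you
# to change: plain HTTP on 8008, SSL off, and authentication effectively set to "Any".
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ServerHostName</key><string>calendar.example.com</string>
  <key>HTTPPort</key><integer>8008</integer>
  <key>SSLPort</key><integer>8443</integer>
  <key>EnableSSL</key><false/>
  <key>Authentication</key>
  <dict>
    <key>Basic</key><dict><key>Enabled</key><true/></dict>
    <key>Digest</key><dict><key>Enabled</key><true/></dict>
    <key>Kerberos</key><dict><key>Enabled</key><true/></dict>
  </dict>
  <key>UserQuota</key><integer>104857600</integer>
  <key>MaximumAttachmentSize</key><integer>1048576</integer>
</dict>
</plist>
"""

# The same server after following "Configuring Security for iCal Service":
# Kerberos only, SSL on its own port.
HARDENED = {
    "ServerHostName": "calendar.example.com", "HTTPPort": 8008, "SSLPort": 8443,
    "EnableSSL": True,
    "Authentication": {"Basic": {"Enabled": False}, "Digest": {"Enabled": False},
                       "Kerberos": {"Enabled": True}},
    "UserQuota": 104857600, "MaximumAttachmentSize": 1048576,
}


def audit(config):
    """Return (severity, message) findings for a parsed caldavd.plist dictionary."""
    findings = []
    auth = config.get("Authentication", {})
    on = {m: bool(auth.get(m, {}).get("Enabled", False)) for m in ("Basic", "Digest", "Kerberos")}
    ssl = bool(config.get("EnableSSL", False))

    if not any(on.values()):
        findings.append(("high", "no authentication method is enabled"))
    # Basic is not offered in Server Admin's pop-up menu; if it is on in the file and
    # SSL is off, passwords cross the network in clear text.
    if on["Basic"] and not ssl:
        findings.append(("high", "Basic authentication enabled without SSL"))
    # Server Admin's "Any" means Digest and Kerberos both enabled; the guide says to
    # pick a single method for the highest security.
    if on["Digest"] and on["Kerberos"]:
        findings.append(("medium", "authentication is 'Any': a client may fall back from Kerberos to Digest"))
    if not ssl:
        findings.append(("high", f"SSL disabled: calendar data travels unencrypted on port {config.get('HTTPPort', 8008)}"))
    elif config.get("SSLPort") == config.get("HTTPPort"):
        findings.append(("high", "SSLPort equals HTTPPort"))
    if not config.get("ServerHostName"):
        findings.append(("medium", "ServerHostName empty: set the FQDN that has a reverse DNS record"))
    quota, attach = config.get("UserQuota", 0), config.get("MaximumAttachmentSize", 0)
    if quota and attach and attach > quota:
        findings.append(("low", "MaximumAttachmentSize exceeds UserQuota"))
    return findings


def audit_plist_bytes(data):
    """Parse an XML plist given as bytes and audit it."""
    return audit(plistlib.loads(data))


def load_and_audit(path="/etc/caldavd/caldavd.plist"):
    """Audit the live configuration file (needs read access to /etc/caldavd)."""
    with open(path, "rb") as fh:
        return audit_plist_bytes(fh.read())


if __name__ == "__main__":
    for label, findings in (("sample", audit_plist_bytes(SAMPLE_PLIST)), ("hardened", audit(HARDENED))):
        print(f"{label}: {len(findings)} finding(s)")
        for sev, msg in findings:
            print(f"  [{sev.upper()}] {msg}")
```

Run it on the server after every Save and restart; an empty result for the live file means the authentication and SSL settings match what the two procedures above configure.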
Monitoring iCal Service

To keep iCal service operating smoothly, you must monitor service logs as well as current statistics. The following sections contain more information about monitoring iCal service:
• "Viewing iCal Service Vital Statistics" on page 21
• "Viewing iCal Service Logs" on page 21

Viewing iCal Service Vital Statistics

The iCal service Overview pane lets you keep track of the following vital statistics. These statistics can help you plan disk and CPU resource usage:
• Total disk usage
• Number of accounts
• Total number of user calendars
• Number of group calendars
• Number of location calendars
• Number of resource calendars
• Total number of events
• Total number of todo lists

To view iCal service statistics:
1. In Server Admin, select a server and choose the iCal service.
2. Click the Overview button in the toolbar.

Viewing iCal Service Logs

iCal service keeps two logs: one for access and one for errors. You can view and filter the logs to troubleshoot the service or monitor overall service reliability.

To view the logs:
1. In Server Admin, select a server and choose the iCal service.
2. Click the Logs button in the toolbar.
3. Select a log from the View pop-up menu.
4. Filter the log for specific text strings by using the text filter field.

Maintaining iCal Service

The following sections contain information that will assist an iCal service administrator in keeping the iCal service working smoothly.

Understanding iCal Service Administration Configuration Files

You should perform all administration of iCal service using Server Admin or the serveradmin tool. If Server Admin or serveradmin is unavailable, iCal service can be configured and run from the command line using built-in tools. The following are files used to run iCal service:

• /etc/caldavd/caldavd.plist: The main configuration file for caldavd.
It is an XML property list of server options and provides such information as the port to bind to and whether to use SSL. The names of other files can be specified in it.
• /var/log/caldavd/access.log: The server's main log file.
• /var/run/caldavd.pid: The server's process ID file.
• /usr/share/caldavd: Implementation and support files.

Understanding Calendar Files

Each calendar event is stored as an .ics file in the main data store. These .ics files can suffer accidental data corruption (due to disk errors or software bugs) that can disrupt service. iCal service also maintains sqlite database files at each level of the file hierarchy to speed data retrieval.

To troubleshoot or resolve problems, an administrator can inspect these files. Each event and calendar .ics file can be inspected or tested for file integrity and removed if corrupt. Additionally, the sqlite databases are disposable (with one exception) and are recreated as needed. You can use the built-in sqlite command-line tools to query or test the database files, or just delete them; they are rebuilt when needed.

WARNING: The delegate sqlite database file at the top of the /principals/ hierarchy is not disposable. It contains all delegate (proxy) relationships. Do not delete this file.

To access the files, you need root access to the /Library/CalendarServer/Documents/ folder and its subfolders. For more information about the calendar file hierarchy, see Chapter 3, "Advanced iCal Service Information."

Backing Up and Restoring Calendar Files

In addition to backing up the configuration files listed in "Understanding iCal Service Administration Configuration Files" on page 21, you should back up the data store. The location of the data store is shown in the Settings tab of the iCal service administration pane of Server Admin. Because iCal service files are flat files, you can use any backup procedure you want to save the files.
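The text filter in Server Admin is enough for a quick look at the access log listed above. For routine review of /var/log/caldavd/access.log an administrator usually wants the same questions answered automatically, such as which clients are repeatedly failing authentication and against which principal paths, so that a misconfigured client or an unwanted scanner shows up without reading every line. The following is an added example, not Apple's code. It assumes the access log uses the Apache combined log format (compare a real line from your server against the pattern before relying on it), and the log lines it processes are constructed for the example.

```python
"""Summarize authentication failures in a caldavd access log (added example).

Not Apple's code. Assumes combined log format; the sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample lines: one scanner probing several principals, one client with a single 401.
SAMPLE_LOG = """\
10.0.0.5 - alice [03/Oct/2007:12:30:11 -0700] "PROPFIND /calendars/users/alice/ HTTP/1.1" 207 1532 "-" "DAVKit/2.0"
10.0.0.9 - - [03/Oct/2007:12:30:12 -0700] "PROPFIND /principals/users/bob/ HTTP/1.1" 401 0 "-" "curl/7.16"
10.0.0.9 - - [03/Oct/2007:12:30:13 -0700] "PROPFIND /principals/users/bob/ HTTP/1.1" 401 0 "-" "curl/7.16"
10.0.0.9 - - [03/Oct/2007:12:30:14 -0700] "PROPFIND /principals/users/carol/ HTTP/1.1" 401 0 "-" "curl/7.16"
10.0.0.9 - - [03/Oct/2007:12:30:15 -0700] "PROPFIND /principals/users/dave/ HTTP/1.1" 401 0 "-" "curl/7.16"
10.0.0.9 - - [03/Oct/2007:12:30:16 -0700] "PROPFIND /principals/users/erin/ HTTP/1.1" 401 0 "-" "curl/7.16"
10.0.0.7 - bob [03/Oct/2007:12:31:02 -0700] "REPORT /calendars/users/bob/calendar/ HTTP/1.1" 207 8820 "-" "DAVKit/2.0"
10.0.0.7 - - [03/Oct/2007:12:31:05 -0700] "PUT /calendars/users/bob/calendar/1.ics HTTP/1.1" 401 0 "-" "DAVKit/2.0"
garbage line that does not parse
"""

# Combined log format: client, ident, user, timestamp, request line, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[dict]:
    """Return one parsed record, or None when the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def status_counts(log_text: str) -> Counter:
    """Count responses by HTTP status, skipping lines that do not parse."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec["status"]] += 1
    return counts


def auth_failures(log_text: str, threshold: int = 3, window_s: int = 60) -> Dict[str, List[str]]:
    """Map each client with >= threshold 401 responses inside window_s seconds to the paths it hit."""
    by_ip: Dict[str, list] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            by_ip[rec["ip"]].append(rec)
    flagged: Dict[str, List[str]] = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        # Sliding window: does any run of `threshold` consecutive failures fit in `window_s`?
        for i in range(len(recs) - threshold + 1):
            span = (recs[i + threshold - 1]["time"] - recs[i]["time"]).total_seconds()
            if span <= window_s:
                flagged[ip] = sorted({r["path"] for r in recs})
                break
    return flagged


if __name__ == "__main__":
    print("status counts:", dict(status_counts(SAMPLE_LOG)))
    for ip, paths in auth_failures(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct paths returned 401 within the window")
```

Feed it the real file with `auth_failures(open("/var/log/caldavd/access.log").read())`; the threshold and window are parameters so the same function serves a quiet departmental server and a busy one. A client listed with one path is usually a stale password in a calendar client; many distinct principal paths from one address is the pattern worth a closer look.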
You should maintain the original files' POSIX permissions and ACL entries. Your backup solution must preserve extended attributes. You don't need to back up the calendar database files in the file hierarchy; they are disposable. However, the delegate database file at the top of the /principals/ hierarchy must be backed up. It contains all proxy/delegate relationships. Your backup software needs root access to the /Library/CalendarServer/Documents/ folder and its subfolders to back them up.

Mac OS X Server provides several command-line tools for data backup and restoration:
• rsync: Use to keep a backup copy of your data in sync with the original. The rsync tool copies only files that have changed, but always copies all extended attributes.
• ditto: Use to perform full file-level backups.
• asr: Use to back up and restore an entire volume at the disk block level.

For more information about these commands, see Command-Line Administration. The Mac OS X v10.5 Time Machine feature is not recommended for server file and system backup of advanced configuration servers.

Note: You can use the launchctl command to automate data backup using the mentioned commands. For more information about using launchd, see Command-Line Administration.

Deleting Unused Calendars

For security, privacy, or disk usage reasons, you may need to delete unused calendars. After calendar files and folders are created in the data store, they are not removed when a user, group, or resource is removed from the directory. This could cause unintended service behavior if a user, group, or resource is later created with the same name as the defunct one.

When a user, group, or resource is no longer actively using the calendar, you can delete the files, which include calendars, events, todo lists, and attachments. To do so, delete the user folder from the data store manually.
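The three inspections this chapter describes for the data store, testing .ics files for integrity, testing the disposable sqlite indexes, and finding folders left behind by directory records that no longer exist, can be done in one pass before you decide what to delete or restore. The following is an added example and not Apple's code. It builds a small constructed data store in a temporary folder laid out as in the Chapter 3 table; the type folder name it uses ("users"), the index file name (".db.sqlite") and the delegate database file name ("delegates.sqlite") are placeholders because this guide does not give them, and the list of directory records is constructed. The script only reports; deleting an orphaned folder stays the manual step described above.

```python
"""Audit an iCal service data store (added example, not Apple's code).

Assumed layout from the Chapter 3 table: ./calendars/<type>/<name>/calendar/*.ics and
./principals/<type>/<name>/. The type folder name ("users"), the sqlite index name and
the delegate database name used below are placeholders; supply your own.
"""
import os
import sqlite3
import tempfile
from typing import Dict, List, Set


def check_ics(text: str) -> List[str]:
    """Return structural problems in one iCalendar file (empty list = looks sound)."""
    problems: List[str] = []
    lines = [l.rstrip("\r") for l in text.splitlines() if l.strip()]
    if not lines or lines[0] != "BEGIN:VCALENDAR" or lines[-1] != "END:VCALENDAR":
        problems.append("missing VCALENDAR wrapper (truncated or not an iCalendar file)")
    stack: List[str] = []
    for line in lines:
        if line[0] in " \t":
            continue  # folded continuation line (RFC 2445 line folding)
        if line.startswith("BEGIN:"):
            stack.append(line[6:])
        elif line.startswith("END:"):
            if not stack or stack.pop() != line[4:]:
                problems.append(f"unbalanced {line}")
        elif ":" not in line and ";" not in line:
            problems.append(f"malformed property line: {line[:40]!r}")
    if stack:
        problems.append(f"unclosed components: {stack}")
    if ("BEGIN:VEVENT" in lines or "BEGIN:VTODO" in lines) and not any(l.startswith("UID:") for l in lines):
        problems.append("component without UID")
    return problems


def sqlite_ok(path: str) -> bool:
    """Run sqlite's own integrity_check; a corrupt file or a non-database file fails."""
    try:
        db = sqlite3.connect(path)
        try:
            return db.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
        finally:
            db.close()
    except sqlite3.DatabaseError:
        return False


def audit_store(root: str, directory_records: Set[str], delegate_db: str) -> Dict[str, list]:
    """Report corrupt .ics files, failing sqlite files, orphaned folders and a missing delegate DB."""
    report: Dict[str, list] = {"bad_ics": [], "bad_sqlite": [], "orphans": [], "missing": []}
    delegate_path = os.path.join(root, "principals", delegate_db)
    if not os.path.isfile(delegate_path):
        report["missing"].append(delegate_path)  # the one database that is not disposable
    for top in ("calendars", "principals"):
        base = os.path.join(root, top)
        if not os.path.isdir(base):
            continue
        for kind in os.listdir(base):
            kind_dir = os.path.join(base, kind)
            if not os.path.isdir(kind_dir) or kind == "__uids__":
                continue
            for name in os.listdir(kind_dir):
                if name not in directory_records:
                    # Folder outlived its directory record; a same-named record would reuse it.
                    report["orphans"].append(os.path.join(top, kind, name))
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if fn.endswith(".ics"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if check_ics(fh.read()):
                        report["bad_ics"].append(os.path.relpath(full, root))
            elif fn.endswith(".sqlite") and not sqlite_ok(full):
                report["bad_sqlite"].append(os.path.relpath(full, root))
    for key in report:
        report[key].sort()
    return report


GOOD_ICS = "BEGIN:VCALENDAR\nVERSION:2.0\nBEGIN:VEVENT\nUID:evt-1\nDTSTART:20071003T190000Z\nSUMMARY:Standup\nEND:VEVENT\nEND:VCALENDAR\n"
BAD_ICS = "BEGIN:VCALENDAR\nVERSION:2.0\nBEGIN:VEVENT\nUID:evt-2\nDTSTART:2007"  # constructed: truncated by a disk error


def build_fixture() -> str:
    """Create a constructed data store in a temporary folder and return its root."""
    root = tempfile.mkdtemp(prefix="caldav-store-")

    def write(rel: str, data: bytes) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    write("calendars/users/alice/calendar/1.ics", GOOD_ICS.encode())
    write("calendars/users/alice/calendar/2.ics", BAD_ICS.encode())
    write("calendars/users/ghost/calendar/1.ics", GOOD_ICS.encode())  # "ghost" has no directory record
    write("principals/users/alice/.db.sqlite", b"not a database at all")  # corrupt, disposable index
    os.makedirs(os.path.join(root, "principals", "__uids__"), exist_ok=True)
    db = sqlite3.connect(os.path.join(root, "principals", "delegates.sqlite"))
    db.execute("CREATE TABLE proxies (principal TEXT, member TEXT)")
    db.commit()
    db.close()
    return root


def run_demo() -> Dict[str, list]:
    """Audit the constructed store against a constructed list of directory records."""
    return audit_store(build_fixture(), {"alice", "bob"}, "delegates.sqlite")


if __name__ == "__main__":
    for key, items in run_demo().items():
        print(key, items)
```

Against a live server, call `audit_store("/Library/CalendarServer/Documents", records, "<your delegate db name>")` as root, with `records` built from the names of the user, group, resource and location records in your directory; a folder in "orphans" is a candidate for the manual deletion above, a file in "bad_sqlite" can simply be removed so the service rebuilds it, and anything in "missing" means the delegate relationships would be lost on a restore.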
If you delete the files for security or privacy reasons, use a secure-delete tool like the Mac OS X command-line tool srm. For command usage, see the srm man page. To delete the files, you need root access to the /Library/CalendarServer/Documents/ folder and its subfolders.

Chapter 3 Advanced iCal Service Information

This chapter contains detailed information about iCal service that is suitable for advanced system administrators.

iCal service provides calendar sharing, collaboration, and synchronization through the CalDAV protocol. CalDAV is a standard for accessing calendars using WebDAV. It is used to store, query, and retrieve collections of iCalendar (.ics) standard events and todos (tasks) from a CalDAV-enabled server to any suitable client. It is an open standard that allows different software products from many development sources to interoperate.

CalDAV architecture treats all events (individual events in a calendar, todo lists, and out-of-office blocks) as HTTP resources. The events are transferred using standard HTTP with additional functionality to handle the special needs of calendar event management. For example, a CalDAV server must use WebDAV access control (RFC 3744), must be able to parse iCalendar files (RFC 2445), and must be able to conduct calendaring-specific operations such as free-busy time lookup and expanding repeating events.

Each event is an iCalendar (.ics) formatted file. These events are grouped in collections (user-perceived calendars) and indexed for searching and quick retrieval.

Understanding Service Implementation Details

The following sections describe iCal service implementation details, including tools, user provisioning, and process management.

Configuration Tools

iCal service uses two front-end tools:
• Server Admin for Mac OS X
• A combination of caldavd and caladmin for the command-line interface of Darwin server.
In both cases, the front ends read from a configuration plist file (/etc/caldavd/caldavd.plist) to set service parameters. The plist file is an XML property list that specifies server options such as:
• The network TCP port to bind to
• Whether to use SSL
• The names and locations of support files

User Provisioning

iCal service users are provisioned in Open Directory. If you don't have an Open Directory infrastructure, there are several ways to provide iCal service to users authenticated through other directory systems.

If you are using Active Directory (AD), you can use the AD plug-in to Open Directory and make an Open Directory server that forwards authentication requests to the AD domain. This method adds the needed directory schema keys and values to what's returned from the AD domain, allowing use of iCal service without changing the AD directory schema.

The easiest way to enable this is to install Mac OS X Server in workgroup configuration mode, attached to the AD directory. All necessary configuration parameters on Mac OS X Server are done for you. To find out more about workgroup configuration, see Getting Started and Server Administration.

If you install on an advanced configuration server, you must configure your server manually. To find out more about configuring an advanced configuration server to work with Active Directory, see Open Directory Administration.

Process and Load Management

The daemon for iCal service has several functional modes. It can be run in master, slave, or combined mode.

• The master process: Acts as a load balancer for slave-mode daemons. When iCal service is running in this mode, it forwards calendar connection requests to another instance of the daemon running in slave mode.

• The slave process: Accepts forwarded connections delegated by the master process. This process replies to client requests and accesses the calendar data store, answers HTTP requests, and does event parsing.
• The combined process (default): Acts as both master and slave. It spawns one slave process for every processor core available on the system. It also acts as its own load-balancing master, delegating connections to its own spawned slave-mode daemons.

For these processes to be balanced, they must have a shared storage location. This can be as simple as a single file system location for a multiprocessor Xserve. If the processes are spread between several servers, the servers must use a shared storage solution like Xsan. If the master processes can't adequately distribute the load, you can use a hardware load balancer built to handle web connections.

Implementation Details

iCal service is implemented in Python v2.4 or later, using the Twisted network framework. This open source framework gives excellent network performance using an asynchronous networking model without needing to use threads. The Twisted framework does not support WebDAV level 2 locking or WebDAV versioning (neither of which is required for CalDAV).

The following are software dependencies in implementing the service:
• Third-party tools: Twisted, pyXML, pyOpenSSL, pysqlite, vobject, xattr, dateutil, ZOPEInterface
• Apple-provided tools: PyKerberos, PyOpenDirectory

Understanding the Data Store File Hierarchy

The main data store location is specified in the Settings tab of the iCal service administration pane in Server Admin. By default it is /Library/CalendarServer/Documents/. This is the organization of the data store (location, then description):

./principals/…/
    Contains folders for each user or group that has been granted calendar access and that has logged in to the service at least once.
./principals/…/
    Contains folders for each resource or location that has been granted calendar access and that has had its calendar accessed at least once.
./principals/sudoers
    Contains folders for each calendar service administrator.
./principals/__uids__
    Contains folders for every user, group, resource, or location, using its directory-record unique identifier as the name.
./principals/…/…/
    An HTTP resource that represents the calendar user or group settings in the directory service.
./principals/…/…/calendar-proxy-read and ./principals/…/…/calendar-proxy-write
    Identify the principals used to provide calendar delegate rights to other users.
./calendars/…/
    Contains folders for each user or group that has created at least one event, todo, or calendar.
./calendars/…/
    Contains folders for each resource or location that has accepted at least one event, todo, or calendar.
./calendars/…/…/calendar
    Contains iCalendar (.ics) files for each event in the principal's calendar.
./calendars/…/…/inbox
    Contains iTIP file invitations to other users' pending events.
./calendars/…/…/outbox
    Contains iTIP file invitations waiting to be distributed to invitees.
./calendars/…/…/dropbox
    Contains files attached to events, either from a user's self-created event or from participant events.

Getting the Source Code

iCal service is available as open source software under the Apache 2.0 license. The code and comments can be inspected. Administrators who want to contribute features or bug fixes can do so at the project site calendarserver.org.
Where to Go for Additional Information

Related Web Sites
• Open Source project site: calendarserver.org
• Industry calendaring and scheduling consortium: calconnect.org

Standards Documents

iCalendar Standards
• RFC 2445: Internet Calendaring and Scheduling Core Object Specification (iCalendar)
• RFC 2446: iCalendar Transport-Independent Interoperability Protocol (iTIP)
• RFC 2447: iCalendar Message-Based Interoperability Protocol (iMIP)
• RFC 3283: Guide to Internet Calendaring

Revised Standards (in progress)
• DRAFT RFC 2445bis: Internet Calendaring and Scheduling Core Object Specification (iCalendar)
• DRAFT RFC 2446bis: iCalendar Transport-Independent Interoperability Protocol (iTIP)
• DRAFT RFC 2447bis: iCalendar Message-Based Interoperability Protocol (iMIP)

HTTP Standards
• RFC 2616: Hypertext Transfer Protocol—HTTP/1.1
• RFC 2617: HTTP Authentication: Basic and Digest Access Authentication
• RFC 4559: SPNEGO-based Kerberos and NTLM HTTP Authentication

WebDAV Standards
• RFC 2518: HTTP Extensions for Distributed Authoring—WEBDAV
• DRAFT RFC 2518bis: HTTP Extensions for Distributed Authoring—WEBDAV
• RFC 3253: Versioning Extensions to WebDAV
• RFC 3744: WebDAV Access Control Protocol
• RFC 4331: Quota and Size Properties for Distributed Authoring and Versioning (DAV) Collections

CalDAV Standards
• RFC 4791: Calendaring Extensions to WebDAV (CalDAV)
• DRAFT: Scheduling Extensions to CalDAV

Glossary

access control: A method of controlling which computers or users can access a network or network services.
access control list: See ACL.
ACL: Access Control List. A list, maintained by a system, that defines the rights of users and groups to access resources on the system.
Active Directory: The directory and authentication service of Microsoft Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2.
administrator: A user with server or directory domain administration privileges. Administrators are always members of the predefined "admin" group.
authentication: The process of proving a user's identity, typically by validating a user name and password. Usually authentication occurs before an authorization process determines the user's level of access to a resource. For example, file service authorizes full access to folders and files that an authenticated user owns.
authorization: The process by which a service determines whether it should grant a user access to a resource and how much access the service should allow the user to have. Usually authorization occurs after an authentication process proves the user's identity. For example, file service authorizes full access to folders and files that an authenticated user owns.
back up (verb): The act of creating a backup.
backup (noun): A collection of data that's stored for the purpose of recovery in case the original copy of data is lost or becomes inaccessible.
balance: An Xsan storage pool allocation strategy. Before allocating space on a volume consisting of more than one storage pool, Xsan checks available storage on all pools, and then uses the one with the most free space.
blog: A webpage that presents chronologically ordered entries. Often used as an electronic journal or newsletter.
CalDAV: A standard protocol to enable calendar access via WebDAV. CalDAV models events (meetings, appointments, blocked-off time, or todo tasks) as HTTP resources in iCalendar format.
certificate: Sometimes called an "identity certificate" or "public key certificate." A file in a specific format (Mac OS X Server uses the X.509 format) that contains the public key half of a public-private key pair, the user's identity information such as name and contact information, and the digital signature of either a Certificate Authority (CA) or the key user.
Certificate Authority: An authority that issues and manages digital certificates in order to ensure secure transmission of data on a public network. See also certificate.
certification authority: See Certificate Authority.
cleartext: Data that hasn't been encrypted.
command line: The text you type at a shell prompt when using a command-line interface.
command-line interface: A way of interacting with the computer (for example, to run programs or modify file system permissions) by entering text commands at a shell prompt.
daemon: A program that runs in the background and provides important system services, such as processing incoming email or handling requests from the network.
DHCP: Dynamic Host Configuration Protocol. A protocol used to dynamically distribute IP addresses to client computers. Each time a client computer starts up, the protocol looks for a DHCP server and then requests an IP address from the DHCP server it finds. The DHCP server checks for an available IP address and sends it to the client computer along with a lease period—the length of time the client computer may use the address.
digest: A computationally efficient function mapping binary strings of arbitrary length to binary strings of some fixed length.
directory domain: A specialized database that stores authoritative information about users and network resources; the information is needed by system software and applications. The database is optimized to handle many requests for information and to find and retrieve information quickly. Also called a directory node or simply a directory.
directory services: Services that provide system software and applications with uniform access to directory domains and other sources of information about users and resources.
disk: A rewritable data storage device.
DNS: Domain Name System. A distributed database that maps IP addresses to domain names.
A DNS server, also known as a name server, keeps a list of names and the IP addresses associated with each name.
DNS domain: A unique name of a computer used in the Domain Name System to translate IP addresses and names. Also called a domain name.
domain: Part of the domain name of a computer on the Internet. It does not include the top-level domain designator (for example, .com, .net, .us, .uk). Domain name "www.example.com" consists of the subdomain or host name "www," the domain "example," and the top-level domain "com."
domain name: See DNS name.
Domain Name System: See DNS.
file system: A scheme for storing data on storage devices that allows applications to read and write files without having to deal with lower-level details.
firewall: Software that protects the network applications running on your server. IP firewall service, which is part of Mac OS X Server software, scans incoming IP packets and rejects or accepts these packets based on a set of filters you create.
host name: A unique name for a computer, historically referred to as the UNIX hostname.
HTTP: Hypertext Transfer Protocol. The client/server protocol for the World Wide Web. HTTP provides a way for a web browser to access a web server and request hypermedia documents created using HTML.
Hypertext Transfer Protocol: See HTTP.
iCalendar: (RFC 2445) iCalendar is a standard for calendar and todo (task) data exchange. Sometimes this standard is called "iCal," which is also the name of Apple's calendar product that implements the iCalendar standard.
iTIP: iCalendar Transport-Independent Interoperability Protocol. A protocol standard that defines a method for exchanging iCalendar information for group calendaring and scheduling between calendar users.
KDC: Kerberos Key Distribution Center. A trusted server that issues Kerberos tickets.
Kerberos: A secure network authentication system. Kerberos uses tickets, which are issued for a specific user, service, and period of time.
After a user is authenticated, it's possible to access additional services without retyping a password (called single sign-on) for services that have been configured to take Kerberos tickets. Mac OS X Server uses Kerberos v5.
Kerberos Key Distribution Center: See KDC.
Kerberos realm: The authentication domain comprising the users and services that are registered with the same Kerberos server. The registered users and services trust the Kerberos server to verify each other's identities.
LDAP: Lightweight Directory Access Protocol. A standard client-server protocol for accessing a directory domain.
Lightweight Directory Access Protocol: See LDAP.
Mac OS X: The latest version of the Apple operating system. Mac OS X combines the reliability of UNIX with the ease of use of Macintosh.
Mac OS X Server: An industrial-strength server platform that supports Mac, Windows, UNIX, and Linux clients out of the box and provides a suite of scalable workgroup and network services plus advanced remote management tools.
mount (verb): To make a remote directory or volume available for access on a local system. In Xsan, to cause an Xsan volume to appear on a client's desktop, just like a local disk.
mount point: In streaming, a string used to identify a live stream, which can be a relayed movie stream, a nonrelayed movie stream, or an MP3 stream. Mount points that describe live movie streams always end with a .sdp extension.
Open Directory: The Apple directory services architecture, which can access authoritative information about users and network resources from directory domains that use LDAP, Active Directory protocols, or BSD configuration files, and network services.
Open Directory master: A server that provides LDAP directory service, Kerberos authentication service, and Open Directory Password Server.
PID: Process ID. A number assigned to a UNIX process when it starts. The PID allows you to refer to the process at a later time.
plaintext: Text that hasn't been encrypted.
port: A server uses port numbers to determine which application should receive data packets. Firewalls use port numbers to determine whether data packets are allowed to traverse a local network. "Port" usually refers to either a TCP or UDP port.
privileges: The right to access restricted areas of a system or perform certain tasks (such as management tasks) in the system.
process: A program that has started executing and has a portion of memory allocated to it.
process ID: See PID.
realm: General term with multiple applications. See WebDAV realm, Kerberos realm.
root: An account on a system that has no protections or restrictions. System administrators use this account to make changes to the system's configuration.
SACL: Service Access Control List. Lets you specify which users and groups have access to specific services. See ACL.
server: A computer that provides services (such as file service, mail service, or web service) to other computers or network devices.
standalone server: A server that provides services on a network but doesn't get directory services from another server or provide directory services to other computers.
TCP: Transmission Control Protocol. A method used with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. IP handles the actual delivery of the data, and TCP keeps track of the units of data (called packets) into which a message is divided for efficient routing through the Internet.
Transmission Control Protocol: See TCP.
Uniform Resource Locator: See URL.
URL: Uniform Resource Locator. The address of a computer, file, or resource that can be accessed on a local network or the Internet. The URL is made up of the name of the protocol needed to access the resource, a domain name that identifies a specific computer on the Internet, and a hierarchical description of a file location on the computer.
WebDAV: Web-based Distributed Authoring and Versioning.
A live authoring environment that allows client users to check out webpages, make changes, and then check the pages back in to the site while the site is running.
WebDAV realm: A region of a website, usually a folder or directory, that's defined to provide access for WebDAV users and groups.
weblog: See blog.
Weblog service: The Mac OS X Server service that lets users and groups securely create and use blogs. Weblog service uses Open Directory authentication to verify the identity of blog authors and readers. If accessed using a website that's SSL enabled, Weblog service uses SSL encryption to further safeguard access to blogs.

Index

A
access: ACLs 22; delegating 19, 22, 26; permissions 18, 22; SACLs 17; user 17, 18
ACLs (access control lists) 22
Active Directory 26
asr tool 23
attachments 17
authentication 10, 15, 19
authorization 17

B
backups, calendar file 22

C
CalConnect Consortium 10
CalDAV (Calendar-Based Distributed Authoring and Versioning) protocol 10, 11, 25, 29
calendar service. See iCal service
certificates 20
clients: delegating access 19; integration with iCal 11. See also users
command-line tools 22
configuration: advanced tools 25; overview 13; sample 12
configuration files 21

D
Darwin Calendar Server project 10
data store 16, 22, 27
data transport encryption 20
delegating access 19, 22, 26
digest authentication 20
directory record settings, user 17
directory services 10, 26
disk quotas 17
ditto tool 23
DNS (Domain Name System) service 16
documentation 6, 7, 8, 29
Domain Name System. See DNS
domains, directory 10, 26

E
encryption 19, 20
error messages. See troubleshooting
events: attachments 17; and CalDAV architecture 25; file organization 22; iCalendar standard 10

F
files: calendar 22; configuration 21; hierarchy 27; plist 26
file systems: data store 16, 22, 27; overview 11; and processes 26; and scalability 11
folders, data store hierarchy 27

G
groups 18

H
help, using 5
host name, DNS 16
HTTP (Hypertext Transfer Protocol) 10, 16, 25, 29

I
iCalendar standard 10, 29
iCal service: access control 17, 18, 19, 22, 26; deleting calendars 23; enabling 14; load management 26; maintaining 21; monitoring 20, 21; overview 5, 9, 10, 11; scalability 11; setup 12, 13, 25; shared settings 15; standards 29; starting 15; stopping 15. See also configuration
installation, planning for 13
iTIP standard 10

K
Kerberos 10, 20

L
launchctl tool 23
Leopard server. See Mac OS X Server
load balancing 26
logs 21

M
Mac OS X Server, integration with iCal 10

O
Open Directory 10, 26
open source modules 10, 20, 27
Overview pane 21

P
permissions, user 18, 22
plist files 26
ports 16
privileges, user 18, 22
problems. See troubleshooting
protocols: CalDAV 10, 11, 25, 29; HTTP 10, 16, 25, 29; and standards 10
Python 27

Q
quotas, disk 17

R
read-only calendar access 19
root permissions 23
rsync tool 22

S
SACLs (service access control lists) 17
SANs (storage area networks) 11
Secure Sockets Layer. See SSL
security: authentication 10, 15, 19; permissions 18, 22; tools 19, 20. See also access
Server Admin 15, 21
serveradmin tool 16
servers, host name setting 16
service access control lists. See SACLs
setup procedures. See configuration; installation
sqlite databases 22
SSL (Secure Sockets Layer) 20
storage area networks. See SANs

T
Time Machine 23
troubleshooting 22
Twisted network framework 27

U
users: access control 17, 18, 19; attachment quotas 17; permissions 18, 22; provisioning of 26. See also clients

V
volumes. See file systems

W
WebDAV (Web-Based Distributed Authoring and Versioning) 10, 25, 27, 29
wikis 10

X
Xsan 11