Apple MacOSXServer ICal Service Administration User Manual Mac OSXServerv10.5 I Cal Admin 10.5

User Manual: Apple MacOSXServer MacOSXServerv10.5-iCalServiceAdministration

Open the PDF directly: View PDF .
Page Count: 38

iCal Service Administration

Mac OS X Server

iCal Service Administration

For Version 10.5 Leopard

Apple Inc.

Under the copyright laws, this manual may not be

copied, in whole or in part, without the written consent

of Apple.

The Apple logo is a trademark of Apple Inc., registered

in the U.S. and other countries. Use of the “keyboard”

Apple logo (Option-Shift-K) for commercial purposes

without the prior written consent of Apple may

constitute trademark infringement and unfair

competition in violation of federal and state laws.

Every effort has been made to ensure that the

information in this manual is accurate. Apple is not

responsible for printing or clerical errors.

Apple

1 Infinite Loop

Cupertino, CA 95014-2084

408-996-1010

www.apple.com

Apple, the Apple logo, iCal, Mac, Macintosh, the Mac

logo, Mac OS, QuickTime, Xgrid, Xsan, an d Xserve are

trademarks of Apple Inc., registered in the U.S. and other

countries.

Finder is a trademark of Apple Inc.

Other company and product names mentioned herein

are trademarks of their respective companies. Mention

of third-party products is for informational purposes

only and constitutes neither an endorsement nor a

recommendation. Apple assumes no responsibility with

regard to the performance or use of these products.

Simultaneously published in the United States and

Canada.

019-0940/2007-09-01

Contents

Preface 5 About This Guide

What’s in This Guide

Using Onscreen Help

Mac OS X Server Administration Guides

Viewing PDF Guides Onscreen

Printing PDF Guides

Getting Documentation Updates

Getting Additional Information

Chapter 1 9 Understanding iCal Service

iCal Service Features

Open Standards

Directory and Client Integration

Service Scalability

Client Applications That Integrate with iCal Service

Third-Party Applications

iCal Service In Action

Chapter 2 13 Setting Up and Managing iCal Service

Minimum Requirements

Setting Up iCal Service

Enabling iCal Service for Administration

Starting or Stopping iCal Service Administration

Changing iCal Service Administration Settings

Setting the iCal Service Host Name

Setting the iCal Service Port Number

Changing the Calendar Data Store Location

Changing the Calendar Attachment Limit

Changing Calendar User Quotas

Enabling iCal Service for a User or Group

Defining Who Can View or Edit Group Calendars

Defining Who Can View or Edit User Calendars

Configuring Security for iCal Service

Contents

Choosing and Enabling Secure Authentication for iCal Service

Configuring and Enabling Secure Network Traffic for iCal Service

Monitoring iCal service

Viewing iCal Service Vital Statistics

Viewing iCal Service Logs

Maintaining iCal Service

Understanding iCal Service Administration Configuration Files

Understanding Calendar Files

Backing Up and Restoring Calendar Files

Deleting Unused Calendars

Chapter 3 25 Advanced iCal Service Information

Understanding Service Implementation Details

Understanding the Data Store File Hierarchy

Getting the Source Code

Where to Go for Additional Information

Related Web Sites

Standards Documents

Glossary 31

Index 37

Preface

About This Guide

This guide shows you how to set up and maintain networked

calendars for your organization using iCal service, the

calendar service for Mac OS X Server.

You will find information about setting up, managing, maintaining, and monitoring iCal

service to use Apple’s iCal application or other CalDAV compliant calendar application,

to access and share calendar events.

What’s in This Guide

This guide includes the following chapters:

Chapter 1, “Understanding iCal Service,” provides an overview of iCal service and how

it is used.

Chapter 2, “Setting Up and Managing iCal Service,” provides instructions for setting

up and managing iCal.

Chapter 3, “Advanced iCal Service Information,” provides detailed implementation

information about the service.

Note:

Because Apple frequently releases new versions and updates to its software,

images shown in this book may be different from what you see on your screen.

Using Onscreen Help

You can get task instructions onscreen in Help Viewer while you’re managing Leopard

Server. You can view help on a server or an administrator computer. (An administrator

computer is a Mac OS X computer with Leopard Server administration software

installed on it.)

To get help for an advanced configuration of Leopard Server:

Open Server Admin or Workgroup Manager and then:

Use the Help menu to search for a task you want to perform.

6 Preface

About This Guide

Choose Help > Server Admin Help or Help > Workgroup Manager Help to browse

and search the help topics.

The onscreen help contains instructions taken from

Server Administration

and other

advanced administration guides described in “Mac OS X Server Administration Guides,”

next.

To see the most recent server help topics:

Make sure the server or administrator computer is connected to the Internet while

you’re getting help.

Help Viewer automatically retrieves and caches the most recent server help topics from

the Internet. When not connected to the Internet, Help Viewer displays cached help

topics.

Mac OS X Server Administration Guides

Getting Started

covers installation and setup for standard and workgroup configurations

of Mac OS X Server. For advanced configurations,

Server Administration

covers planning,

installation, setup, and general server administration. A suite of additional guides, listed

below, covers advanced planning, setup, and management of individual services. You

can get these guides in PDF format from the Mac OS X Server documentation website:

www.apple.com/server/documentation

This guide... tells you how to:

Getting Started

and

Mac OS X Server Worksheet

Install Mac OS X Server and set it up for the first time.

Command-Line Administration

Install, set up, and manage Mac OS X Server using UNIX command-

line tools and configuration files.

File Services Administration

Share selected server volumes or folders among server clients

using the AFP, NFS, FTP, and SMB protocols.

iCal Service Administration

Set up and manage iCal shared calendar service.

iChat Service Administration

Set up and manage iChat instant messaging service.

Mac OS X Security Configuration

Make Mac OS X computers (clients) more secure, as required by

enterprise and government customers.

Mac OS X Server Security

Configuration

Make Mac OS X Server and the computer it’s installed on more

secure, as required by enterprise and government customers.

Mail Service Administration

Set up and manage IMAP, POP, and SMTP mail services on the

server.

Network Services Administration

Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall,

NAT, and RADIUS services on the server.

Open Directory Administration

Set up and manage directory and authentication services, and

configure clients to access directory services.

Preface

About This Guide

Viewing PDF Guides Onscreen

While reading the PDF version of a guide onscreen:

Show bookmarks to see the guide’s outline, and click a bookmark to jump to the

corresponding section.

Search for a word or phrase to see a list of places where it appears in the document.

Click a listed place to see the page where it occurs.

Click a cross-reference to jump to the referenced section. Click a web link to visit the

website in your browser.

Printing PDF Guides

If you want to print a guide, you can take these steps to save paper and ink:

Save ink or toner by not printing the cover page.

Save color ink on a color printer by looking in the panes of the Print dialog for an

option to print in grays or black and white.

Podcast Producer Administration

Set up and manage Podcast Producer service to record, process,

and distribute podcasts.

Print Service Administration

Host shared printers and manage their associated queues and print

jobs.

QuickTime Streaming and

Broadcasting Administration

Capture and encode QuickTime content. Set up and manage

QuickTime streaming service to deliver media streams live or on

demand.

Server Administration

Perform advanced installation and setup of server software, and

manage options that apply to multiple services or to the server as a

whole.

System Imaging and Software

Update Administration

Use NetBoot, NetInstall, and Software Update to automate the

management of operating system and other software used by

client computers.

Upgrading and Migrating

Use data and service settings from an earlier version of

Mac OS X Server or Windows NT.

User Management

Create and manage user accounts, groups, and computers. Set up

managed preferences for Mac OS X clients.

Web Technologies Administration

Set up and manage web technologies, including web, blog,

webmail, wiki, MySQL, PHP, Ruby on Rails, and WebDAV.

Xgrid Administration and High

Performance Computing

Set up and manage computational clusters of Xserve systems and

Mac computers.

Mac OS X Server Glossary

Learn about terms used for server and storage products.

This guide... tells you how to:

8 Preface

About This Guide

Reduce the bulk of the printed document and save paper by printing more than one

page per sheet of paper. In the Print dialog, change Scale to 115% (155% for

Getting

Started

). Then choose Layout from the untitled pop-up menu. If your printer supports

two-sided (duplex) printing, select one of the Two-Sided options. Otherwise, choose

2 from the Pages per Sheet pop-up menu, and optionally choose Single Hairline from

the Border menu. (If you’re using Mac OS X v10.4 or earlier, the Scale setting is in the

Page Setup dialog and the Layout settings are in the Print dialog.)

You may want to enlarge the printed pages even if you don’t print double sided,

because the PDF page size is smaller than standard printer paper. In the Print dialog or

Page Setup dialog, try changing Scale to 115% (155% for

Getting Started

, which has CD-

size pages).

Getting Documentation Updates

Periodically, Apple posts revised help pages and new editions of guides. Some revised

help pages update the latest editions of the guides.

To view new onscreen help topics for a server application, make sure your server or

administrator computer is connected to the Internet and click “Latest help topics” or

“Staying current” in the main help page for the application.

To download the latest guides in PDF format, go to the Mac OS X Server

documentation website:

www.apple.com/server/documentation

Getting Additional Information

For more information, consult these resources:

Read Me documents

—important updates and special information. Look for them on

the server discs.

Mac OS X Server website

(www.apple.com/server/macosx)—gateway to extensive

product and technology information.

Mac OS X Server Support website

(www.apple.com/support/macosxserver)—access to

hundreds of articles from Apple’s support organization.

ÂApple Discussions website (discussions.apple.com)—a way to share questions,

knowledge, and advice with other administrators.

ÂApple Mailing Lists website (www.lists.apple.com)—subscribe to mailing lists so you

can communicate with other administrators using email.

1Understanding iCal Service

iCal service is the shared calendar service for

Mac OS X Server. Built on open standard protocols, iCal

service provides integration with leading calendaring

programs.

Now it’s easy to share calendars, schedule meetings, and coordinate events within a

workgroup, a small business, or a large corporation. Built on open standard protocols,

iCal service integrates with leading calendaring programs. iCal service doesn’t impose a

per-user license, so your organization can grow without paying for additional licenses.

iCal Service Features

iCal service is Mac OS X Server’s complete calendaring solution for your organization’s

needs. It has all the features you need for a full calendaring solution, including:

ÂMultiple calendars: Each person or resource can have multiple calendars. Users can

organize their calendars however they choose.

ÂEvent invitations: Users can invite others to an event. When the recipient

acknowledges the invitation, the scheduler gets the RSVP.

ÂFree/Busy browsing: When scheduling an event, a user can check to see if the

invitees are available to accept an invitation.

ÂRooms and resource scheduling: Resources (projectors, cars, and so forth) and

rooms can have their own calendars and can be invited to events.

ÂDirectory support: iCal service works with Open Directory. Using Open Directory’s

Active Directory plug-in, you can provide calendar service for users in Active

Directory.

ÂDelegation (proxy) support: Other users can be authorized to view your calendar

events. This allows people to track subordinates, resources, or other designated

calendar users. Proxies are used to allow event scheduling delegation as well.

ÂFine-grained access controls: iCal service fully supports access control lists (ACLs)

for events and attachments.

10 Chapter 1 Understanding iCal Service

ÂAttachments: Events can have file attachments associated with them, so every event

participant can have a copy of a file or meeting agenda.

Open Standards

iCal service is based on open standards. Each part of iCal service is a published

standard. It’s built upon a strong foundation of proven standards and familiar

technologies, including:

ÂHTTP (RFC 2616): HTTP serves as the method of communication between the

calendar clients and the server.

ÂWebDAV (RFC 2518): WebDAV serves as iCal service’s method for reading and

writing calendar files on the server.

ÂCalDAV (RFC 4791): CalDAV is an extension of WebDAV to provide features specific

to calendaring (like searches for free/busy information and use of the invitation

protocol iTIP).

ÂiCalendar (RFC 2445): iCalendar is the standard text format for describing events.

ÂiTIP (RFC 2446): iTIP is the standard for making and responding to event invitations.

Apple is a member of the CalConnect Consortium and is committed to open standards-

based calendaring and scheduling protocols. To further the widespread adoption and

deployment of these standards, complete source code will be released to the open

source community as part of the Darwin Calendar Server project, hosted on the

macosforge.org website, calendarserver.org.

Directory and Client Integration

iCal service is integrated with Mac OS X Server’s foundation technologies. Calendar

users are authenticated from Open Directory and Kerberos. iCal service is available to

Apple Wiki groups, with each having its own shared calender. The calendar files are

stored in flat files so they can integrate with any storage system, local or networked.

In addition to Mac OS X Server technologies, iCal service can integrate with other

directory systems like Active Directory or plain LDAP systems.

iCal service uses open calendaring protocols for integrating with leading calendar

programs, including iCal 3 in Leopard, Mozilla’s Sunbird, OSAF’s Chandler, and Microsoft

Outlook (using an open source connector).

Chapter 1 Understanding iCal Service 11

Service Scalability

Because the technology is based on web standards, iCal service has all the scalability of

Mac OS X Server’s world-class web services.

As your organization grows, iCal service can take advantage of standard scalability

technologies such as network load distributors, storage networks, and distributed

directory servers.

To maximize service scalability and minimize loss of productivity from service outages,

iCal service is optimized for use with Xsan—Apple’s clustered file system. With Xsan,

multiple calendar servers can read and write to the same volume, making it easy to

increase performance and improve service reliability by scaling for additional servers.

Client Applications That Integrate with iCal Service

The following Apple applications can use Mac OS X Server’s iCal service. For a client to

use iCal service, the client must support the CalDAV protocol.

ÂiCal 3.0: The version of iCal that ships with Mac OS X v10.5 Leopard has built-in

support for CalDAV and therefore iCal service.

ÂApple Wiki’s web calendar: The wiki service has an online calendar for each wiki

group that uses iCal service.

Third-Party Applications

In addition, the following third-party applications can use iCal serive. These applications

are from companies or projects that have committed to using CalDAV as an open

calendaring service.This list does not indicate an endorsement or support for any of the

products listed.

ÂMozilla Sunbird (open source)

ÂOpen Software Application Foundation Chandler (open source)

ÂMicrosoft Outlook using the open-source Outlook Connector Project

ÂMulberry (open Source)

ÂGNOME Evolution using the CalDAV plugin (open source)

ÂMarware Project X

12 Chapter 1 Understanding iCal Service

iCal Service In Action

The following illustration shows the iCal service in a common workgroup environment.

The iCal service is running on an Xserve connected to a shared storage system, Xsan.

The Open Directory server authenticates the calendar users. The calendar users view,

make, and save calendars and calendar entries using iCal 3.0 (for Mac OS X v10.5), or

some other CalDAV compliant application. A Web server on the same network is

running an Apple wiki server for a group with a shared group calendar. It is also a client

computer, accessing iCal service for the group calendar.

Web Server running

Apple’s Wiki Server

iCal Server with Xsan Storage

iCal Server back end iCal Server clients

Authentication servers

Mozilla’s Sunbird

OSAF’s Chandler

Leopard with iCal 3.0

2Setting Up and Managing iCal

Service

iCal service is configured using Server Admin, authenticated

using Open Directory, and accessed using any CalDAV

compatible client.

This chapter provides the planning steps and tasks necessary to set up iCal service. It

also provides information about how to manage and monitor iCal service.

Minimum Requirements

To run iCal service, you need:

ÂA host name for the server with full reverse DNS lookup

ÂA firewall rule that allows TCP connections from iCal service clients to the iCal service

on a chosen port

ÂUser names and passwords stored in an Open Directory system, an Active Directory

system (using the Active Directory plugin for Open Directory), or an OpenLDAP

directory with appropriate schema to support iCal service

Â(Optional) If you are using Kerberos for authentication, a Kerberos system running

A functioning DNS system, with full reverse lookups, a firewall to allow configuration,

and an Open Directory server for authentication constitute a bare minimum for the

setup environment.

Setting Up iCal Service

iCal service depends on other Mac OS X Server features. The following steps give the

basic setup instructions and considerations for the first time you deploy iCal service.

Step 1: Plan your deployment

Make sure your target server meets the minimum Mac OS X Server system

requirements. Make sure the number of servers is adequate for the estimated traffic.

Make sure the storage space for calendars and attachments is sufficient for the

estimated amount of data. Additional information that can help you make these

storage decisions can be found in Chapter 3, “Advanced iCal Service Information.”

14 Chapter 2 Setting Up and Managing iCal Service

Step 2: Gather your information

You need the following information before you begin:

ÂHost name of the server

ÂTCP port to respond to iCal service connections

ÂAuthentication method (Digest, Kerberos v5, or Any)

ÂLocation of the data store

ÂEstimated maximum attachment size

ÂEstimated storage quota per user

ÂCertificate information for SSL connections (optional)

This not only helps to make sure the installation goes smoothly, but it can help you

make planning decisions.

Step 3: Set up the environment

If you are not in complete control of the network environment (DNS servers, DHCP

server, firewall, and so forth), coordinate with your network administrator before

installing.

If you are planning on connecting the server to an existing directory system, you must

also coordinate efforts with the directory administrator.

If you are planning to create group calendars, you also need to enable Web service for

Apple Wiki service.

Step 4: Configure and start iCal service

Configure the service parameters and turn on the iCal service. As users log in to the

service with their CalDAV-enabled calendar applications, the service creates the needed

directories and files.

For more information about enabling, configuring, and starting iCal service, see the

following sections:

Â“Enabling iCal Service for Administration” on page 14

Â“Starting or Stopping iCal Service Administration” on page 15

Â“Changing iCal Service Administration Settings” on page 15

Enabling iCal Service for Administration

You must turn on iCal service administration before you can use Server Admin to

configure or enable it. This allows Server Admin to start, stop, and change settings for

iCal service.

To enable iCal service for administration:

1Open Server Admin.

2Select a server, click the Settings button in the toolbar, and then click the Services tab.

Chapter 2 Setting Up and Managing iCal Service 15

3Select the checkbox for iCal service.

Now the iCal service is ready to configure and control using Server Admin.

Starting or Stopping iCal Service Administration

You need to restart the iCal service after you make configuration changes.

If you prefer to administer the service from the command line, you can use

serveradmin. For specific instructions, see Command-Line Administration.

To start or stop the service:

1Open Server Admin.

2Select a server, then click the service disclosure triangle to show the services for

administration.

These instructions assume iCal service has been enabled in the service administration

list of Server Admin.

3In the service list beneath the server, select iCal service.

4Click Start iCal, the service start button below the server list.

If the service is running, click Stop iCal.

Changing iCal Service Administration Settings

The following settings are available for customization using Server Admin:

Setting Description

Data store location This is where the server stores all the users’ calendars, delegate

lists, and event attachments

To change this setting, see “Changing the Calendar Data Store

Location” on page 16.

Maximum attachment size This is the maximum file size (in MB) for each event attachment.

To change this setting, see “Changing the Calendar Attachment

Limit” on page 17.

User quota This is the total size of all the user’s calendars and event

attachments.

To change this setting, see “Changing Calendar User Quotas” on

page 17.

Authentication This is the authentication method required for calendar access.

To change this setting, see “Configuring Security for iCal Service”

on page 19.

16 Chapter 2 Setting Up and Managing iCal Service

If you prefer to administer the service from the command line, you can use

serveradmin. For more specific instructions, see Command-Line Administration.

Setting the iCal Service Host Name

When setting up iCal service, you must specify the host name of the iCal server. It

should be a fully qualified domain name matched with a reverse lookup record.

Be sure to make the appropriate changes to your firewall to allow network access to

the server.

To set the host name:

1In Server Admin, select a server and choose the iCal service.

2Click the Settings button in the toolbar.

3In the Host Name field, enter the host name.

4Click Save, then restart the service.

Setting the iCal Service Port Number

When setting up the iCal service, the server is set to use TCP port 8008. If you want to

change the port, you can do so in Server Admin.

Be sure to make the appropriate changes to your firewall to allow network access to

the server.

To set the port number:

1In Server Admin, select a server and choose the iCal service.

2Click the Settings button in the toolbar.

3In the HTTP Port Number field, enter the port number.

4Click Save, then restart the service.

Changing the Calendar Data Store Location

The data store is where the server stores all the users’ calendars and event attachments.

The default location is /Library/CalendarServer/Documents/.

Host name This is the fully qualified domain name in DNS. It should be in the

reverse lookup domain as well.

To change this setting, see “Setting the iCal Service Host Name” on

page 16.

HTTP port number This is the port that the iCal service will use for connections. The

default port is 8008.

To change this setting, see “Setting the iCal Service Port Number”

on page 16.

Setting Description

Chapter 2 Setting Up and Managing iCal Service 17

This location is relative to the local file system, so if the storage location is on a network

volume, enter the local filesystem mount point and not a network URL.

To change the default data store:

1In Server Admin, select a server and choose the iCal service.

2Click the Settings button in the toolbar.

3In the Data Store field, enter the new location.

Alternately, click the Choose button and navigate to the new location.

4Click Save, then restart the service.

Changing the Calendar Attachment Limit

Each event on a calendar can have one or more files attached to it. All invitees to the

event can access the attachments. The maximum attachment size is the maximum total

size of all attachments for an event. There is no limit to the total number of files

attached to a single event except for the calendar user’s storage quota.

To set the attachment size limit:

1In Server Admin, select a server and choose the iCal service.

2Click the Settings button in the toolbar.

3In the Maximum Attachment Size field, enter the file size (in MB).

4Click Save, then restart the service.

Changing Calendar User Quotas

Each calendar user has a disk quota. This quota is the total possible size of all the user’s

calendars and event attachments.

Quotas are not set on a per-user basis. They are set globally for all users. Do not allow

the total of all your users’ quotas to exceed the storage capacity of the data store.

To change the user quota:

1In Server Admin, select a server and choose the iCal service.

2Click the Settings button in the toolbar.

3In the User Quota field, enter the quota amount (in MB).

4Click Save, then restart the service.

Enabling iCal Service for a User or Group

There are two places where a user or group can be authorized to use iCal service. One

is in a Service Access Control List (SACL), the other is in the user’s directory record.

The SACL is the overall authorization for using the service, while the directory record

enables use of the service.

18 Chapter 2 Setting Up and Managing iCal Service

If the SACL for iCal service has been set for a user or group, the SACL takes precedence

over the directory record setting. For a user or group to use iCal service, authorization

must be enabled in the SACL and the directory record.

These instructions assume iCal service has been configured and started.

To enable iCal service for a user or group:

1Open Server Admin and select the server from the Servers list.

2Click Settings.

3Click Access.

4Make sure either “For all services” or “iCal service” is selected from the Service list.

“For all services” makes changes to all services. Selecting “iCal service” only changes the

SACL for iCal service.

5To provide unrestricted access to iCal service, click “Allow all users and groups.”

To restrict access to specific users and groups:

aSelect “Allow only users and groups below.”

bClick the Add (+) button to open the Users & Groups drawer.

cDrag users and groups from the Users & Groups drawer to the list.

6Click Save.

The SACL for iCal service is configured. Now enable the user’s calendar in the directory

record.

7Open Workgroup Manager.

8Authenticate to the directory as the directory administrator.

9At the top of the application window, click the Accounts button to select the directory

you want to edit.

10 Select the users who will have iCal service access.

Group calendars can only be enabled by using the group Wiki and Blog setting and

then enabling the web calendar feature.

11 Click the Advanced tab of the user record.

12 Select Enable Calendaring and choose the calendaring server from the pop-up list.

13 Click Save.

Defining Who Can View or Edit Group Calendars

Group calendar privileges are administered through Apple Wiki service. You enable

group calendars and define access privileges for the group calendar using Workgroup

Manager’s view of the group record, or Directory’s (the utility) view of the group record.

Chapter 2 Setting Up and Managing iCal Service 19

This is true whether the calendar is viewed in a CalDAV-compatible calendar client or in

a web browser. Administration of fine-grained access control of group calendars must

be performed in the directory record for the group.

For more information on using group calendars, see Web Technologies Administration or

the online help in the Apple Wiki group pages.

Defining Who Can View or Edit User Calendars

Every user can create and remove calendar events in his or her own calendars in iCal

service. When users want to have someone else edit their calendars, they want to

delegate (or assign a proxy to) the calendar management.

iCal service supports calendar viewing and editing delegates, allowing designated

persons to read or write a user’s calendars. Calendar delegation is not configured on

the server side. To set up a delegate, you use the calendar client software. Apple’s

Directory application lets you choose delegates for resource and location calendars.

To learn how to configure calendar delegation, see the documentation for your

calendar client.

When you want a user to have a read-only calendar, you can publish the URL of the iCal

service calendar and he or she can subscribe to a static (.ics) read-only version.

To learn how to publish and subscribe to a calendar (.ics file), see the documentation

for your calendar client.

Configuring Security for iCal Service

Security for iCal service consists of two main areas:

ÂSecuring the authentication: This means using a method of authenticating users

that is secure and doesn’t pass the login credentials in clear text over the network.

The high-security authentication used pervasively in Mac OS X Server is Kerberos v5.

To learn how to configure secure authentication, see “Choosing and Enabling Secure

Authentication for iCal Service” on page 19.

ÂSecuring the data transport: This means encrypting the network traffic between

the calendar client and the calendar server. When the transport is encrypted, no one

can analyze the network traffic and reconstruct the contents of the calendar. iCal

service uses SSL to encrypt the data transport.

To learn how to configure and enable SSL for iCal service, see “Configuring and

Enabling Secure Network Traffic for iCal Service” on page 20.

Choosing and Enabling Secure Authentication for iCal Service

Users authenticate to iCal service through one of the following methods:

20 Chapter 2 Setting Up and Managing iCal Service

ÂKerberos v.5: This method uses strong encryption and is used in Mac OS X for single

sign-on to services offered by Mac OS X Server.

ÂDigest: (RFC 2617) This method sends secure login names and encrypted passwords

without the use of a trusted third-party (like the Kerberos realm), and is usable

without maintaining a Kerberos infrastructure.

ÂAny: This includes both Kerberos v.5 and Digest authentication. The client can

choose the most appropriate method for what it can support.

You can set the required authentication method using Server Admin. To enable the

highest security, choose a method other than “Any.”

To choose an authentication method:

1In Server Admin, select a server and choose the iCal service.

2Click the Settings button in the toolbar.

3Select the method from the Authentication pop-up menu.

4Click Save, then restart the service.

Configuring and Enabling Secure Network Traffic for iCal Service

When you enable Secure Sockets Layer (SSL), you encrypt all the data sent between the

iCal server and the client. To enable SSL, you must select a Certificate. If you use the

Default self-signed certificate, the clients must choose to trust the certificate before

they can make a secure connection.

To enable secure network traffic using SSL transport:

1In Server Admin, select a server and choose the iCal service.

2Click the Settings button in the toolbar.

3Click Enable Secure Sockets Layer (SSL).

4Choose a TCP port for SSL to communicate on.

The default port is 8443.

5Choose the certificate to be used for encryption.

6Click Save, then restart the service.

Monitoring iCal service

To keep iCal service operating smoothly, you must monitor service logs as well as

current statistics.

The following sections contain more information about monitoring iCal service:

Â“Viewing iCal Service Vital Statistics” on page 21

Â“Viewing iCal Service Logs” on page 21

Chapter 2 Setting Up and Managing iCal Service 21

Viewing iCal Service Vital Statistics

The iCal service Overview pane lets you keep track of the following vital statistics.

These statistics can help you plan disk and CPU resource usage:

ÂTotal disk usage

ÂNumber of accounts

ÂTotal number of user calendars

ÂNumber of group calendars

ÂNumber of location calendars

ÂNumber of resource calendars

ÂTotal number of events

ÂTotal number of todo lists

To view iCal service statistics:

1In Server Admin, select a server and choose the iCal service.

2Click the Overview button in the toolbar.

Viewing iCal Service Logs

iCal service keeps two logs: one for access and one for errors. You can view and filter

the logs to troubleshoot the service or monitor overall service reliability.

To view the logs:

1In Server Admin, select a server and choose the iCal service.

2Click the Logs button in the toolbar.

3Select a log from the View pop-up menu.

4Filter the log for specific text strings by using the text filter field.

Maintaining iCal Service

The following sections contain information that will assist an iCal service administrator

in keeping the iCal service working smoothly.

Understanding iCal Service Administration Configuration Files

You should perform all administration of iCal service using Server Admin or the

serveradmin tool. If Server Admin or serveradmin are unavailable, iCal service can be

configured and run from the command-line using built-in tools.

The following are files used to run iCal service:

Â/etc/caldavd/caldavd.plist: The main configuration file for caldavd. It is an XML

property list of server options and provides such information as the port to bind to

and whether to use SSL. The names of other files can specified.

Â/var/log/caldavd/access.log: The server's main log file.

22 Chapter 2 Setting Up and Managing iCal Service

Â/var/run/caldavd.pid: The server's process ID file.

Â/usr/share/caldavd: Implementation and support files.

Understanding Calendar Files

Each calendar event is stored as an .ics file in the main data store. These .ics files can

suffer from accidental data corruption (due to disk errors or software bugs) that can

disrupt service. iCal service also maintains sqlite database files at each level of the file

hierarchy to speed data retrieval. To troubleshoot or resolve problems, an administrator

can inspect these files.

Each event and calendar .ics file can be inspected or tested for file integrity and

removed if corrupt. Additionally, the sqlite databases are disposable (with one

exception), and are recreated as needed. You can use the built-in sqlite command-line

tools to query or test the database files, or just delete them. They’ll be rebuilt when

needed.

To access the files, you need root access to the /Library/CalendarServer/Documents/

folder and its subfolders.

For more information about the calendar file heirarchy, see Chapter 3, “Advanced iCal

Service Information.”

Backing Up and Restoring Calendar Files

In addition to backing up the configuration files listed in “Understanding iCal Service

Administration Configuration Files” on page 21, you should back up the data store. The

location of the data store is shown in the Settings tab of the iCal service administration

pane of Server Admin.

Because iCal service files are flat files, you can use any backup procedure you want to

save the files. You should maintain the original files’ POSIX permissions and ACL entries.

Your backup solution must preserve extended attributes.

You don’t need to back up the calendar database files in the file hierarchy. They are

disposable. However, there is a delegate database file at the top of the /principals/

hierarchy and that must be backed up. It contains all proxy/delegate relationships.

Your backup software needs root access to the /Library/CalendarServer/Documents/

folder and its subfolders to back them up.

Mac OS X Server provides several command-line tools for data backup and restoration:

Ârsync. Use to keep a backup copy of your data in sync with the original. The rsync

tool only copies files that have changed, but copies all extended attributes always.

WARNING: The delegate sqlite database file at the top of the /principals/ hierarchy is

not disposable. It contains all delegate (proxy) relationships. Do not be delete this file.

Chapter 2 Setting Up and Managing iCal Service 23

Âditto. Use to perform full file-level backups.

Âasr. Use to back up and restore an entire volume at disk block-level.

For more information about these commands, see Command-Line Administration.

The Mac OS X v10.5 Time Machine feature is not recommended for server file and

system backup of advanced configuration servers.

Note: You can use the launchdctl command to automate data backup using the

mentioned commands. For more information about using launchd, see Command-Line

Administration.

Deleting Unused Calendars

For security, privacy, or disk usage reasons, you may need to delete unused calendars.

After calendar files and folders are created in the data store, they are not removed

when a user, group, or resource is removed from the directory. This could potentially

cause unintended service behavior if a user, group, or resource is created at a future

time with the same name as the defunct one.

When a user, group, or resource is no longer actively using the calendar, you can easily

delete the files, which include calendars, events, todo lists, and attachments. To do so,

delete the user folder from the data store manually.

If you delete the files for security or privacy reasons, use a secure-delete tool like the

Mac OS X command-line tool srm. For command usage, see the srm man page.

To delete the files, you need root access to the /Library/CalendarServer/Documents/

folder and its subfolders.

24 Chapter 2 Setting Up and Managing iCal Service

3Advanced iCal Service

Information

This chapter contains detailed information about iCal service

that is suitable for advanced system administrators.

iCal service provides calendar sharing, collaboration, and synchronization through the

CalDAV protocol.

CalDAV is a standard for accessing calendars using WebDAV. It is used to store, query,

and retrieve collections of iCalendar (.ics) standard events and todo (tasks) from a

CalDAV enabled server to any suitable client. It is an open standard that allows different

software products from many development sources to interoperate.

CalDAV architecture treats all events (individual events in a calendar, todo lists, and out

of office blocks) as HTTP resources. The events are transferred using standard HTTP

with additional functionality to handle the special needs of calendar event

management.

For example, a CalDAV server must use WebDAV access control (RFC3744), must be able

to parse iCalendar files (RFC2445), and must be able to conduct calendaring-specific

operations such as doing free-busy time lookup and expanding repeating events.

Each event is an iCalendar (.ics) formatted file. These events are grouped in collections

(user-perceived calendars) and indexed for searching and quick retrieval.

Understanding Service Implementation Details

The following sections describe iCal service implementation details including tools,

user provisioning, and process management.

Configuration Tools

iCal service uses two front-end tools:

ÂServer Admin for Mac OS X

ÂA combination of caldavd and caladmin for the command-line interface of Darwin

server.

26 Chapter 3 Advanced iCal Service Information

In both cases, the front ends read from a configuration plist file (/etc/caldavd/

caldavd.plist) to set service parameters. The plist file is an XML property list that

specifies server options such as:

ÂThe network TCP port to bind to

ÂWhether to use SSL

ÂThe names and locations of support files

User Provisioning

iCal service users are provisioned in Open Directory. If you don’t have an Open

Directory infrastructure, there are several ways to provide iCal service to users

authenticated through other directory systems.

If you are using Active Directory (AD), you can use the AD plugin to Open Directory

and make an Open Directory server that forwards authentication requests to the AD

domain. This method adds the needed directory schema keys and values to what’s

returned from the AD domain to allow use of iCal service without needing to change

the AD directory schema.

The easiest way to enable this is to install Mac OS X Server in workgroup configuration

mode, attached to the AD directory. All necessary configuration parameters on

Mac OS X Server are done for you. To find out more about workgroup configuration,

see Getting Started and Server Administration.

If you install on an advanced configuration server, you must configure your server

manually.

To find out more about configuring and advanced configuration server to work with

Active Directory, see Open Directory Administration.

Process and Load Management

The daemon for iCal service has several functional modes. It can be run in master, slave,

or combined mode.

ÂThe master process: Acts as a load balancer for slave mode daemons. When iCal

service is running in this mode, it forwards calendar connection requests to another

instance of the daemon running in slave mode.

ÂThe slave process: Accepts forwarded connections delegated by the master process.

This process replies to client requests and accesses the calendar data store, answers

HTTP requests, and does event parsing.

ÂThe combined process (default): Acts as both master and slave. It spawns one slave

process for every processor core available on the system. It also acts as its own load-

balancing master, delegating connections to its own spawned slave mode daemons.

Chapter 3 Advanced iCal Service Information 27

For these processes to be balanced, they must have a shared storage location. This can

be as simple as a single file system location for a multiprocessor Xserve. If the processes

are spread between several servers, the servers must use a shared storage solution like

Xsan.

If the master processes can’t adequately distribute the load, you can use a hardware

load balancer built to handle web connections.

Implementation Details

iCal service is implemented using Python v2.4 or later, using the Twisted network

framework. This open source framework gives excellent network performance using an

asynchronous networking model without needing to use threads.

The Twisted framework does not support WebDAV level 2 locking or WebDAV

versioning (neither of which is required for CalDAV).

The following are software dependencies in implementing the service:

Understanding the Data Store File Hierarchy

The main data store location is specified in the Settings tab of the iCal service

administration pane in Server Admin. By default it is /Library/CalendarServer/

Documents/.

This is the organization of the data store:

Third-party tools Apple-provided tools

Twisted PyKerberos

pyXML PyOpenDirectory

pyOpenSSL

pysqlite

vobject

xattr

dateutil

ZOPEInterface

Location Description

./principles/<users | groups > Contains folders for each user or group that has

been granted calendar access and that has

logged in to the service at least once.

./principles/<resources | locations> Contains folders for each resource or location that

has been granted calendar access and that has

had its calendar accessed at least once.

28 Chapter 3 Advanced iCal Service Information

Getting the Source Code

iCal service is available as open source software under the Apache 2.0 license. The code

and comments can be inspected. Administrators who want to contribute features or

bug fixes can do so at the project site calendarserver.org.

./principles/sudoers Contains folders for each calendar service

administrator.

./principals/__uids__ Contains folders for every user, group, resource, or

location, using its directory-record unique

identifier as the name.

./principles/<users | groups>/<username> This is an HTTP resource that represents the

calendar user or group settings in the directory

service.

./principles/<users | groups>/<username>/

calendar-proxy-read

./principles/<users | groups>/<username>/

calendar-proxy-write

Identifies the principals used to provide calendar

delegate rights to other users.

./calendars/<users | groups> Contains folders for each user or group that has

created at least one event, todo, or calendar.

./calendars/<resources | locations> Contains folders for each resource or location that

has accepted at least one event, todo, or calendar.

./calendars/<users | groups | resources |

locations>/<name>/calendar

Contains iCalendar (.ics) files of each event in the

principle’s calendar.

./calendars/<users | groups | resources |

locations>/<name>/inbox

Contains iTIP file invitations to other user’s

pending events.

./calendars/<users | groups | resources |

locations>/<name>/outbox

Contains iTip file invitations waiting to be

distributed to invitees.

./calendars/<users | groups | resources |

locations>/<name>/dropbox

Contains files attached to events, either from a

user’s self-created event or from participant

events.

Location Description

Chapter 3 Advanced iCal Service Information 29

Where to Go for Additional Information

Related Web Sites

ÂOpen Source project site: calendarserver.org

ÂIndustry calendaring and scheduling consortium: calconnect.org

Standards Documents

iCalendar Standards

ÂRFC 2445: Internet Calendaring and Scheduling Core Object Specification (iCalendar)

ÂRFC 2446: iCalendar Transport-Independent Interoperability Protocol (iTIP)

ÂRFC 2447: iCalendar Message-Based Interoperability Protocol (iMIP)

ÂRFC 3283: Guide to Internet Calendaring

Revised Standards (in progress)

ÂDRAFT RFC 2445bis: Internet Calendaring and Scheduling Core Object Specification

(iCalendar)

ÂDRAFT RFC 2446bis: iCalendar Transport-Independent Interoperability Protocol (iTIP)

ÂDRAFT RFC 2447bis: iCalendar Message-Based Interoperability Protocol (iMIP)

HTTP Standards

ÂRFC 2616: Hypertext Transfer Protocol—HTTP/1.1

ÂRFC 2617: HTTP Authentication: Basic and Digest Access Authentication

ÂRFC 4559: SPNEGO-based Kerberos and NTLM HTTP Authentication

WebDAV Standards

ÂRFC 2518: HTTP Extensions for Distributed Authoring—WEBDAV

ÂDRAFT RFC 2518bis: HTTP Extensions for Distributed Authoring—WEBDAV

ÂRFC 3253: Versioning Extensions to WebDAV

ÂRFC 3744: WebDAV Access Control Protocol

ÂRFC 4331: Quota and Size Properties for Distributed Authoring and Versioning (DAV)

Collections

CalDAV Standards

ÂRFC 4791: Calendaring Extensions to WebDAV (CalDAV)

ÂDRAFT: Scheduling Extensions to CalDAV

30 Chapter 3 Advanced iCal Service Information

Glossary

access control A method of controlling which computers or users can access a

network or network services.

access control list See ACL.

ACL Access Control List. A list, maintained by a system, that defines the rights of users

and groups to access resources on the system.

Active Directory The directory and authentication service of Microsoft Windows 2000

Server, Windows Server 2003, and Windows Server 2003 R2.

administrator A user with server or directory domain administration privileges.

Administrators are always members of the predefined “admin” group.

authentication The process of proving a user’s identity, typically by validating a user

name and password. Usually authentication occurs before an authorization process

determines the user’s level of access to a resource. For example, file service authorizes

full access to folders and files that an authenticated user owns.

authorization The process by which a service determines whether it should grant a

user access to a resource and how much access the service should allow the user to

have. Usually authorization occurs after an authentication process proves the user’s

identity. For example, file service authorizes full access to folders and files that an

authenticated user owns.

back up (verb) The act of creating a backup.

backup (noun) A collection of data that’s stored for the purpose of recovery in case

the original copy of data is lost or becomes inaccessible.

balance An Xsan storage pool allocation strategy. Before allocating space on a volume

consisting of more than one storage pool, Xsan checks available storage on all pools,

and then uses the one with the most free space.

blog A webpage that presents chronologically ordered entries. Often used as an

electronic journal or newsletter.

32 Glossary

CalDAV CalDAV is a standard protocol to enable calendar access via WebDAV. CalDAV

models events (meetings, appointments, blocked-off-time, or todo tasks) as HTTP

resources in iCalendar format.

certificate Sometimes called an “identity certificate” or “public key certificate.” A file in

a specific format (Mac OS X Server uses the X.509 format) that contains the public key

half of a public-private keypair, the user’s identity information such as name and

contact information, and the digital signature of either a Certificate Authority (CA) or

the key user.

Certificate Authority An authority that issues and manages digital certificates in order

to ensure secure transmission of data on a public network. See also certificate.

certification authority See Certificate Authority.

cleartext Data that hasn’t been encrypted.

command line The text you type at a shell prompt when using a command-line

interface.

command-line interface A way of interacting with the computer (for example, to run

programs or modify file system permissions) by entering text commands at a shell

prompt..

daemon A program that runs in the background and provides important system

services, such as processing incoming email or handling requests from the network.

DHCP Dynamic Host Configuration Protocol. A protocol used to dynamically distribute

IP addresses to client computers. Each time a client computer starts up, the protocol

looks for a DHCP server and then requests an IP address from the DHCP server it finds.

The DHCP server checks for an available IP address and sends it to the client computer

along with a lease period—the length of time the client computer may use the

address.

digest A computationally efficient function mapping binary strings of arbitrary length

to binary strings of some fixed length.

directory domain A specialized database that stores authoritative information about

users and network resources; the information is needed by system software and

applications. The database is optimized to handle many requests for information and to

find and retrieve information quickly. Also called a directory node or simply a directory.

directory services Services that provide system software and applications with

uniform access to directory domains and other sources of information about users and

resources.

disk A rewritable data storage device.

Glossary 33

DNS Domain Name System. A distributed database that maps IP addresses to domain

names. A DNS server, also known as a name server, keeps a list of names and the IP

addresses associated with each name.

DNS domain A unique name of a computer used in the Domain Name System to

translate IP addresses and names. Also called a domain name.

domain Part of the domain name of a computer on the Internet. It does not include

the top-level domain designator (for example, .com, .net, .us, .uk). Domain name

“www.example.com” consists of the subdomain or host name “www,” the domain

“example,” and the top-level domain “com.”

domain name See DNS name.

Domain Name System See DNS.

file system A scheme for storing data on storage devices that allows applications to

read and write files without having to deal with lower-level details.

firewall Software that protects the network applications running on your server. IP

firewall service, which is part of Mac OS X Server software, scans incoming IP packets

and rejects or accepts these packets based on a set of filters you create.

host name A unique name for a computer, historically referred to as the UNIX

hostname.

HTTP Hypertext Transfer Protocol. The client/server protocol for the World Wide Web.

HTTP provides a way for a web browser to access a web server and request hypermedia

documents created using HTML.

Hypertext Transfer Protocol See HTTP.

iCalendar (RFC 2445) iCalendar is a standard for calendar and todo (task) data

exchange. Sometimes this standard is called “iCal” which is also the name of Apple’s

calendar product which implements the iCalendar standard.

iTIP iCalendar Transport-Independent Interoperability Protocol. A protocol standard

which defines a method for exchanging iCalendar information for group calendaring

and scheduling between calendar users.

KDC Kerberos Key Distribution Center. A trusted server that issues Kerberos tickets.

Kerberos A secure network authentication system. Kerberos uses tickets, which are

issued for a specific user, service, and period of time. After a user is authenticated, it’s

possible to access additional services without retyping a password (called single sign-

on) for services that have been configured to take Kerberos tickets. Mac OS X Server

uses Kerberos v5.

34 Glossary

Kerberos Key Distribution Center See KDC.

Kerberos realm The authentication domain comprising the users and services that are

registered with the same Kerberos server. The registered users and services trust the

Kerberos server to verify each other’s identities.

LDAP Lightweight Directory Access Protocol. A standard client-server protocol for

accessing a directory domain.

Lightweight Directory Access Protocol See LDAP.

Mac OS X The latest version of the Apple operating system. Mac OS X combines the

reliability of UNIX with the ease of use of Macintosh.

Mac OS X Server An industrial-strength server platform that supports Mac, Windows,

UNIX, and Linux clients out of the box and provides a suite of scalable workgroup and

network services plus advanced remote management tools.

mount (verb) To make a remote directory or volume available for access on a local

system. In Xsan, to cause an Xsan volume to appear on a client’s desktop, just like a

local disk.

mount point In streaming, a string used to identify a live stream, which can be a

relayed movie stream, a nonrelayed movie stream, or an MP3 stream. Mount points

that describe live movie streams always end with a .sdp extension.

Open Directory The Apple directory services architecture, which can access

authoritative information about users and network resources from directory domains

that use LDAP, Active Directory protocols, or BSD configuration files, and network

services.

Open Directory master A server that provides LDAP directory service, Kerberos

authentication service, and Open Directory Password Server.

PID Process ID. A number assigned to a UNIX process when it starts. The PID allows you

to refer to the process at a later time.

plaintext Text that hasn’t been encrypted.

port A server uses port numbers to determine which application should receive data

packets. Firewalls use port numbers to determine whether data packets are allowed to

traverse a local network. “Port” usually refers to either a TCP or UDP port.

privileges The right to access restricted areas of a system or perform certain tasks

(such as management tasks) in the system.

process A program that has started executing and has a portion of memory allocated

to it.

Glossary 35

process ID See PID.

realm General term with multiple applications. See WebDAV realm, Kerberos realm.

root An account on a system that has no protections or restrictions. System

administrators use this account to make changes to the system’s configuration.

SACL Service Access Control List. Lets you specify which users and groups have access

to specific services. See ACL.

server A computer that provides services (such as file service, mail service, or web

service) to other computers or network devices.

standalone server A server that provides services on a network but doesn’t get

directory services from another server or provide directory services to other computers.

TCP Transmission Control Protocol. A method used with the Internet Protocol (IP) to

send data in the form of message units between computers over the Internet. IP

handles the actual delivery of the data, and TCP keeps track of the units of data (called

packets) into which a message is divided for efficient routing through the Internet.

Transmission Control Protocol See TCP.

Uniform Resource Locator See URL.

URL Uniform Resource Locator. The address of a computer, file, or resource that can be

accessed on a local network or the Internet. The URL is made up of the name of the

protocol needed to access the resource, a domain name that identifies a specific

computer on the Internet, and a hierarchical description of a file location on the

computer.

WebDAV Web-based Distributed Authoring and Versioning. A live authoring

environment that allows client users to check out webpages, make changes, and then

check the pages back in to the site while the site is running.

WebDAV realm A region of a website, usually a folder or directory, that’s defined to

provide access for WebDAV users and groups.

weblog See blog.

Weblog service The Mac OS X Server service that lets users and groups securely create

and use blogs. Weblog service uses Open Directory authentication to verify the identity

of blog authors and readers. If accessed using a website that’s SSL enabled, Weblog

service uses SSL encryption to further safeguard access to blogs.

36 Glossary

Index

access

ACLs 22

delegating 19, 22, 26

permissions 18, 22

SACLs 17

user 17, 18

ACLs (access control lists) 22

Active Directory 26

asr tool 23

attachments 17

authentication 10, 15, 19

authorization 17

backups, calendar file 22

CalConnect Consortium 10

CalDAV (Calendar-Based Distributed Authoring and

Versioning) protocol 10, 11, 25, 29

calendar service. See iCal service

certificates 20

clients

delegating access 19

integration with iCal 11

Apple MacOSXServer ICal Service Administration User Manual Mac OSXServerv10.5 I Cal Admin 10.5

Navigation menu

Versions of this User Manual:

Views

Navigation