apple / ccs-calendarserver

The Calendar and Contacts Server.
https://www.calendarserver.org
Apache License 2.0

is loginAllowed indeed getting a Boolean value from ldap? #475

Open f1-outsourcing opened 7 years ago

f1-outsourcing commented 7 years ago

If I do an ldapsearch from the same server and with the same credentials as the calendarserver installation, I can query the ldap record correctly:


dn: uid=admin,ou=xxxx,ou=xxxx,ou=xxxx,dc=xxxx,dc=xxxx,dc=xxxx
o: Aqua7
userPassword:: e1NIQX1kSkQrdW5QTkR0ZDFYZFpvdk1vREtoSXNKRUU9
loginShell: /bin/false
uidNumber: 8809
gidNumber: 231
objectClass: top
objectClass: posixAccount
objectClass: account
objectClass: systemQuotas
objectClass: ritAdditionalInfo
homeDirectory: /home/users/admin
uid: admin
cn: admin
allowed: TRUE
active: active

# search result
search: 3
result: 0 Success

Yet when I try to authenticate with calendarserver, I get something like "authentication failure, login not allowed".

I have this in the plist

<key>loginAllowed</key>
<string>allowed</string>

If I make this modification to the code,

txdav/who/directory.py:        # f1 edit
txdav/who/directory.py- self.loginAllowed = True
txdav/who/directory.py-        return self.loginAllowed

The login procedure proceeds.

This led me to believe that

  1. Either the server is not getting my 'allowed' record from ldap
  2. Maybe you are interpreting the result as string instead of boolean

m0rgen commented 7 years ago

Calendar Server is not expecting a boolean, it's expecting a matching string to indicate True. For example, if you set:

<key>loginAllowed</key>
<array>
   <string>calendarStatus:active</string>
</array>

...if the LDAP attribute "calendarStatus" has the value "active", that will allow login for the associated account. It's done this way to be flexible and work with whatever existing LDAP schema you might have.

As of a few minutes ago, if you're not interested in using loginAllowed to control login access, you can now leave that out of your plist file.
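The matching rule m0rgen describes, written out as a small added illustration (this is not CalendarServer's own code): each plist entry is an "attribute:value" pair, and login is allowed only when the named LDAP attribute actually carries that exact value. The function names, the exact-match comparison, the rejection of a colon-less entry such as the reporter's "allowed", and the fail-closed handling of a missing attribute are all assumptions of this example.

```python
# Added illustration of the loginAllowed matching rule; NOT CalendarServer's own code.
# Assumed: exact string comparison, entries must be "attribute:value", and an
# attribute that is absent from the record never matches (fail closed).
from typing import Dict, List, Tuple

# attribute -> list of values, as ldapsearch reports a record
LdapRecord = Dict[str, List[str]]


def parse_login_allowed(entries: List[str]) -> List[Tuple[str, str]]:
    """Turn plist <string> entries like "calendarStatus:active" into (attribute, value) pairs.
    An entry with no value part (e.g. a bare "allowed") has nothing to compare
    against, so it is rejected loudly instead of silently matching nothing."""
    pairs = []
    for entry in entries:
        attr, sep, value = entry.partition(":")
        if not sep or not attr or not value:
            raise ValueError(f"loginAllowed entry {entry!r} must be 'attribute:value'")
        pairs.append((attr, value))
    return pairs


def login_allowed(config: List[str], record: LdapRecord) -> bool:
    """Allow login only if some configured attribute:value pair matches a value
    actually present on the record. An empty config means login is not gated."""
    if not config:
        return True
    for attr, wanted in parse_login_allowed(config):
        # record.get(attr, []) -> a missing attribute yields no values, hence no match
        if wanted in record.get(attr, []):
            return True
    return False


# Constructed sample record, modelled on the ldapsearch output quoted in the issue.
ADMIN_RECORD: LdapRecord = {
    "uid": ["admin"],
    "allowed": ["TRUE"],
    "active": ["active"],
}

if __name__ == "__main__":
    print(login_allowed(["allowed:TRUE"], ADMIN_RECORD))          # True
    print(login_allowed(["calendarStatus:active"], ADMIN_RECORD))  # False: attribute absent
```

With the reporter's record, "allowed:TRUE" or "active:active" would be the entries that grant access; "calendarStatus:active" denies because that attribute does not exist on the record.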