apple / ccs-calendarserver

The Calendar and Contacts Server.
https://www.calendarserver.org
Apache License 2.0

not able to authenticate with ldap #477

Open f1-outsourcing opened 7 years ago

f1-outsourcing commented 7 years ago

With or without adding this to the plist, I cannot get ldap to authenticate.

<key>password</key>
<string>userPassword</string>

I think it is again related to getting records from LDAP, after modifying your code:

txdav/dps/server.py:    # f1 edit
txdav/dps/server.py-        response = { "authenticated": True, }
txdav/dps/server.py-        returnValue(response)

I seem to be getting a working session, at least I can sync some calendars and address books.

dreness commented 7 years ago

Hi,

Depending on the authentication mechanism(s) supported by your LDAP service, you may need to disable any of basic, digest, or kerberos that you don't expect to use. If your LDAP service doesn't use TLS, and you want to use Basic auth, you would need to enable AllowedOverWireUnencrypted for Basic.

See https://github.com/apple/ccs-calendarserver/blob/master/conf/caldavd-stdconfig.plist#L518 for the default settings.

Most LDAP services don't require authentication to retrieve records, so it makes sense that bypassing authentication in code allows you to get further if it's just authentication that's failing. It's not entirely secure, though :)

Also I see that the file you've changed is txdav/dps/server. DPS stands for 'directory proxy sidecar', and was an attempt to funnel all LDAP interactions for all caldavd daemons on a given host through a single caching process, as an alternative to using memcache for the shared directory cache. The DPS was implemented several versions ago. As it turns out, shortly after the 9.0 release, we found that this design does not scale well, and falls down somewhere between a cluster of ~12 servers with thousands of users (which suffered no noticeable adverse effects) and two podded clusters of ~40 servers in total, with 100k+ users which was basically unusable with the DPS in the mix. We stopped using the DPS and went back to the previous design that leans on memcached, and that's what is currently on master. I don't think any of the above implementation details are directly relevant to any of your recent postings, but I did want to make you aware in case you plan to scale out.
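The mechanism settings dreness points at can be checked mechanically before bypassing anything in code. The script below is an added example, not CalendarServer code. It assumes caldavd.plist keeps an `Authentication` dict with `Basic`, `Digest` and `Kerberos` sub-dicts that carry `Enabled` and `AllowedOverWireUnencrypted` keys, plus a top-level `EnableSSL` flag, which is the layout of conf/caldavd-stdconfig.plist as far as I recall it (verify against the linked file); the sample plist is constructed, and the assumption that `AllowedOverWireUnencrypted` governs whether a mechanism is accepted on the non-TLS listener is mine.

```python
"""Audit the Authentication section of a caldavd.plist for the pitfalls
raised in this thread: mechanisms left enabled that the LDAP backend will
never satisfy, credentials allowed over a plain-HTTP listener, and the
combination that simply refuses Basic auth (no TLS, cleartext not allowed).
Added example; the plist layout is assumed from caldavd-stdconfig.plist."""
import plistlib

# Constructed sample fragment (not a real deployment file): TLS is off, Basic
# is allowed over the plain listener, and Digest and Kerberos are still
# enabled although only Basic is meant to be used against LDAP.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>EnableSSL</key>
  <false/>
  <key>Authentication</key>
  <dict>
    <key>Basic</key>
    <dict>
      <key>Enabled</key>
      <true/>
      <key>AllowedOverWireUnencrypted</key>
      <true/>
    </dict>
    <key>Digest</key>
    <dict>
      <key>Enabled</key>
      <true/>
      <key>AllowedOverWireUnencrypted</key>
      <true/>
    </dict>
    <key>Kerberos</key>
    <dict>
      <key>Enabled</key>
      <true/>
      <key>AllowedOverWireUnencrypted</key>
      <false/>
    </dict>
  </dict>
</dict>
</plist>
"""

MECHANISMS = ("Basic", "Digest", "Kerberos")


def build_config(enable_ssl, **mechanisms):
    """Serialise a minimal plist in the assumed layout.

    Keyword arguments map a mechanism name to an
    (enabled, allowed_over_wire_unencrypted) pair; mechanisms not named
    are written as disabled.
    """
    auth = {}
    for mech in MECHANISMS:
        enabled, allowed = mechanisms.get(mech, (False, False))
        auth[mech] = {"Enabled": enabled, "AllowedOverWireUnencrypted": allowed}
    return plistlib.dumps({"EnableSSL": enable_ssl, "Authentication": auth})


def audit_authentication(plist_bytes, expected=("Basic",)):
    """Return (mechanism, finding) pairs, in MECHANISMS order.

    expected: the mechanisms the directory backend can actually satisfy
    (an LDAP bind normally means just Basic).
    """
    conf = plistlib.loads(plist_bytes)
    tls = bool(conf.get("EnableSSL", False))
    auth = conf.get("Authentication", {})
    findings = []
    for mech in MECHANISMS:
        section = auth.get(mech, {})
        if not section.get("Enabled", False):
            if mech in expected:
                findings.append((mech, "expected-but-disabled"))
            continue
        if mech not in expected:
            # Enabled but the backend cannot complete it: disable it rather
            # than patching the server to skip the check.
            findings.append((mech, "unexpected-enabled"))
        cleartext_ok = bool(section.get("AllowedOverWireUnencrypted", False))
        if not tls and cleartext_ok:
            # Credentials (or digests) cross the wire on a non-TLS listener.
            findings.append((mech, "cleartext-allowed"))
        elif not tls and not cleartext_ok and mech in expected:
            # This is the silent failure mode: the mechanism you rely on is
            # rejected on the plain listener, so every login fails.
            findings.append((mech, "refused-over-cleartext"))
    return findings


if __name__ == "__main__":
    for mech, finding in audit_authentication(SAMPLE_PLIST):
        print(f"{mech}: {finding}")
```

Run it against a copy of your caldavd.plist by passing the file's bytes to `audit_authentication`; an empty result means only the expected mechanism is enabled and nothing is accepted over a plain listener. The `refused-over-cleartext` finding is the one that matches the symptom in this issue: the fix is to enable TLS, or, if the listener must stay plain, to accept that `AllowedOverWireUnencrypted` for Basic exposes the LDAP password to anyone on the path.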