ICal server with alternate LDAP

Similar Messages

• How to use iCal Server with clients?

  Ok, so since I can't find this anywhere... How do I use iCal Server with other desktop clients? I've selected the user, enabled calendaring, the user can authenticate in web-based group calendars. But then I'm stuck.
  How do I give them their own calendar?
  In iCal, I go to Accounts and try and enter the info but it fails every time. I tried the dns name like so: "calendar.example.edu" but it generates an error. But the user can log in to the web calendar for groups. Where is the users individual calendar located?
  The help menu ignores that field as if it's not needed, but then it fails because the calendar doesn't know where the server is. The clients can't all be OD bound, so this has to work outside of Open Directory. According to Apple other CalDAV clients can connect too. How? Computers just don't "connect" on their own.
  Anyone know the answer?

  I was getting the same error when I tried to subscribe to a calendar using:
  Subscribe to: http://myserver.example.com:8008/
  principals/users/usershortname
  I found that if I added a trailing slash to the URL then it would work :
  Subscribe to: http://myserver.example.com:8008/
  principals/users/usershortname/
  (the way I found this was to navigate via the web browser to http://myserver.example.com:8008 then authenticate as a user, then navigating through to http://myserver.example.com:8008/principals/users/ where you can see all the user names all with a trailing slash after them)
  hope this helps
  Message was edited by: maximumjack

• Can't get Google CAL to work with iCAL "Server with a secure communication unavailable"

  I can't add my google account to iCal...
  Error message:
  "Server with a secure communication unavailable"
  "Your calendar acct isn't on a server that can receive your calendar information securely.."
  I have had this work just fine in the past, had to remove my accounts a while back, decided to add them back, and this error keeps popping up...
  Can anyone help??
  Googled and Searched this forum with no success. Found some suggestions but nothing worked.
  Thanks,

  I have used the CalDAV option from the pop list and the server option is : https://www.google.com/calendar/dav/[email protected]/user    , replace with your email the underlined
  I've found this here .

• Need to test iCal server with Mobile devices

  I have a deployment of the iCal Server rolling out to a global user community. I know it works with the iPhone and iPad, but I need other mobile platforms that we can test it with. So if there are any users with other mobile devices that want to test connections to a Caldav server - I would love to be able to try it out.

  Hi Dave,
  According to your description, my understanding is that you want to make the calendars in SharePoint can be viewed in iCalendar format in the mobile devices.
  To make the SharePoint calendars be viewed in iCalendar format and then you can sync your iPhone with the calendar , you can use the
  MashPoint REST API. Please refer to the link below:
  http://community.bamboosolutions.com/blogs/mashpoint/archive/2010/10/07/how-to-synch-your-iphone-ipad-with-a-sharepoint-calendar.aspx
  Best regards.
  Thanks
  Victoria Xia
  TechNet Community Support

• HELP: Can not connect LDAP server with 64bit ldap csdk5.08 on Solaris10

  We are using 64bit ldap csdk5.08 on SunOS5.10. But it doesn't work.
  We wrote a simple client program that connects using ldap_simple_bind_s() function. When I run the code it gives an error saying 'Can't connect to the LDAP server - Connection refused' .
  At the same time using snoop to capture network packages on the ldap server , it shows no package received at all.
  But if we use 32bit ldap library, the program works well and no error is raised.
  And the 64bit ldap tool ldapsearch also works well, it can search data from the server successfully.
  The sample code:
  ==================================================
  #include <ldap.h>
  #include <stdio.h>
  int
  main( int argc, char **argv )
       LDAP *ld;
       int rc;
       /* Get a handle to an LDAP connection. */
       if ( (ld = ldap_init( "150.236.42.53", 38902)) == NULL )
            perror( "ldap_init" );
            return( 1 );
       /* Bind anonymously to the LDAP server. */
       rc = ldap_simple_bind_s( ld, NULL, NULL );
       if ( rc != LDAP_SUCCESS )
            ldap_perror(ld, "ldap_simple_bind_s:");
       return( 1 );
  }

  This looks like a mismatch between C-sdk libraries and Solaris native libraries.
  Are you sure your program loads the correct libraries ?
  Ludovic.

• Calendar Server with multiple LDAP servers

  Can anybuddy tell me how calendar server shifts to failover (2nd) Directory Server when one fails ? What will be the parameter in ics.conf file ?
  Thanx,
  Rehan

  Can anybuddy tell me how calendar server shifts to failover (2nd) Directory Server when one fails ? What will be the parameter in ics.conf file ?
  Thanx,
  Rehan

• Tuxedo: server with alternate APPDIR directory

  Good day,
  Is there a way to Change the application directory for a group of servers?
  We thought that by providing a different APPDIR in an ENVFILE affiliated to a specific GROUP, it would overwright the APPDIR  variable provided in the MACHINE section.
  But it does not! Our .exe file for the server has to be in the APPDIR (from *Machine section) or it is not found by Tuxedo.
  Any alternative?
  Ash
  Edited by: ashanty on 2012-02-02 16:21

  Hi Ash,
  As the name of the executable. So often the *SERVERS section looks like:
  *SERVERS
  simpapp SRVGRP=APPS SRVID=1 MIN=1 MAX=1
  You can instead use:
  *SERVERS
  /home/app1/simpapp SRVGRP=APPS SRVID=1 MIN=1 MAX=1
  Thus telling Tuxedo where the server binary is located. If you don't specify a full directory path, Tuxedo uses APPDIR as the default. So the following are equivalent:
  *SERVERS
  simpapp SRVGRP=APPS SRVID=1 MIN=1 MAX=1
  and
  *SERVERS
  /home/mine/simpapp SRVGRP=APPS SRVID=1 MIN=1 MAX=1
  where /home/mine is the location of APPDIR.
  Regards,
  Todd Little
  Oracle Tuxedo Chief Architect

• Which mail client do I use with iCal server?

  I will soon have os x server, and I want to use iCal server with mail. I want to schedule meetings, etc., like Exchange. However, many people have Outlook. Some have Entourage. Will these clients with with iCal for scheduling meetings and if not which client can I use? Thank you.

  Which Platform are the clients?
  Apple Mail does not work directly with iCal server. The Leopard version of iCal is what is used for scheduling. Mail is not like Outlook on PC or Entourage on the Mac where email, calendering and contacts are in one application. Leopard uses Mail, iCal, Address Book to provide similar functions.
  Also check out this doc
  http://images.apple.com/server/macosx/docs/iCalService_Admin_v10.5_2ndEd.pdf
  Tells you all the 3rd Party client apps that work with iCal Server.

• Error in iCal Server

  I hace Mac OSX Server 10.5.8
  I am using iCal-Server
  With iOS 6   I could connect to the iCal-Server without problems
  Now I have iOS 7  and i can connect to the iCal-Server, but not read the entires.
  Nothing appears on iOS 7
  I get the following errors on my server in /var/log/caldavd/error.log
  2013-10-10 11:34:05+0200 [-] [caldav-8010]  [AMP,client] REPORT /calendars/__uids__/3ED18185-3796-4375-8341-65166FF18149/9069E96B-98D8-4BEA-85B C-39676C482910/ HTTP/1.1
  2013-10-10 11:34:05+0200 [-] [caldav-8010]  [-] Exception rendering:
  2013-10-10 11:34:05+0200 [-] [caldav-8010]  [-] Unhandled Error
  2013-10-10 11:34:05+0200 [-] [caldav-8010]      Traceback (most recent call last):
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twisted/internet/defer.py", line 239, in callback
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          self._startRunCallbacks(result)
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twisted/internet/defer.py", line 304, in _startRunCallbacks
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          self._runCallbacks()
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twisted/internet/defer.py", line 317, in _runCallbacks
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          self.result = callback(self.result, *args, **kw)
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twisted/internet/defer.py", line 601, in gotResult
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          _deferGenerator(g, deferred)
  2013-10-10 11:34:05+0200 [-] [caldav-8010]      --- <exception caught here> ---
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twisted/internet/defer.py", line 576, in _deferGenerator
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          result = g.next()
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twistedcaldav/method/report.py", line 64, in http_REPORT
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          doc = doc.getResult()
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twisted/internet/defer.py", line 555, in getResult
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          self.result.raiseException()
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twisted/internet/defer.py", line 317, in _runCallbacks
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          self.result = callback(self.result, *args, **kw)
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twisted/web2/dav/util.py", line 66, in gotAllData
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          return filter(result)
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twisted/web2/dav/util.py", line 79, in parse
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          doc = davxml.WebDAVDocument.fromString(xml)
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twisted/web2/dav/element/parser.py", line 223, in parse
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          parser.parse(source)
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/xml/sax /expatreader.py", line 107, in parse
  2013-10-10 11:34:05+0200 [-] [caldav-8010]         
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/xml/sax /xmlreader.py", line 123, in parse
  2013-10-10 11:34:05+0200 [-] [caldav-8010]         
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/xml/sax /expatreader.py", line 207, in feed
  2013-10-10 11:34:05+0200 [-] [caldav-8010]         
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/xml/sax /expatreader.py", line 349, in end_element_ns
  2013-10-10 11:34:05+0200 [-] [caldav-8010]         
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twisted/web2/dav/element/parser.py", line 178, in endElementNS
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          element = top["class"](*top["children"], **top["attributes"])
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twistedcaldav/caldavxml.py", line 1348, in __init__
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          super(TimeRange, self).__init__(*children, **attributes)
  2013-10-10 11:34:05+0200 [-] [caldav-8010]        File "/usr/share/caldavd/lib/python/twistedcaldav/caldavxml.py", line 87, in __init__
  2013-10-10 11:34:05+0200 [-] [caldav-8010]          self.end   = parse_date_or_datetime(attributes["end"  ])
  2013-10-10 11:34:05+0200 [-] [caldav-8010]      exceptions.KeyError: 'end'
  2013-10-10 11:34:05+0200 [-] [caldav-8010]
  2013-10-10 11:36:27+0200 [-] [caldav-8010]  [AMP,client] PROPFIND /calendars/__uids__/3ED18185-3796-4375-8341-65166FF18149/ HTTP/1.1
  2013-10-10 11:36:27+0200 [-] [caldav-8010]  [AMP,client] PROPFIND /calendars/__uids__/3ED18185-3796-4375-8341-65166FF18149/inbox/ HTTP/1.1
  2013-10-10 11:36:39+0200 [-] [caldav-8009]  [AMP,client] Unauthenticated users not enabled with the 'calendar' SACL
  2013-10-10 11:36:39+0200 [-] [caldav-8009]  [AMP,client] PROPFIND /calendars/__uids__/3ED18185-3796-4375-8341-65166FF18149/ HTTP/1.1
  2013-10-10 11:39:32+0200 [-] [caldav-8009]  [AMP,client] Unauthenticated users not enabled with the 'calendar' SACL
  2013-10-10 11:39:33+0200 [-] [caldav-8009]  [AMP,client] PROPFIND /calendars/__uids__/3ED18185-3796-4375-8341-65166FF18149/ HTTP/1.1
  2013-10-10 11:39:33+0200 [-] [caldav-8009]  [AMP,client] PROPFIND /calendars/__uids__/3ED18185-3796-4375-8341-65166FF18149/ HTTP/1.1
  2013-10-10 11:39:33+0200 [-] [caldav-8009]  [AMP,client] PROPFIND /calendars/__uids__/3ED18185-3796-4375-8341-65166FF18149/794B35D8-4D52-4E14-A7C 7-CE5B93DBB294/ HTTP/1.1
  2013-10-10 11:39:33+0200 [-] [caldav-8009]  [AMP,client] PROPFIND /calendars/__uids__/3ED18185-3796-4375-8341-65166FF18149/794B35D8-4D52-4E14-A7C 7-CE5B93DBB294/ HTTP/1.1
  2013-10-10 11:39:56+0200 [-] [caldav-8010]  [AMP,client] OPTIONS /calendars/users/bschwarz/794B35D8-4D52-4E14-A7C7-CE5B93DBB294/ HTTP/1.0
  2013-10-10 11:39:56+0200 [-] [caldav-8010]  [AMP,client] PROPFIND /calendars/users/bschwarz/794B35D8-4D52-4E14-A7C7-CE5B93DBB294/ HTTP/1.0
  2013-10-10 11:41:38+0200 [-] [caldav-8009]  [AMP,client] Unauthenticated users not enabled with the 'calendar' SACL
  2013-10-10 11:41:38+0200 [-] [caldav-8009]  [AMP,client] PROPFIND /calendars/__uids__/3ED18185-3796-4375-8341-65166FF18149/ HTTP/1.1
  2013-10-10 11:44:58+0200 [-] [caldav-8009]  [AMP,client] PROPFIND /calendars/__uids__/3ED18185-3796-4375-8341-65166FF18149/ HTTP/1.1
  2013-10-10 11:44:58+0200 [-] [caldav-8009]  [AMP,client] PROPFIND /calendars/__uids__/3ED18185-3796-4375-8341-65166FF18149/ HTTP/1.1
  2013-10-10 11:44:58+0200 [-] [caldav-8009]  [AMP,client] PROPFIND /calendars/__uids__/3ED18185-3796-4375-8341-65166FF18149/794B35D8-4D52-4E14-A7C 7-CE5B93DBB294/ HTTP/1.1

  I was having the same exact problem, and fixed it by either:
  1) Reordering the search policy in directory utility so that LDAP was ahead of AD
  2) Changing the authentication method within the iCal Server Utility to Password (it was set to kerberos).
  I have been doing battle with kerberos, iCal, and AD for the past few weeks. A lot of trial and error has gone into this process, so I'm sorry I can't be more specific...
  Good Luck.

• Messaging server with openldap

  Hi all,
  Is anybody here has an experience in handling sun java messaging server 7u2 with open ldap?
  I tried to connect the messaging server with open ldap but still got error "Could not connect to LDAP server".
  Isn't possible for them to communicate?
  Pls advise.

  Hi, Shane,
  I seem to be half way with the external LDAP stuff but run into problems. I added a set of objectclasses and attribute types to OpenLDAP. Next I changed the option.dat (and ran a cnbuild):
  ALIAS_URL0=extldap:///$V?*?sub?$R
  REVERSE_URL=extldap:///$V?$N?sub?$R
  LDAP_EXT_HOST=10.20.30.40
  LDAP_EXT_USERNAME=cn=Manager,dc=domain,dc=nl
  LDAP_EXT_PASSWORD=secret
  LDAP_EXT_BASEDN=dc=domain,dc=nl
  LDAP_EXT_MAX_CONNECTIONS=10
  LDAP_EXT_INITIAL_CONNECTIONS=0
  DOMAIN_MATCH_URL=extldap:///dc=domain,dc=nl?objectclass?sub?(&(objectClass=sunManagedOrganization)(|(associatedDomain=$D)(sunPreferredDomain=$D)))
  Would this constitue a valid configuration?
  The good news is that I see LDAP connections arriving at the OpenLDAP server. The bad news is that:
  1. I get errors on the ALIAS_URL0 and REVERSE_URL LDAP queries (see below for the log)
  2. the $D in the DOMAIN_MATCH_URL is not replaced by the domainname before the LDAP query is started, so in the output of imsimta test -rewrite -debug and in the log file of OpenLDAP the $D characters show up instead of the domainname they should represent
  Ad 1. error log in OpenLDAP:
  Aug 28 15:18:50 ws22763 slapd[7535]: daemon: read active on 12
  Aug 28 15:18:50 ws22763 slapd[7535]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
  Aug 28 15:18:50 ws22763 slapd[7535]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
  Aug 28 15:18:50 ws22763 slapd[7535]: connection_get(12)
  Aug 28 15:18:50 ws22763 slapd[7535]: connection_get(12): got connid=10
  Aug 28 15:18:50 ws22763 slapd[7535]: connection_read(12): checking for input on id=10
  Aug 28 15:18:50 ws22763 slapd[7535]: conn=10 op=0 do_bind
  Aug 28 15:18:50 ws22763 slapd[7535]: >>> dnPrettyNormal: <cn=Manager,dc=domain,dc=nl>
  Aug 28 15:18:50 ws22763 slapd[7535]: <<< dnPrettyNormal: <cn=Manager,dc=domain,dc=nl>, <cn=manager,dc=domain,dc=nl>
  Aug 28 15:18:50 ws22763 slapd[7535]: conn=10 op=0 BIND dn="cn=Manager,dc=domain,dc=nl" method=128
  Aug 28 15:18:50 ws22763 slapd[7535]: do_bind: version=3 dn="cn=Manager,dc=domain,dc=nl" method=128
  Aug 28 15:18:50 ws22763 slapd[7535]: ==> bdb_bind: dn: cn=Manager,dc=domain,dc=nl
  Aug 28 15:18:50 ws22763 slapd[7535]: conn=10 op=0 BIND dn="cn=Manager,dc=domain,dc=nl" mech=SIMPLE ssf=0
  Aug 28 15:18:50 ws22763 slapd[7535]: do_bind: v3 bind: "cn=Manager,dc=domain,dc=nl" to "cn=Manager,dc=domain,dc=nl"
  Aug 28 15:18:50 ws22763 slapd[7535]: send_ldap_result: conn=10 op=0 p=3
  Aug 28 15:18:50 ws22763 slapd[7535]: send_ldap_result: err=0 matched="" text=""
  Aug 28 15:18:50 ws22763 slapd[7535]: send_ldap_response: msgid=1 tag=97 err=0
  Aug 28 15:18:50 ws22763 slapd[7535]: conn=10 op=0 RESULT tag=97 err=0 text=
  Aug 28 15:18:50 ws22763 slapd[7535]: daemon: activity on 1 descriptor
  Aug 28 15:18:50 ws22763 slapd[7535]: daemon: activity on:
  Aug 28 15:18:50 ws22763 slapd[7535]:
  Aug 28 15:18:50 ws22763 slapd[7535]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
  Aug 28 15:18:50 ws22763 slapd[7535]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
  Aug 28 15:18:50 ws22763 slapd[7535]: daemon: activity on 1 descriptor
  Aug 28 15:18:50 ws22763 slapd[7535]: daemon: activity on:
  Aug 28 15:18:50 ws22763 slapd[7535]: 12r
  Aug 28 15:18:50 ws22763 slapd[7535]:
  Aug 28 15:18:50 ws22763 slapd[7535]: daemon: read active on 12
  Aug 28 15:18:50 ws22763 slapd[7535]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
  Aug 28 15:18:50 ws22763 slapd[7535]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
  Aug 28 15:18:50 ws22763 slapd[7535]: connection_get(12)
  Aug 28 15:18:50 ws22763 slapd[7535]: connection_get(12): got connid=10
  Aug 28 15:18:50 ws22763 slapd[7535]: connection_read(12): checking for input on id=10
  Aug 28 15:18:50 ws22763 slapd[7535]: ber_get_next on fd 12 failed errno=0 (Success)
  Aug 28 15:18:50 ws22763 slapd[7535]: connection_read(12): input error=-2 id=10, closing.
  Aug 28 15:18:50 ws22763 slapd[7535]: connection_closing: readying conn=10 sd=12 for close
  Aug 28 15:18:50 ws22763 slapd[7535]: connection_close: conn=10 sd=12
  Aug 28 15:18:50 ws22763 slapd[7535]: daemon: removing 12
  Aug 28 15:18:50 ws22763 slapd[7535]: conn=10 fd=12 closed (connection lost)
  and in the output of imsimta test -rewrite -debug:
  15:15:10.38: Looking up host "host.domain.nl".
  15:15:10.38: - found on channel l
  15:15:10.38: Routelocal flag set; scanning for % and !
  15:15:10.38: Checking reverse URL cache for: [email protected]
  15:15:10.38: Applying reverse URL pattern extldap:///$V?$N?sub?$R to: [email protected]
  15:15:10.38: Resulting URL: extldap:///$V?$N?sub?$R
  15:15:10.38: mmc_open_url_reason called to open extldap:///$V?$N?sub?$R, flags = 384
  15:15:10.38: URL with quotes stripped: extldap:///$V?$N?sub?$R
  15:15:10.38: LDAP URL identified
  15:15:10.38: URL context #1 will be used
  15:15:10.38: Performing URL search on: extldap:///$V?$N?sub?$R
  15:15:10.39: URL open result -2: Search failed: Bad search filter (87)
  15:15:10.39: URL resolution failed, status = -2
  15:15:10.39: Override postmaster:
  15:15:10.39: Mapped return address: [email protected]
  15:15:10.39: from_access mapping check: ||MAIL|l|[email protected]|
  Ad 2: the imsimta test -rewrite output:
  *** Debug output from rewriting a forward envelope address:
  15:10:59.48: Rewriting: Mbox = "user", host = "domain.nl", domain = "$*", literal = "", tag = ""
  15:10:59.48: Rewrite: "$*", position 0, hash table -
  15:10:59.48: Found: "$A$E$F$U%[email protected]"
  15:10:59.48: Match, pattern = "domain.nl", current = "(*domaincheck*)"
  15:10:59.48: old state = not checked.
  15:10:59.48: Domain check on domain.nl.
  15:10:59.49: mmc_open_url_reason called to open extldap:///dc=domain,dc=nl?objectclass?sub?(&(objectClass=sunManagedOrganization)(|(associatedDomain=$D)(sunPreferredDomain=$D))), flags = 0
  15:10:59.49: URL with quotes stripped: extldap:///dc=domain,dc=nl?objectclass?sub?(&(objectClass=sunManagedOrganization)(|(associatedDomain=$D)(sunPreferredDomain=$D)))
  15:10:59.49: LDAP URL identified
  15:10:59.49: URL context #1 will be used
  15:10:59.49: Performing URL search on: extldap:///dc=domain,dc=nl?objectclass?sub?(&(objectClass=sunManagedOrganization)(|(associatedDomain=$D)(sunPreferredDomain=$D)))
  15:10:59.50: URL open result 0: Search succeeded but result set was empty
  15:10:59.50: Added domain result 0 to cache for domain.nl.
  15:10:59.50: new state = fail pending.
  15:10:59.50: Rewrite failed due to prechannel mismatch.
  and in OpenLDAP:
  Aug 28 15:14:39 ws22763 slapd[7535]: conn=9 op=1 SRCH base="dc=domain,dc=nl" scope=2 deref=3 filter="(&(objectClass=sunManagedOrganization)(|(associatedDomain=$d)(?sunPreferredDomain=$D)))"
  Some questions:
  1. are the settings in option.dat correct
  2. if so, why is the $D not expanded before the LDAP lookup is performed?
  3. it seems OpenLDAP doesn't like the search filter; where can I find the meaning of the $R
  Your help greatly appreciated.
  /rolf

• ICal Server, iPhone, Delegates (or lack there of) & Alerts

  I have set up iCal Server, with a company-wide calendar, with all employees added as delegates. When I add an employee's CalDAV account on their 3.0 iPhone, they don't see the company-wide calendar, because iPhone 3.0 doesn't support delegates. But then when I set the company-wide iCal CalDAV on the iPhone, and set an alert, obviously every iPhone in the company receives the alert. Even when I turn off "New Alert Notices" in the iPhone settings, the iPhones still receive the alerts. I would like to avoid every iPhone in the company from receiving every alert, yet be able to view and add events to the company-wide calendar.
  Any ideas?

  This doesn't answer your question but there is a way to make delegates work on the iPhone. If you are setup as a delegate of someone's calendars you can trick the iPhone into giving you full access to that calendar. For each delegate you need a separate CalDAV account setup in the iPhone which is a pain but doable for small companies.
  Setup the CalDAV account with your server and your login information. Put anything you want for the description but I suggest the name of the calendar user you are gaining access to.
  When done, go back into the account details and click Advanced Settings. Click the Account URL and change the end of the URL from: "\yourname" to "\Jane" (in my example, use the short name of the person you're accessing)
  When you go back into your list of calendars you will see this new category with the calendars listed.

• ICal Server - 2 users out of many cannot see availability

  Hi..
  There seems to be a strange issue with 2 users out of many in my configuration.
  I have a server running OS X Server 10.6.6 with iCal Server (among other services - EMail, OD, etc) configured.
  There are several (50+) users configured in WGM.
  Basic Calendar operation...
  - Connect (via caldav) to the iCal Server with iCal, or using the Web interface
  - create a new event
  - add invitees, or one of the configured locations
  - view the 'availability' of the invitees or locations
  .. works as advertised, showing checkmark or whatever for the person or location, as well as your own 'work times' as configured in iCal preferences...
  .. except for 2 of the users.
  The name / location autocomplete works as expected.
  The name of the person or location is displayed normally, but there is an exclamation mark - ! - beside the name.
  There is no display of the busy times or availability in the panel provided.
  Their own 'work times' (configured on the account information preferences window) are not shown.
  (their availability is shown when other users invite and check)
  The invitation for the event that they create is sent to the other user, but when the request is accepted, there is no event in the other calendar, and no indication on their event that the user had accepted.
  I have gone thru the user's settings in WGM, compared them to other 'functioning' usernames, and found nothing that yells 'fix-me'.
  It is not a client side issue, as I have created the iCal caldav connection on other computers, used the web interface from other computers, (where it works for other users).
  The users were all created manually, following the same process, with the same basic information entered.
  These 2 specific users were created several minutes apart, are not sequential in the UIDs.
  I do not wish to delete and recreate these users, for various reasons...
  (as a last resort, may have to...)
  so....
  does ANYone have any suggestions or ideas where to look?
  thanks...

  ok.. so..
  riddle me this:
  why did this issue spontaneously resolve itself?
  have been testing and analyzing for over a week...
  one account started working yesterday.
  I tested the other account this morning, it didn't work on client computer.
  set up the caldav account on my computer, tested, it worked.
  went back to client computer, tested, it worked.
  not going to complain, but am curious as to the cause and solution...

• Getting iCal 3 to work with an LDAP server

  I've managed to set up Directory Utility with a third-party LDAP server (part of Communigate Pro) so that Directory will look up people.
  However I expected that once I did this, iCal would consult the LDAP server to do autocompletion when adding attendees to events. It doesn't.
  I thought maybe I could use Address Book's Directories Group to facilitate adding attendees. Both the LDAP server configured through Mail and the LDAP Directory Service configured through Directory Utility are visible here--but even though I can look people up, I can't drag any of the resulting names into the Attendees list in iCal.
  It seems I first have to drag them into a local Group; only then can I drag them into Attendee lists in iCal.
  Finally, iCal has a feature called the Address Panel which I thought might make use of an LDAP server configured through Directory Utility, but it hasn't worked for me. The Panel says "Open Directory Lookup" near the top of the window, which suggests it might not be intended to function with any old LDAP implementation.
  Any suggestions?
  By the way, I have the LDAP server's entry in Directory Utility as RFC 2307 with an empty searchbase for all mappings. However I haven't modified any of the mappings themselves.
  Thanks.

  iCal 3 looks for certain specific LDAP attributes which are (somewhat) unique to Open Directory.
  Some information on mimicking Open Directory can be found at http://wiki.expertmx.com/doku.php?id=applecalendarserver

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• ICal Server - Can't log in with Kerberos?

  Hello, I have been struggling the past few days getting ical server properly installed and configured to incorporate into our environment (just installed 10.6 server). I am very new to Kerberos, in fact never heard of it before getting into this, but would like to possibly use it as an authentication option. I have my master open directory installed and running, it says Kerberos is running, ldap as well as password server, all running. I created some test users in the LDAPv3/127.0.0.1 directory with open directory password types. I have opened ticket viewer and assigned tickets to these test users. In my Ical settings in server admin, I have authentication type set to kerberos. When I try to add an account via my ical client on my workstation (also 10.6 just installed), it searches and I get the message:
  "Ical found the CALDAV server "servername" but couldn't log in with the user name "username". Make sure the user name and password you entered are correct, then try again"
  If I click next and go to the calendar server options screen I select Ical server template, the port changes to 8443 I believe and I change it back to the default of 8008, and click use kerberos v5 for authentication, and uncheck Use SSL as I have that off. I then get the message of:
  "Authentication failed. The server does not support Kerberos authentication."
  Now, if I go completely backward, and change my iCal server authentication type to Digest, or Any Method, I can log in using any of my local user names and passwords and any open directory password users. This is great because it shows me the system is working, and I can get in, however what I don't quite understand is if I log in with a different/various usernames and passwords, I get a separate calendar for each login. When watching the apple demo video of Ical server here http://www.youtube.com/watch?v=7bzMTpLv-EE&feature=related , it seems there is one calendar, and multiple users are logging in using different logins, but accessing the same calendar.
  So I guess my main questions are, why isn't Kerberos working, and how do I get it to work, am I missing something? And how do I get Ical server to operate the way it is in the video, so people log in with different various logins but are able to see the same "work" calendar as shown in the video.
  I appreciate any help/insight. Thank you.

  One additional piece of information that I don't know if it is a bug or if anyone else has this problem, but when I am logged in with a user, and access my address panel via my ical client, none of my locations, resources, people, or groups show up, every category is empty. However, if I start to type a search for a location name or user that I know the name of that I have added, THEN it will show up and I can click/select it. Almost behaving completely backwards, any ideas why these are not showing up without using the search??? Thank you again.