Debugging/Fixing Sun Calendar Permissions
July 5, 2006 | 2 Comments
As part of the Luminis Platform, we run the Sun Java Enterprise System Calendar Server, previously called SunOne Calendar Server and before that iPlanet Calendar Server. As expected, this calendar server has a fairly robust (read: complicated) permission system. Invariably, users make setting changes that cause undesirable behavior with their calendar. A common symptom is that suddenly no other users can find their calendar when searching for them and in turn can't subscribe to the calendar, even if they have the privileges to do that.
So, over the years I've developed a semi-effective process for debugging the calendar permissions from the backend.
- SSH to your calendar server.
- cd to the calendar server /bin directory (for Luminis this is $CP_ROOT/products/SUNWics5/cal/bin).
- Use the cscal utility to query the trouble user, for example:
./cscal -v list jpseudo
- In the output you'll see a line called 'aces'. It will look something like:
aces=@@o^c^WDEIC^g;@@o^a^RSF^g;someuser^a^rsf^g;someuser^c^^g;anotheruser^a^rsf^g;anotheruser^c^wd^g;someoneelse^a^rsf^g;someoneelse^c^^g;@^a^^g;@^c^^g;someuser^p^r^g;anotheruser^p^r^g;someoneelse^p^r^g
- This is the access control list, or ACL, and it is obviously very hard to read. I use EditPlus to do a regular expression find (;) and replace (;\n) on the permissions to clean it up a bit.
- Now it reads:
@@o^c^WDEIC^g;
@@o^a^RSF^g;
someuser^a^rsf^g;
someuser^c^^g;
anotheruser^a^rsf^g;
anotheruser^c^wd^g;
someoneelse^a^rsf^g;
someoneelse^c^^g;
@^a^^g;
@^c^^g;
someuser^p^r^g;
anotheruser^p^r^g;
someoneelse^p^r^g
- Now for a brief aside explaining these individual permissions, called access control entries or ACEs...
The ACE consists of four distinct elements separated by a caret (^):
  - Who - the user or type of user the permission applies to. Valid entries are:
    - username
    - @@o - all owners
    - @@p - primary owner
    - @@n - not an owner
    - @ - anyone
  - What - the thing being accessed. Valid entries here are:
    - c - calendar component, events or tasks
    - p - calendar properties such as name, description, owners and so forth
    - a - entire calendar including components and properties
  - How - what actions are permitted. Valid entries are:
    - r - read
    - w - write
    - d - delete
    - s - schedule or invite
    - f - free/busy or availability
    - e - accept or decline invitations
    - i - send invites for events on the calendar
    - c - cancel
  - Grant - this determines whether the ACE is a grant (g) or a deny (d)
Now that we have a clue what these ACEs actually represent, how do we go about finding a problem?
- If the issue is about a single user experiencing trouble with jpseudo's calendar, then extract only the ACEs that apply to that user or apply globally. If instead it is a generalized issue, eliminate all user-specific ACEs and only look at global ones. Either way you should be able to drastically reduce the number of rules you are looking at.
- If this issue is the example originally given, where the user's calendar cannot be seen by any users, then we are looking for a permission like @^p^r^g; or something similar. If the problem is not readily apparent, it is often useful to compare a user whose calendar you know works against this problem user.
- Now it is time to modify the permissions. More specific entries should be ordered first; this allows them to override entries that come later.
- Once you have the entries ordered properly, the command you need to execute will look something like this:
./cscal -a "@@o^c^WDEIC^g;@@o^a^RSF^g;someuser^a^rsf^g;someuser^c^^g;anotheruser^a^rsf^g;anotheruser^c^wd^g;someoneelse^a^rsf^g;someoneelse^c^^g;@^a^^g;@^c^^g;someuser^p^r^g;anotheruser^p^r^g;someoneelse^p^r^g;@^p^r^g" modify jpseudo
- Hopefully the change you made succeeds and life is good. If not, rinse and repeat!
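The manual steps above (split the ACL, keep only the relevant ACEs, look for the entry that decides the request) can be scripted. The following is an added example, not part of the original post or of the calendar server's tooling: it assumes the action letters are case-insensitive and that the first matching ACE in list order wins, as the ordering advice implies; the `is_owner` flag and the user `stranger` are hypothetical.

```python
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    who: str     # username, @@o, @@p, @@n or @
    what: str    # c, p or a
    how: str     # subset of rwdsfeic, lower-cased; may be empty
    grant: bool  # True for g, False for d

def parse_acl(acl: str) -> list:
    """Split an aces value (as printed by cscal -v list) into Ace tuples."""
    if acl.startswith("aces="):
        acl = acl[len("aces="):]
    aces = []
    for raw in (r.strip() for r in acl.split(";")):
        if not raw:
            continue
        parts = raw.split("^")
        if len(parts) != 4:
            raise ValueError(f"malformed ACE: {raw!r}")
        who, what, how, grant = parts[0], parts[1].lower(), parts[2].lower(), parts[3].lower()
        if what not in {"c", "p", "a"} or grant not in {"g", "d"} or not set(how) <= set("rwdsfeic"):
            raise ValueError(f"malformed ACE: {raw!r}")
        aces.append(Ace(who, what, how, grant == "g"))
    return aces

def relevant(aces, user=None):
    """Global ACEs (who starts with '@') plus, if given, one user's own ACEs."""
    return [a for a in aces if a.who.startswith("@") or a.who == user]

def first_match(aces, user, what, action, is_owner=False) -> Optional[Ace]:
    """First ACE in list order that names this who/what/action, else None.
    Assumption: evaluation is first-match, as the ordering advice implies."""
    for a in aces:
        who_ok = (a.who in (user, "@") or (a.who == "@@o" and is_owner)
                  or (a.who == "@@n" and not is_owner))
        if who_ok and a.what in (what, "a") and action in a.how:
            return a
    return None

# ACL strings copied from the post: before the fix, and with @^p^r^g appended.
BEFORE = ("@@o^c^WDEIC^g;@@o^a^RSF^g;someuser^a^rsf^g;someuser^c^^g;"
          "anotheruser^a^rsf^g;anotheruser^c^wd^g;someoneelse^a^rsf^g;"
          "someoneelse^c^^g;@^a^^g;@^c^^g;someuser^p^r^g;anotheruser^p^r^g;"
          "someoneelse^p^r^g")
AFTER = BEFORE + ";@^p^r^g"

if __name__ == "__main__":
    for label, acl in (("before", BEFORE), ("after", AFTER)):
        hit = first_match(parse_acl(acl), "stranger", "p", "r")  # 'stranger' is a made-up user
        print(label, "->", hit if hit else "no ACE matches: calendar not visible")
```

With the original ACL, no entry gives an unlisted user read access to the calendar properties, which matches the "nobody can find the calendar" symptom; with the appended global entry there is one.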
Tags: ACE, aces, ACL, acls, application administration, calendar, iPlanet Calendar Server, java, luminis, luminis platform, Sun, Sun Java Enterprise System Calendar Server, sungard, sungard higher education, SunOne Calendar Server, system administration
Summit 2006, A Great Success
June 14, 2006 | 7 Comments
In April Plymouth State University had a large showing at SunGard Higher Education Summit 2006. In fact, 13 PSU staff attended and gave 14 presentations.
While at Summit in Orlando it quickly became clear that PSU was a significant presence at the 7000+ attendee conference. A fairly substantial accomplishment for a small, public institution in northern New Hampshire. As a whole the conference was an amazing experience for many of us. We learned a lot, had a lot of fun, and felt a bit like rock stars for 3 days.
This was my third Summit attendance and the second time I was presenting. I personally had the pleasure of giving four presentations over the course of this conference. Two which were normal solo presentations, one less formal in the developers lounge, and a third with my colleagues Ken Kochien and Jen Hall. Being able to interact with this many people with great ideas, questions and general excitement was exhilarating.
New at Summit this year was the Luminis Developer's lounge, which was primarily organized by Jon Wheat of Messiah College, founder of the Luminis Developer's Network. As far as I could tell, the lounge was a great success where many of us engaged in informal, in-depth discussions among each other and with some significant SunGard representatives including Vishal Goenka and Josh Horner. My time spent in the lounge was amazingly valuable and insightful.
I'm finally getting around to writing this article because I was notified today about the results of one of my two official solo presentations. Specifically in reference to the presentation titled Implement and Deploy Banner Channels. Apparently reviews on that presentation were exceptional, placing me in the top five Summit 2006 presentations. I left that presentation feeling good about it, but I was not aware it was that well received. As part of this recognition, I have been awarded a free 4 night stay in one of the Summit hotels for Summit 2007 in Las Vegas, Nevada on March 19-22.
I figure I can take a brief opportunity to have a big head and share a subset of the comment feedback I received from the session evaluations:
- Best session yet. Did exactly what it said on the tin!
- Excellent Speaker--good topic--interesting discussion.
- Great presenter. Good info. Would have liked to see a few more technical examples. Good overview of deployment issues.
- He answered all my questions and saved me valuable time in guess work
- I found this presentation very helpful and found the speaker easy to identify with.
- Presenter seemed real knowledgeable on the topic and seemed to appeal to many of the techies in the room.
- Totally relevant to where we are and what our issues are! Thanks!
- Very interesting and informative -- hopefully this will help us dodge a few of these "gotchas". Thanks!
- very knowledgeable about issues that may be encountered, good advice on how to approach them for quicker resolution
- very well done, zach. timely topic, nicely presented.
- Zach held the best session I have been to all conference.
- Zachary is the Best presenter of the conference! Great presence with his audience!
- Zachary Tirrell was an excellent presenter, made the topic very interesting.
OK, so that is enough warm fuzzies to make me feel guilty about even posting it. Regardless, I have to say I would not have had anywhere near the success I have enjoyed with this if not for the support of the amazing MIS team I work with. Additionally, all aspects of ITS make any success we have with ventures like Luminis possible.
Summit 2006 rocked. From the great number of presentations we gave on varying topics, our Dan-athon through the Disney parks, the hilarious quotes extracted from our hugely entertaining group, to Laurianne's participation in the closing session improv, Summit 2006 was a huge success for Plymouth State, my colleagues, and me personally. Here's looking forward to Summit 2007 in Las Vegas!
Tags: conference, higher education, jon wheat, ldn, luminis, luminis developer's network, plymouth state university, presentation, sct, summit, sungard, sungard higher education, Zachary Tirrell
Leveraging CAS with Luminis
March 28, 2006 | 4 Comments
In SunGard Higher Education's Luminis product one of the many add-on packages you can install is CAS support. CAS is an acronym for Central Authentication Service. This WebISO solution is one of the most common in higher education. CAS was created originally by Yale, but ongoing support has been taken over by JA-SIG. When the CAS package is installed in Luminis, it makes Luminis act as a CAS authentication provider. Coupled with this built-in Luminis support, we use a CAS library called phpCAS that adds to the simplicity of deploying this within our environment.
Time and again, CAS has been proven an effective and simple way for us to quickly drop authentication ability into our homegrown PHP applications. Once a function was developed, this was easily reused across dozens of applications within a few short months. The ease of deployment made it easy to convince various developers to switch from custom authentication schemes.
In a PHP application on any of the servers in your environment you can do something like the following:
<?php

function casify()
{
    // import phpCAS lib (http://esup-phpcas.sourceforge.net/)
    include_once($GLOBALS['INCLUDES'].'/cas/CAS.php');

    // initialize phpCAS
    phpCAS::client(CAS_VERSION_2_0,'luminis.institution.edu',443,'cas/');

    // check CAS authentication
    phpCAS::forceAuthentication();

    // at this step, the user has been authenticated by the CAS server
    // and the user's login name can be read with phpCAS::getUser().

    return phpCAS::getUser();
}

$username = casify();

// nothing past the execution of casify() would occur without acquiring a valid CAS ticket

?>
Note: the preceding code is an example. There is more sophisticated functionality that can be accomplished using CAS; this is merely a starting point for people interested in this WebISO technology.
Tags: cas, development, education, higher education, identity management, jasig, luminis, php, phpcas, security, sungard, sungard higher education, web development, yale, yalecas
