Each domain's LDAP entry specifies access permissions in ACEs (access control entries), which are defined in the domainAccess parameter of the icsExtendedDomainPrefs attribute. There are two ways to allow external domains to search this domain: allow specific domains, or allow all domains.
The construction of ACIs is explained more fully in 1.8 Access Control for Calendar Server Version 6.3.
There are three ways to allow a specific external domain to search this domain:
Using ldapmodify, create the following ACE string in the domainAccess preference of the icsExtendedDomainPrefs attribute:
@domain_being_allowed^a^lsfr^g
Form the ACE by specifying the domain allowed to search this domain, followed by sufficient permissions to allow the search.
Only one instance of the domainAccess property is allowed. If you change the value using ldapmodify, you must ensure that you do not inadvertently create a duplicate of this property.
The system reads the ics.conf file sequentially and honors the last value it finds for an attribute. For LDAP entries, by contrast, it uses the first instance it finds. Because the LDAP search mechanism does not guarantee that the entry contents are returned in any specific order, an older version of the property might be retrieved first, and Calendar Server would not look any further.
Using the Delegated Administrator Utility command commadmin domain modify, add ACE strings that specify the domainAccess preference in the icsExtendedDomainPrefs attribute.
For example, in a Schema version 2 environment, sesta.com allows searches from siroe.com:
commadmin domain modify -D admin -w adminpassword -X hostmachine_1 -d sesta.com -A +icsextendeddomainprefs:"domainAccess=@@d^a^slfrwd^g; @siroe.com^a^lsfrwd^g;anonymous^a^r^g;@^a^s^g"
Using Delegated Administrator Console, when creating or editing an organization's properties, you can add domains to the Allow Invitations From Users in These Organizations list.
This updates the domainAccess preference in the icsExtendedDomainPrefs attribute.
The first two methods let you specify the exact permissions given to the domains. The last one, using the Delegated Administrator Console, gives the administrator less control, because the list of permissions is preset. The permissions given are free-busy access and event scheduling access. The user can't see event details unless the owner of that calendar has set permissions that allow all users to read it.
There are three ways to allow all external domains to search this domain:
Using ldapmodify, create the following ACE string in the domainAccess preference of the icsExtendedDomainPrefs attribute:
@^a^slfr^g
Form the ACE by specifying that all domains have sufficient access to perform searches.
Using the Delegated Administrator Utility command commadmin domain modify, add ACE strings that specify the domainAccess preference in the icsExtendedDomainPrefs attribute.
For example, in a Schema version 2 environment, sesta.com allows searches by all domains:
commadmin domain modify -D admin -w adminpassword -X hostmachine_1 -d sesta.com -A +icsextendeddomainprefs:"domainAccess=@@d^a^slfrwd^g; anonymous^a^r^g;@^a^slfr^g"
The characters @@d refer to the domain of the primary owner.
Using Delegated Administrator Console, when creating or editing an organization's properties, you can add domains to the Allow Invitations From Users in These Organizations list.
This updates the domainAccess preference in the icsExtendedDomainPrefs attribute.
The first two methods let you specify the exact permissions given to the domains. The last one, using the Delegated Administrator Console, gives the administrator less control, because the list of permissions is preset. The permissions given are free-busy access and event scheduling access. The user can't see event details unless the owner of that calendar has set permissions that allow all users to read it.
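The duplicate-property caveat and the ACE forms above can be checked together before and after a change. The following Python is an added example, not code from Calendar Server or its documentation. The function names, the who/what/how/grant field labels and the treatment of a final g as "granted" are assumptions, and the input is the list of icsExtendedDomainPrefs values already read from one domain entry.

```python
# Added example (not Calendar Server code). Field names are this example's labels.
SEARCH_RIGHTS = set("lsfr")  # rights in the page's search-only ACEs

# Constructed input: the two domainAccess values from the page's commadmin examples.
SPECIFIC = "domainAccess=@@d^a^slfrwd^g; @siroe.com^a^lsfrwd^g;anonymous^a^r^g;@^a^s^g"
ALL_DOMAINS = "domainAccess=@@d^a^slfrwd^g; anonymous^a^r^g;@^a^slfr^g"

def parse_aces(value):
    """Split 'domainAccess=ace;ace;...' into dicts of the four ^-separated fields."""
    aces = []
    for raw in value.split("=", 1)[1].split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing ';'
        fields = raw.split("^")
        if len(fields) != 4:
            raise ValueError(f"malformed ACE: {raw!r}")
        aces.append(dict(zip(("who", "what", "how", "grant"), fields)))
    return aces

def audit(values):
    """values: every icsExtendedDomainPrefs value read from one domain entry."""
    access = [v for v in values if v.lower().startswith("domainaccess=")]
    findings = []
    if len(access) > 1:
        # The server uses the first copy LDAP returns, and that order is not guaranteed.
        findings.append(f"duplicate domainAccess ({len(access)} values)")
    for value in access:
        for ace in parse_aces(value):
            who = ace["who"]
            # Only ACEs granted to external domains matter here; @@d is the owner's domain.
            if ace["grant"] != "g" or not who.startswith("@") or who.startswith("@@"):
                continue
            if who == "@":
                findings.append(f"all domains granted '{ace['how']}'")
            extra = "".join(sorted(set(ace["how"]) - SEARCH_RIGHTS))
            if extra:
                findings.append(f"{who} granted '{extra}' beyond search rights")
    return findings

if __name__ == "__main__":
    for finding in audit([SPECIFIC, ALL_DOMAINS]):
        print(finding)
```

Run against the page's first commadmin example, the audit reports that siroe.com receives the rights d and w in addition to the lsfr set used in the search-only ACE.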