This chapter contains conceptual information and instructions on how to administer domains in your Calendar Server deployment.
This chapter contains the following sections about administering multiple domains:
There are two ways to administer Calendar Server domains.
Use one of the following two sets of tools:
Delegated Administrator Console or Utility (for Schema version 2 environments).
Delegated Administrator is a separately installable component in the Java Enterprise System installer. For more information on the Utility, see the Sun Java System Communications Services 6 2005Q4 Delegated Administrator Guide. For more information on the Console, use the Delegated Administrator Console online help.
Calendar Server Utilities: csdomain and csattribute (for Schema version 1 environments).
Installed with Calendar Server. You can add or delete attributes with csdomain, but there is no modify command. Use csattribute to modify the value of an existing attribute. In addition, should the need arise, use ldapmodify to add or delete object classes in domains created with csdomain.
For information about csdomain and csattribute, see Appendix D, Calendar Server Command-Line Utilities Reference.
For information about particular object classes and attributes, see the Sun Java System Communications Services 6 2005Q4 Schema Reference.
For an overview of multiple domains and other introductory material, see Chapter 10, Setting Up a Multiple Domain Calendar Server 6.3 Environment.
Calendar Server does not support using the Access Manager Console for domain administration.
This section contains conceptual information and instructions for adding domains to your Calendar Server deployment. You can use either schema with multiple domains. However, if you have the choice, use Schema version 2 to take advantage of the superior tool set.
This section contains the following topics:
Calendar Server software has multiple domains enabled by default. Do not change the value of the following ics.conf parameter: service.virtualdomain.support="yes".
Once you have completed the preparation work described in Chapter 10, Setting Up a Multiple Domain Calendar Server 6.3 Environment, you can add new domains.
Each domain has a set of attributes and preferences that you can set. These attributes are part of the icsCalendarDomain object class. The attributes include preferences such as access rights, access control lists (ACLs), domain searches, access rights for domain searches, user status, and proxy logins.
This section contains instructions on how to add a domain in Schema version 2 mode.
You can use either the Delegated Administrator Console or Utility:
Console — Use the Create New Organization wizard on the Organization List page.
For more information, see the Delegated Administrator Console online help.
Utility — Use the commadmin domain create command.
For example, to create the domain sesta.com, issue the following command:
commadmin domain create -D calmaster -d sesta.com -w calmasterpassword -S cal -B backend.sesta.com
For information about the Delegated Administrator Utility, see the Sun Java System Communications Services 6 2005Q4 Delegated Administrator Guide.
This section contains a simplified sample instruction for using the csdomain utility.
Use csdomain create when creating a domain in Schema version 1. For example, to create west.sesta.com, use the following command.
csdomain create west.sesta.com
For instructions on how to configure for multiple domains, see Chapter 10, Setting Up a Multiple Domain Calendar Server 6.3 Environment.
This section contains the instructions for enabling cross domain searches.
This section covers the two tasks you must do to enable cross domain searches:
13.3.1 Adding Names of Domains Allowed to Search This Domain in the LDAP entry for each of the domains allowed to search this domain.
13.3.2 Adding Names of Domains to be Searched by This Domain when users in this domain send invitations to events.
This can be done using either of the following tools: ldapmodify (for either Schema mode), or Delegated Administrator Console or Utility (for Schema version 2).
Each domain LDAP entry specifies access permissions in ACEs, which are defined in the domainAccess parameter of the icsExtendedDomainPrefs attribute. Two different ways to allow external domains to search this domain are:
The construction of ACIs is explained more fully in 1.8 Access Control for Calendar Server Version 6.3.
This can be done three ways:
Using ldapmodify, create the following ACE string in the domainAccess preference of the icsExtendedDomainPrefs:
@domain_being_allowed^a^lsfr^g
Form the ACE by specifying the domain allowed to search this domain, followed by sufficient permissions to allow the search.
Only one instance of the domainAccess property is allowed. If you change the value using ldapmodify, you must ensure that you do not inadvertently create a duplicate of this property.
The system reads the ics.conf file sequentially and honors the last value it finds for a parameter. For LDAP entries, by contrast, the system uses the first instance it finds. Because the LDAP search mechanism does not guarantee that the entry contents are served in any specific order, an older version of the property might be retrieved first, and Calendar Server software would not look any further.
Using Delegated Administrator Utility command commadmin domain modify, add ACE strings specifying the domainAccess preference in icsExtendedDomainPrefs attribute.
For example, in a Schema version 2 environment, sesta.com allows searches from siroe.com:
commadmin domain modify -D admin -w adminpassword -X hostmachine_1 -d sesta.com -A +icsextendeddomainprefs:"domainAccess=@@d^a^slfrwd^g; @siroe.com^a^lsfrwd^g;anonymous^a^r^g;@^a^s^g"
Using Delegated Administrator Console, when creating or editing an organization's properties, you can add domains to the Allow Invitations From Users in These Organizations list.
This updates the domainAccess preference in the icsExtendedDomainPrefs attribute.
While you can specify the exact permissions given to the domains in the first two methods just listed, the last one, using the Delegated Administrator Console, does not allow the administrator as much control. The list of permissions is preset. The permissions given are: free-busy access, and event scheduling access. The user can't see event details unless the owner of that calendar has set permissions to allow all users to read it.
There are three ways to allow all external domains to search this domain:
Using ldapmodify, create the following ACE string in the domainAccess preference of the icsExtendedDomainPrefs:
@^a^slfr^g
Form the ACE by specifying that all domains have sufficient access to perform searches.
Using Delegated Administrator Utility command commadmin domain modify, add ACE strings specifying the domainAccess preference in icsExtendedDomainPrefs attribute.
For example, in a Schema version 2 environment, sesta.com allows searches by all domains:
commadmin domain modify -D admin -w adminpassword -X hostmachine_1 -d sesta.com -A +icsextendeddomainprefs:"domainAccess=@@d^a^slfrwd^g; anonymous^a^r^g;@^a^slfr^g"
The characters @@d refer to the domain of the primary owner.
Using Delegated Administrator Console, when creating or editing an organization's properties, you can add domains to the Allow Invitations From Users in These Organizations list.
This updates the domainAccess preference in the icsExtendedDomainPrefs attribute.
While you can specify the exact permissions given to the domains in the first two methods just listed, the last one, using the Delegated Administrator Console, does not allow the administrator as much control. The list of permissions is preset. The permissions given are: free-busy access, and event scheduling access. The user can't see event details unless the owner of that calendar has set permissions to allow all users to read it.
This section contains instructions for adding names of domains to be searched.
There are three ways to add external domains to be searched by this domain:
Using ldapmodify, add one instance of icsDomainNames for each external domain that can be searched by users in this domain.
For example, sesta.com searches in both siroe.com and example.com when performing cross domain searches. Use ldapmodify (for either Schema version 1 or Schema version 2) to create the following LDIF:
dn: dc=sesta, dc=com, o=internet
changetype: modify
add: icsDomainNames
icsDomainNames:siroe.com
icsDomainNames:example.com
Using Delegated Administrator Utility command commadmin domain modify, specify the option -A to add names of domains to be searched.
For example:
commadmin domain modify -D admin -w adminpassword -X hostmachine_1 -d sesta.com -A +icsDomainNames:siroe.com -A +icsDomainNames:example.com
Using Delegated Administrator Console, when creating or editing an organization's properties, you can add domains to the Invite Calendars in These Organizations list.
This adds icsDomainNames attributes to the domain LDAP entry. Add one attribute for each external domain to be searched when users in this domain send invitations to an event.
For more information, see the Delegated Administrator Console online help.
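The two tasks above have to agree: each domain named in an entry's icsDomainNames must admit the searching domain in its own domainAccess, and domainAccess must appear only once per entry. The following added example (not part of the original guide or of Calendar Server) audits an LDIF export for both conditions. The sample entries, the function names, the who^what^how^grant reading of an ACE, the use of the DN's dc= components as the domain name, and the use of the letters lsfr from the page's ACE strings as the required search permissions are assumptions.

```python
import re
# Constructed sample export of two domain entries (illustrative, not from a real directory).
SAMPLE_LDIF = """\
dn: dc=sesta, dc=com, o=internet
icsDomainNames: siroe.com
icsDomainNames: example.com
icsExtendedDomainPrefs: domainAccess=@@d^a^slfrwd^g;@siroe.com^a^lsfrwd^g;
 anonymous^a^r^g;@^a^s^g

dn: dc=siroe, dc=com, o=internet
icsExtendedDomainPrefs: domainAccess=@@d^a^slfrwd^g;anonymous^a^r^g
icsExtendedDomainPrefs: domainAccess=@@d^a^slfrwd^g;@sesta.com^a^lsfr^g
"""
SEARCH_PERMS = set("lsfr")  # assumption: the letters carried by the page's search ACEs

def parse_entries(ldif):
    """Return {domain: {attr_lower: [values]}}, unfolding LDIF continuation lines."""
    entries = {}
    for block in re.split(r"\n\s*\n", ldif.replace("\n ", "").strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        # Assumption: the domain name is the dc= components of the DN, joined by dots.
        entries[".".join(re.findall(r"dc=([^,\s]+)", attrs["dn"][0], re.I))] = attrs
    return entries

def access_instances(attrs):
    """Each domainAccess instance as a list of ACEs split into who/what/how/grant."""
    values = [v.split("=", 1)[1] for v in attrs.get("icsextendeddomainprefs", [])
              if v.lower().startswith("domainaccess=")]
    return [[a.strip().split("^") for a in v.split(";") if a.strip()] for v in values]

def admits(aces, searcher):
    """True if a grant ACE for @searcher or @ (all domains) has every search letter."""
    return any(len(a) == 4 and a[0] in ("@" + searcher, "@") and a[3] == "g"
               and SEARCH_PERMS <= set(a[2]) for a in aces)

def audit(ldif):
    """Report duplicate domainAccess properties and one-sided search configuration."""
    entries, findings = parse_entries(ldif), []
    for domain, attrs in entries.items():
        if len(access_instances(attrs)) > 1:
            findings.append(f"{domain}: duplicate domainAccess, value read is unpredictable")
        for target in attrs.get("icsdomainnames", []):
            inst = access_instances(entries.get(target, {}))
            if not inst or not all(admits(i, domain) for i in inst):
                findings.append(f"{domain} -> {target}: not admitted by every instance (or no entry)")
    return findings
```

A target counts as configured only when every domainAccess instance admits the searcher, because the server may read any one of the duplicates.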