Configuring Calendar Server for Connector for Microsoft Outlook

Configuring Shared Calendar LDAP Lookup

If Directory Server requires authentication for the Shared Calendar LDAP lookup, then the service.wcap.userprefs.ldapproxyauth parameter must be set in the ics.conf file as follows:

If service.wcap.userprefs.ldapproxyauth is yes, set the appropriate LDAP ACI for the calmaster entry. For example, to set the calmaster ACI for proxy authentication for the sesta.com domain, use the ldapmodify tool as follows:

dn: o=usergroup
changetype: modify
add: aci
aci: (targetattr="icscalendar || cn || givenName || sn || uid || mail")
  (targetfilter=(|(objectClass=icscalendaruser)(objectclass=icscalendarresource)))
  (version 3.0; acl "Allow calendar administrators to proxy - product=ics,class=admin,num=2,version=1";
  allow (proxy) groupdn =
  "ldap:///cn=Calendar Administrators,ou=Groups,o=usergroup";)

For the domain basedn node, the following example shows the correct ACI:

dn: o=sesta.com,o=usergroup
changetype: modify
add: aci
aci: (targetattr="icscalendar || cn || givenName || sn || uid || mail")
  (targetfilter=(|(objectClass=icscalendaruser)(objectclass=icscalendarresource)))
  (version 3.0; acl "Allow calendar users to read and search other users - product=ics,class=admin,num=3,version=1";
  allow (search,read)
  userdn = "ldap:///uid=*, ou=People, o=sesta.com, o=usergroup";)

If there is no domain, add this ACI to the root suffix itself by removing the o=sesta.com part on the dn: line.

The above ACI may pose a security issue if restricted user information is stored in certain attributes, for example, dn, givenName, sn, uid, or mail. To restrict directory browsing to queries made from a specific Calendar Server, change the above ACI to something like:

aci: (targetattr="icscalendar || cn || givenName || sn || uid || mail")
  (targetfilter=(|(objectClass=icscalendaruser)(objectclass=icscalendarresource)))
  (version 3.0; acl "Allow calendar users to read and search other users - product=ics,class=admin,num=3,version=1";
  allow (search,read)
  (ip="192.200.2.82,127.0.0.1,192.200.2.81")and
  (userdn="ldap:///uid=*,ou=People,o=sesta.com,o=usergroup");)

The IP addresses listed in the above ACI example (192.200.2.82, 127.0.0.1, and 192.200.2.81) are the IP addresses from which the Calendar Server makes the queries.

The Calendar Server configuration program, csconfigurator.sh, adds these ACIs. If you are upgrading from Java Enterprise System 2003Q4, you must rerun the csconfigurator.sh configuration program to get these updated ACIs.
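An added example, not part of the original documentation or the product's own tooling: a Python check that unfolds an LDIF dump of aci values and flags any that grant read or search without an ip bind rule, which is the difference between the two domain ACIs shown above. The function names, the shortened ACL names and the sample dump are constructed for illustration, and only the ip= keyword is inspected.

```python
import re

# Constructed sample: the page's two domain-level ACIs as an LDIF dump, with ACL
# names shortened. Each folded line starts with a fold space; a second space is literal.
SAMPLE = '''\
dn: o=sesta.com,o=usergroup
aci: (targetattr="icscalendar || cn || givenName || sn || uid || mail")
  (targetfilter=(|(objectClass=icscalendaruser)(objectclass=icscalendarresource)))
  (version 3.0; acl "open lookup"; allow (search,read)
  userdn = "ldap:///uid=*, ou=People, o=sesta.com, o=usergroup";)
aci: (targetattr="icscalendar || cn || givenName || sn || uid || mail")
  (targetfilter=(|(objectClass=icscalendaruser)(objectclass=icscalendarresource)))
  (version 3.0; acl "pinned lookup"; allow (search,read)
  (ip="192.200.2.82,127.0.0.1,192.200.2.81")and
  (userdn="ldap:///uid=*,ou=People,o=sesta.com,o=usergroup");)
'''

def unfold(ldif):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    out = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def audit_acis(ldif):
    """Report each aci value; 'exposed' means read/search is granted with no ip= bind rule."""
    findings, dn = [], None
    for line in unfold(ldif):
        key, _, value = line.partition(":")
        if key.lower() == "dn":
            dn = value.strip()
        elif key.lower() == "aci":
            name = re.search(r'acl\s+"([^"]*)"', value)
            attrs = re.search(r'targetattr\s*!?=\s*"([^"]*)"', value)
            allow = re.search(r'allow\s*\(([^)]*)\)', value, re.I)
            rights = {r.strip().lower() for r in allow.group(1).split(",")} if allow else set()
            # Look for ip= only in the bind rules, which follow the permission.
            ip = re.search(r'\bip\s*=\s*"([^"]*)"', value[allow.end():] if allow else "")
            ips = [a.strip() for a in ip.group(1).split(",")] if ip else []
            findings.append({
                "dn": dn, "name": name.group(1) if name else None,
                "attrs": [a.strip() for a in attrs.group(1).split("||")] if attrs else [],
                "rights": rights, "ips": ips,
                "exposed": bool(rights & {"read", "search"}) and not ips})
    return findings
```

Run audit_acis over an LDIF export of the aci attribute for the usergroup suffix; entries reported as exposed are readable by any matching user from any address.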