Configure Calendar Server 7 to Use the davUniqueId Attribute

Posted by dabrain on Oracle Blogs See other posts from Oracle Blogs or by dabrain
Published on Wed, 17 Oct 2012 12:53:12 +0000 Indexed on 2012/10/17 17:11 UTC
Read the original article Hit count: 333

Filed under:

Starting with Calendar Server 7 Update 3 (Patch 08) we introduce a new attribute davUniqueId in the davEntity objectclass, to use as the unique identifier. 

The reason behind this is quite simple, the LDAP operational attribute nsUniqueId  has been chosen as the default value used for the unique identifier. It was discovered that this choice has a potential serious downside. The problem with using nsUniqueId is that if the LDAP entry for a user, group, or resource is deleted and recreated in LDAP, the new entry would receive a different nsUniqueId value from the Directory Server, causing a disconnect from the existing account in the calendar database. As a result, recreated users cannot access their existing calendars.


How To Configure Calendar Server to Use the davUniqueId Attribute?

Populate the davUniqueId to the ldap users. You can create a LDIF output file only or (-x option) directly run the ldapmodify from the populate-davuniqueid shell script.

# ./populate-davuniqueid -h localhost -p 389 -D "cn=Directory Manager" -w <passwd> -b "o=red" -O -o /tmp/out.ldif

The ldapmodify might failed like below, in that case the LDAP entry already have the 'daventity' objectclass, in those cases run populate-davuniqueid script without the -O option.

# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w <passwd> -c -f /tmp/out.ldif
modifying entry "uid=mparis,ou=People,o=vmdomain.tld,o=red"
ldapmodify: Type or value exists (20)

In this case the user 'mparis' already have the objectclass 'daventity', ldapmodify do not take care of this DN and just take the next DN (if you start ldapmodify with -c option otherwise it stop's completely)

dn: uid=mparis,ou=People,o=vmdomain.tld,o=red
changetype: modify
add: objectclass
objectclass: daventity
-
add: davuniqueid
davuniqueid: 01a2c501-af0411e1-809de373-18ff5c8d

Even run populate-davuniqueid without -O option or changing the outputfile to

dn: uid=mparis,ou=People,o=vmdomain.tld,o=red
changetype: modify
add: davuniqueid
davuniqueid: 01a2c501-af0411e1-809de373-18ff5c8d

The ldapmodify works fine now. The only issue I see here is you need verify which user might need the 'daventity' objectclass as well. On the other hand start without the objectclass and only add the objectclass for the users where you get 'Objectclass violation' report. That's indicate the objectclass is missing.

# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w <passwd> -c -f /tmp/out.ldif
modifying entry "uid=mparis,ou=People,o=vmdomain.tld,o=red"

Now it is time to change the configuration to use the davuniquid attribute

# ./davadmin config modify -o davcore.uriinfo.permanentuniqueid -v davuniqueid

It is also needed to modfiy the search filter to use davuniqueid instead of nsuniqueid

# ./davadmin config modify -o davcore.uriinfo.subjectattributes -v "cn davstore icsstatus mail mailalternateaddress davUniqueId  owner preferredlanguageuid objectclass ismemberof uniquemember memberurl mgrprfc822mailmember"

Afterward IWC Calendar works fine and my test user able to access all his old events.

© Oracle Blogs or respective owner

Related posts about /COMMS