Tiny Deathstars of Foulness

Configuring Calendar Server in Yosemite Server is a fairly simple and straight forward process. The Calendar Server is a CalDAV Server, leveraging HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in Yosemite Server, open the Server application and click on Calendar in the SERVICES section of the sidebar.


Once open, click on Edit to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button.


At the Configure Server Email Address screen, provide the type of incoming mail service in use, provide the address of the mail server and then the port number used, if not a standard port for HTTPS-based IMAP (or POP if you’d prefer), the user name and the valid password for the account. Then click on the Next button.


At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button.


At the Mail Account Summary screen, review the settings and if correct, click Finish. Back at the service configuration screen, click on the plus sign (“+”) and provide a type of location, an address, a delegate, a name for the location, whether or not invitations to the resource are accepted and then enter the account name for any accounts that can manage the location’s calendar (they will auto-complete, so there’s no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in type to configure a resource instead of a location. The two are the same, except the Type field.


There are a number of settings that can also be configured. But those are exposed only at the command line. To configure them, open the command line and then review the list of Calendar service settings using the list option of the serveradmin command:

sudo serveradmin settings calendar

There are a number of settings for the Calendar service, including the following:

calendar:SSLCertificate = "/etc/certificates/Server Fallback SSL Certificate.11C002258ECABBFB37846C9B0CEA59391D4759AD.cert.pem"
calendar:EnableCalDAV = yes
calendar:Notifications:Services:APNS:CardDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/"
calendar:Notifications:Services:APNS:CardDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/"
calendar:Notifications:Services:APNS:CardDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/"
calendar:Notifications:Services:APNS:CalDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/"
calendar:Notifications:Services:APNS:CalDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/"
calendar:Notifications:Services:APNS:CalDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/"
calendar:Notifications:Services:APNS:Enabled = yes
calendar:SSLAuthorityChain = "/etc/certificates/Server Fallback SSL Certificate.11C002258ECABBFB37846C9B0CEA59391D4759AD.chain.pem"
calendar:DefaultLogLevel = "warn"
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:Enabled = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Wiki:Enabled = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:ServerHostName = ""
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Server = ""
calendar:Scheduling:iMIP:Sending:Address = ""
calendar:Scheduling:iMIP:Sending:Username = "admin"
calendar:Scheduling:iMIP:Sending:Password = "Mitroae123"
calendar:Scheduling:iMIP:Sending:Port = 465
calendar:Scheduling:iMIP:Enabled = yes
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:Scheduling:iMIP:Receiving:Server = ""
calendar:Scheduling:iMIP:Receiving:Type = "imap"
calendar:Scheduling:iMIP:Receiving:Username = "krypted"
calendar:Scheduling:iMIP:Receiving:Password = "Mitroae123"
calendar:Scheduling:iMIP:Receiving:Port = 993
calendar:DataRoot = "/Library/Server/Calendar and Contacts/Data"
calendar:EnableCardDAV = no
calendar:SSLPort = 8443
calendar:LogLevels = _empty_dictionary
calendar:DirectoryAddressBook:params:queryUserRecords = no
calendar:DirectoryAddressBook:params:queryPeopleRecords = no
calendar:SSLPrivateKey = "/etc/certificates/Server Fallback SSL Certificate.11C002258ECABBFB37846C9B0CEA59391D4759AD.key.pem"
calendar:EnableSSL = yes
calendar:RedirectHTTPToHTTPS = yes
calendar:EnableAPNS = yes
calendar:EnableSearchAddressBook = no
calendar:HTTPPort = 8008

One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP:

sudo serveradmin settings calendar:HTTPPort = 8008


sudo serveradmin settings calendar:SSLPort = 8443

You can then start the service using the start option:

sudo serveradmin start calendar

Or to stop it:

sudo serveradmin stop calendar

Or to get the status:

sudo serveradmin fullstatus calendar

Full status indicates that the three services are running:

calendar:readWriteSettingsVersion = 1
calendar:setStateVersion = 1
calendar:state = "RUNNING"
calendar:contactsState = "RUNNING"
calendar:calendarState = "RUNNING"

Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application and click on the Calendar menu and select Preferences. From the Preferences screen, click on Accounts to bring up a list of accounts. Here, click on the plus sign (“+”) to bring up the “Add an Account” screen.


At the “Add an Account” screen, select Add CalDAV Account.


CalDAV from the Account Type menu and then enter the User Name and password configured on the server, and add the address of the server if you don’t have any service records pointing to the server. The User Name is usually the name provided in Server app, followed by @ and then the address of the server.


Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account and then to share a calendar, right-click on the calendar and click on Share Calendar…


At the Share Calendar screen, provide the name the calendar should appear as to others and click on the plus sign (“+”) and enter any accounts to delegate administration to.


Back at the Calendar Settings screen, use the settings to configure Availability and refresh rate of calendars, as seen above. Click on Server Settings to assign custom port numbers.


Click on the Delegation tab to view any accounts you’ve been given access to.


Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions.

Overall, the Calendar service in Yosemite Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, dedistributes administration, often making administration more complicated than with many other tools. But that’s a good thing; no one wants to access other peoples accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…

October 16th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , , , , ,

The 10.7.2 to 10.7.3 update for Lion Server has introduced a few issues in some environments that I’ve seen. It just so happens that the update corrects a lot of behavior with Lion Server while also introducing new features, so it’s something you’re gonna’ need to do eventually. Therefore, before I update, I would strongly recommend backing up all of your services, your service data and Open Directory.

Once you’ve run the 10.7.3 update, there are a few things that I’ve seen happen. The first is that the web server won’t start. If this happens, reset the web server back to factory default:

serveradmin command web:command=restoreFactorySettings

Once it’s reset, you should be able to import any data that was backed up before and get things back to normal. The second is calendar data. On a few different systems I’ve seen users have to nuke iCal and then reimport data. To nuke and pave iCal, see this post: Once iCal Server has been restored to full working order (after the last step in that article) you can use psql to restore your data from the location of your backups (here called /backup/caldav.sql):

psql -U _postgres -d caldav -f /backup/caldav.sql

There’s also a script located in /usr/share/caldavd/lib/python/calendarserver/tools
called fix that can be used to scan and possibly fix any issues with the data itself. If that doesn’t not work though, you may be starting over. The script does not give root execute permissions by default and so you will need to chmod it to provide execute and then run it.

If you nuke CalDAV and you nuke OD and then restore them both, the GeneratedUIDs can be mismatched. Use the Directory Editor in the new Directory Utility to browse users and attach the GeneratedUID back to the correct entry in CalDAV. To locate all of the entries in CalDAV, run:

psql -U _postgres caldav -c “select * from calendar_home"

If Profile Manager won’t load it could be one of three issues (in the following order seemingly). The first is the web server, which the first command will fix. Another issue I’ve seen is that Open Directory gets a little messed up. The fix for this is to use Server Admin (not slapconfig) to burn OD down and set it back up. You can then promote replicas and finally restore the archive you did before upgrading the server. The third is to reset the Profile Manager database using

sudo /usr/share/devicemgr/backend/

After wiping the data, you can re-run the setup in Server app for the Profile Manager service to restore an empty Profile Manager instance to working order. You can restore data into the empty Profile Manager database using the same commands I showed earlier for CalDAV, just use devicemgrd instead.

Note: I am pretty sure you need sudo for most every command I use on this site, but more specifically you need it with this stuff. So sudo is assumed if not explicitly stated.

Finally, be on the lookout for custom designs in the Wiki interface. OS updates are known to change things, but more specifically when things are not documented they can easily change. Hacking the pages nested within /usr/share/collabd is basically not supported any more. Each OS update to 10.7 has broken some of the hacks we’ve done to collabd, making me wonder whether it’s a good idea any more…

Note2: I have had little issues running these updates in walled gardens. It’s production data that is the problem. It seems that most of the issues are data driven (the opposite of data driven design is not devops driven design).

March 6th, 2012

Posted In: Mac OS X Server

Tags: , , , , , , , , , , , , , , ,