This information describes the tasks that you use to administer shared folders. See "Shared Folders Overview" for conceptual information.
A private shared folder is a normal folder, created by users in the same way that they create other folders. A folder becomes "shared" when its owner grants access rights to other users or groups. Methods to manage folder access include:
- Many IMAP clients
- Convergence web client
- Oracle Communications Messaging Server "readership" command, for mail administrators
Table 61-1 explains the msconfig options that pertain to private shared folders:
Table 61-1 Disabling Quota Enforcement
msconfig Option | Description | Default |
---|---|---|
store.privatesharedfolders.restrictanyone | If enabled (1), disallows regular users from setting the permission on private shared folders to anyone. | 0 |
store.privatesharedfolders.restrictdomain | If enabled (1), disallows regular users from sharing private folders with users outside of their domain. | 0 |
store.privatesharedfolders.shareflags | If disabled (0), users of a shared folder have their own set of flags (for example, seen, deleted, and so on) for messages in that folder. If enabled (1), a single set of flags is shared between all users of each shared folder. | 0 |
Public shared folders must be created by the mail administrator because they require access to the LDAP database as well as the "readership" and "mboxutil" commands.
1. Set the userid for public shared folders. The store.publicsharedfolders.user option specifies the userid that acts as a container for all public shared folders (see "Shared Folders Overview"). Typically, this is simply public. The default is NULL (unset).
   msconfig set store.publicsharedfolders.user public
2. Create an LDAP entry for that user. The uid must match the value specified by store.publicsharedfolders.user, for example:
   dn: cn=public,ou=people,o=example.com,o=ISP
   objectClass: person
   objectClass: organizationalPerson
   objectClass: inetOrgPerson
   objectClass: inetUser
   objectClass: ipUser
   objectClass: inetMailUser
   objectClass: inetLocalMailRecipient
   objectClass: nsManagedPerson
   objectClass: userPresenceProfile
   cn: public
   mail: public@example.com
   mailDeliveryOption: mailbox
   mailHost: manatee.example.org
   uid: public
   inetUserStatus: active
   mailUserStatus: active
   mailQuota: -1
   mailMsgQuota: 100
3. Create folders within the public account by using the "mboxutil" command, for example:
   mboxutil -c user/public/gardening
4. Use the "readership" command to grant rights that allow users to access the folder. For example, the following command gives everyone in the example.com domain lookup, read, and posting access to the public folder gardening:
   readership -s user/public/gardening anyone@example.com lrp
   The name anyone@domain is a special case that designates all users in the specified domain. It does not correspond to any user or group definition in LDAP. The name anyone without a domain indicates anyone in any domain. The following command grants the user whose uid is kelly the same access rights as the owner of the folder:
   readership -s user/public/gardening kelly@example.com lrswipcdan
For individual users, you only need to supply a domain name with hosted domains. Do not use a domain name if the user to whom access is being granted is in the default domain.
See the "readership" command for a list of the "ACL Rights Characters" and their meanings.
In the previous examples, "ACL Rights Characters" have been granted to individual users or to the special case names anyone or anyone@<domain>. You can also grant rights based on group membership. Members of such a group are identified by having the aclGroupAddr attribute. For more information on the aclGroupAddr attribute, see the Schema Reference.
For example, a group called tennis@example.com has 25 members and the members have decided that they would like to create a shared folder to store all email going to this group address and to allow members of the group to access that shared folder.
The mail administrator uses the "readership" command to grant group access rights. A group name is distinguished from individual user names by the prefix "group=".
1. Create the folder. In this example, the team decided to use a private shared folder. The user gregk could have created the folder by using a mail client, or the mail administrator could have created it by using the "mboxutil" command, for example:
   mboxutil -c user/gregk/gardening
   If the team were using a public shared folder, the mail administrator would have had to create it:
   mboxutil -c user/public/gardening
2. Use the "readership" command to grant lookup, read, and posting access privileges to the group:
   readership -s user/gregk/gardening group=tennis@example.com lrp
3. Assign group membership to the individual users. For the purpose of folder access control, group membership is determined by the aclGroupAddr attribute on the LDAP entry of the individual users. Add the attribute-value pair aclGroupAddr=<group-name> to the user entry of every member of the group, for example:
   aclGroupAddr: tennis@example.com
To create group objects in LDAP, you could use the aclGroupAddr attribute as the basis for a dynamic group, for example:
memberURL: ldap:///o=example.com??sub?(&(aclGroupAddr=tennis@example.com)(objectclass=inetmailuser))
However, note that the LDAP group object with mail address tennis@example.com is not used for determining group membership for the purpose of shared folder access. What matters is that the "xxx" value in group=xxx on the readership command matches the value of the aclGroupAddr attribute on the user's LDAP object.
Also note that if you use the aclGroupAddr attribute as the criteria for a dynamic group, you should check to make sure that attribute is indexed properly for such lookups.
Users can set or change the access control for a shared folder by using Convergence. Administrators can set or change the access control for a shared folder using the "readership" command line utility. The command has the following form:
readership -s <foldername> <identifier> <rights_chars>
where foldername is the name of the folder for which you are setting rights, identifier is the person or group to whom you are assigning the rights, and rights_chars are the rights you are assigning. For the meaning of each character, see Table 61-3, "readership Options".
Note:
anyone is a special identifier. The access rights for anyone apply to all users. Similarly, the access rights for anyone@domain apply to all users in the same domain. For the identifier, only supply a domain name with hosted domains. Do not use a domain name if the folder is in the default domain.
To assign everyone in the example domain lookup, read, and email marking (but not posting) access to the public folder called golftournament, type the following command:
readership -s user/public/golftournament anyone@example lwr
To assign the same access to everyone on the message store type the following command:
readership -s user/public/golftournament anyone lwr
To assign lookup, read, email marking, and posting rights to a group, type the following command:
readership -s user/public/golftournament group=golf@example.com lwrp
If you want to assign administrator and posting rights for this folder to an individual, jdoe, type the following command:
readership -s user/public/golftournament jdoe@example.com lwrpa
To deny an individual or group access to a public folder, prefix the userid with a dash. For example, to deny lookup, read, and write rights to jsmith, type the following command:
readership -s user/public/golftournament -jsmith@example.com lwr
To deny an individual or group an access right, prefix the ACL rights character with a dash. For example, to deny posting rights to jsmith, type the following command:
readership -s user/public/golftournament jsmith@example.com -p
To remove an individual or group access right setting from a folder, set it to an empty set. This is different from an ACL to deny access:
readership -s user/public/golftournament jsmith@example.com ""
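The examples above show five kinds of change an administrator can make with readership -s: grant to anyone@domain, grant to a group, grant to a user, deny a user (identifier prefixed with a dash), deny a single right (rights character prefixed with a dash), and removal of an entry (empty set). The following added example, which is not Messaging Server code and not part of this page, models those entries in Python so you can validate a planned change before running it and see what rights a given user would end up with. It assumes the valid rights characters are the ones this page shows (lrswipcdan), and it combines entries by unioning matching positive entries and subtracting matching denials, the rule IMAP ACL (RFC 4314) uses; the page itself does not state the store's precedence rule, so treat the effective-rights output as a model. The check_private_share function applies the two store.privatesharedfolders restrict options from Table 61-1 to a grant made by a regular user; the owner and identifier values are constructed.

```python
"""Pre-check and effective-rights model for readership ACL changes.

Added example, not Messaging Server code. Assumptions: the valid rights
characters are "lrswipcdan" (as shown on the page); rights from matching
positive entries are unioned and rights from matching denials (a "-ident"
entry or a "-p" style right) are subtracted, as in RFC 4314.
"""
import re

RIGHTS_CHARS = "lrswipcdan"  # canonical order, as listed on the page
IDENT_RE = re.compile(r"^-?(group=)?[A-Za-z0-9._+-]+(@[A-Za-z0-9.-]+)?$")


def invalid_rights_chars(rights):
    """Return the characters of a rights string that are not valid rights.

    A leading '-' (deny these rights) is allowed; '' (remove the entry) is valid.
    """
    body = rights[1:] if rights.startswith("-") else rights
    return "".join(sorted(set(body) - set(RIGHTS_CHARS)))


def readership_command(folder, identifier, rights):
    """Render the readership invocation; an empty set is passed as ""."""
    shown = rights if rights else '""'
    return f"readership -s {folder} {identifier} {shown}"


def check_private_share(owner, identifier, restrictanyone=0, restrictdomain=0):
    """Apply store.privatesharedfolders.restrictanyone / restrictdomain to a
    grant a regular user makes on a private folder (values constructed by the
    caller). Returns a refusal reason, or None when the grant is allowed."""
    ident = identifier.lstrip("-")
    if ident.startswith("group="):
        return None  # neither option on the page speaks to group= grants
    name, _, domain = ident.partition("@")
    if restrictanyone and name == "anyone" and not domain:
        return "restrictanyone: granting to 'anyone' (all domains) is disallowed"
    owner_domain = owner.partition("@")[2]
    if restrictdomain and domain != owner_domain:
        return f"restrictdomain: cannot share outside domain '{owner_domain}'"
    return None


class FolderAcl:
    """ACL entries as the page describes them: identifier -> (allowed, denied)."""

    def __init__(self):
        self.entries = {}

    def apply(self, identifier, rights):
        """Apply one 'readership -s <folder> <identifier> <rights>' change."""
        if not IDENT_RE.match(identifier):
            raise ValueError(f"malformed identifier {identifier!r}")
        bad = invalid_rights_chars(rights)
        if bad:
            raise ValueError(f"unknown rights characters {bad!r}")
        if rights == "":  # empty set: drop the entry entirely
            self.entries.pop(identifier, None)
            return self
        allowed, denied = self.entries.setdefault(identifier, (set(), set()))
        if rights.startswith("-"):  # "-p": deny these rights for this identifier
            denied.update(rights[1:])
            allowed.difference_update(rights[1:])
        else:  # "lwr": set this identifier's rights outright
            allowed.clear()
            allowed.update(rights)
            denied.difference_update(rights)
        return self

    def effective_rights(self, user, groups=()):
        """Rights a user ends up with, given the aclGroupAddr values on their entry."""
        domain = user.partition("@")[2]
        matching = {user, "anyone"} | {f"group={g}" for g in groups}
        if domain:
            matching.add(f"anyone@{domain}")
        allowed, denied = set(), set()
        for ident, (allow, deny) in self.entries.items():
            if ident.lstrip("-") not in matching:
                continue
            if ident.startswith("-"):  # "-jsmith@...": the whole entry is a denial
                denied |= allow
            else:
                allowed |= allow
                denied |= deny
        return "".join(c for c in RIGHTS_CHARS if c in allowed - denied)


if __name__ == "__main__":
    acl = FolderAcl()
    changes = [("anyone@example.com", "lwr"), ("group=golf@example.com", "lwrp"),
               ("jdoe@example.com", "lwrpa"), ("-jsmith@example.com", "lwr"),
               ("jsmith@example.com", "-p")]
    for ident, rights in changes:
        print(readership_command("user/public/golftournament", ident, rights))
        acl.apply(ident, rights)
    print("jdoe:", acl.effective_rights("jdoe@example.com"))
    print("jsmith (golf member):", acl.effective_rights("jsmith@example.com", ["golf@example.com"]))
```

Run the module directly to print the five commands from the examples above followed by the modelled outcome: jdoe holds lrwpa, while jsmith, despite being a member of golf@example.com, holds nothing because the negative entry and the -p denial cancel the group grant. Pass a user's aclGroupAddr values as the groups argument; the store matches group= entries against that attribute, not against the LDAP group object.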
Note:
Posting messages to a shared folder by using the uid+folder@domain address requires that the p (post) access right be granted with the readership command. See "To Set or Change a Shared Folder's Access Control Rights."
Use the store.sharedfolders option to enable or disable listing of shared folders when responding to an IMAP LIST command. Setting the option to 0 disables it. The option is enabled by default (set to 1). SELECT and LSUB commands are not affected by this option. The LSUB command returns every subscribed folder, including shared folders. Users can SELECT the shared folders they own or are subscribed to.
Normally, shared folders are only available to users on a particular message store. Messaging Server, however, enables you to create distributed shared folders that can be accessed across multiple message stores. That is, access rights to distributed shared folders can be granted to any users within the group of message stores. However, web mail clients do not support remote shared folders access. Users can list and subscribe to the folders, but they cannot view or alter the contents.
Distributed shared folders require the following:
- Every message store userid must be unique across the group of message stores.
- The directory data across the deployment must be identical.
- The remote message stores (that is, the message stores that do not hold the shared folder) must be configured as proxy servers by setting the configuration variables listed in Table 61-2.
Table 61-2 Variables for Configuring Distributed Shared Folders
Name | Value | Data Format |
---|---|---|
base.proxyserverlist | Message store server list to list shared folders from | space-separated strings |
base.proxyadmin | Default store admin login name | string |
base.proxyadminpass | Default store admin password | string |
proxy:hostname.imapadmin | Store admin login name for a specific host if different from base.proxyadmin | string |
proxy:hostname.imapadminpass | Store admin password for a specific host if different from base.proxyadminpass | string |
The following figure shows a distributed folder example of three message store servers called StoreServer1, StoreServer2, and StoreServer3.
Figure 61-1 Distributed Shared Folders-Example
These servers are connected to each other as peer proxy message stores by setting the appropriate msconfig options. Each server has a private shared folder: golf (owned by Han), tennis (owned by Kat), and hurling (owned by Luke). In addition, there are two public shared folders called press_releases and Announcements. Users on any of the three servers can access any of these three shared folders.
The following example shows the ACLs for each server in this configuration.
$ StoreServer1 :> imcheck -d lright.db
Ed: user/Han/golf
Ian: user/Han/golf
anyone: user/public/press_releases

$ StoreServer2 :> imcheck -d lright.db
Jan: user/Kat/tennis
Ann: user/Kat/tennis
anyone: user/public+Announcements user/public+press_releases

$ StoreServer3 :> imcheck -d lright.db
Tuck: user/Ian/hurling
Ed: user/Ian/hurling
Jac: user/Ian/hurling
anyone: user/public/Announcements
The readership command-line utility enables you to monitor and maintain shared folder data which is held in the folder.db, peruser.db, and lright.db files. folder.db has a record for each folder that holds a copy of the ACLs. The peruser.db has an entry per user and mailbox that lists the various flags settings and the last date the user accessed any folders. The lright.db has a list of all the users and the shared folders for which they have lookup rights.
The readership command-line utility takes the following options:
Options | Description |
---|---|
-d days | Returns a report, per shared folder, of the number of users who have selected the folder within the specified days. |
-p months | Removes data from the peruser.db for those users who have not selected their shared folders within the specified months. |
-l | Lists the data in lright.db. |
-s folder identifier rights | Sets access rights for the specified folder. This updates the lright.db as well as the folder.db. |
Using the various options, you can perform the following functions:
To find out how many users are actively accessing shared folders, use the following command:
readership -d <days>
where days is the number of days to check. Note that this option returns the number of active users, not a list of the active users.
Example: To find out the number of users who have selected shared folders within the last 30 days:
readership -d 30
To list users and the shared folders to which they have access, use the following command:
imcheck -d lright.db
Example output:
$ imcheck -d lright.db
group=lee-staff@example.org: user/user2/lee-staff
richb: user/golf user/user10/Drafts user/user2/lee-staff user/user10/Trash
han1: user/public+hurling@example.org user/golf
gregk: user/public+hurling@example.org user/heaving user/tennis
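The lright.db dump is organised by identifier, which answers "what can this user see" but not the question an access review usually asks: "who can see this folder, and is any folder exposed to anyone in every domain". The following added example, which is not Messaging Server code and not part of this page, parses the dump format shown above and inverts it per folder. It assumes the one-line-per-identifier format exactly as printed by imcheck -d lright.db on this page; the two embedded samples are constructed from the page's own example output (the dump above and StoreServer1 from the distributed shared folder example).

```python
"""Audit helper for an 'imcheck -d lright.db' dump.

Added example, not Messaging Server code. Assumes the dump format shown on
this page: one line per identifier, 'identifier: folder folder ...'.
"""
from collections import defaultdict

# Constructed sample: the lright.db dump shown on this page
SAMPLE_DUMP = """\
group=lee-staff@example.org: user/user2/lee-staff
richb: user/golf user/user10/Drafts user/user2/lee-staff user/user10/Trash
han1: user/public+hurling@example.org user/golf
gregk: user/public+hurling@example.org user/heaving user/tennis
"""

# Constructed sample: StoreServer1 from the distributed shared folder example
STORE1_DUMP = """\
Ed: user/Han/golf
Ian: user/Han/golf
anyone: user/public/press_releases
"""


def parse_lright(text):
    """Map identifier -> list of folders it has lookup rights on.

    Blank lines and lines without a ':' separator are skipped.
    """
    rights = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        ident, _, folders = line.partition(":")
        rights[ident.strip()] = folders.split()
    return rights


def classify(identifier):
    """Kind of identifier, using the forms the readership command accepts."""
    if identifier == "anyone":
        return "anyone"            # every user in every domain
    if identifier.startswith("anyone@"):
        return "anyone@domain"     # every user in one hosted domain
    if identifier.startswith("group="):
        return "group"             # matched via the users' aclGroupAddr attribute
    return "user"


def who_can_lookup(rights, folder):
    """Identifiers holding lookup rights on one folder, in dump order."""
    return [ident for ident, folders in rights.items() if folder in folders]


def folders_open_to_anyone(rights):
    """Folders visible to bare 'anyone', that is, to users of every domain."""
    return sorted(rights.get("anyone", []))


def audit(rights):
    """Per folder, the identifiers with lookup rights grouped by kind."""
    report = defaultdict(lambda: defaultdict(list))
    for ident, folders in rights.items():
        for folder in folders:
            report[folder][classify(ident)].append(ident)
    return {folder: dict(kinds) for folder, kinds in report.items()}


if __name__ == "__main__":
    for folder, kinds in sorted(audit(parse_lright(SAMPLE_DUMP)).items()):
        print(folder, kinds)
    print("open to anyone on StoreServer1:",
          folders_open_to_anyone(parse_lright(STORE1_DUMP)))
```

Feed it the output of imcheck -d lright.db from each message store in turn; for distributed shared folders, a user may appear on a remote store's dump even though the folder lives elsewhere, so run the audit per store rather than merging the dumps.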
If you want to remove inactive users (those who have not accessed shared and other folders in a specified time period), use the following commands:
This command writes the inactive mailboxes to a file:
mboxutil -o [-w <file>] [-t <number of days>]
This command removes the mailboxes in a given file:
mboxutil -d -f <file>
Example: Remove users who have not accessed folders for the past six months (180 days) using a file named inactive_users:
mboxutil -o -w inactive_users -t 180
mboxutil -d -f inactive_users
You can assign access rights to a new public folder, or change access rights on a current public folder.
For an example of how to set access rights with this command, see "To Set or Change a Shared Folder's Access Control Rights."