Sun Java System Messaging Server 6.3 Administration Guide

20.6 Shared Folder Tasks

This section describes the shared folder administrator tasks:

Procedure: To Specify Sharing Attributes for Private Shared Folders

  1. Private shared folders are created by the user.

    Many mail clients support the creation of private shared folders. You can try this out on Communications Express.

  2. Set the sharing parameters for private shared folders.

    The following configutil parameters are supported:

    store.privatesharedfolders.restrictanyone - If enabled (1), regular users cannot set the permission on private shared folders to anyone. Default: 0

    store.privatesharedfolders.restrictdomain - If enabled (1), regular users cannot share private folders with users outside their domain. Default: 0

    store.privatesharedfolders.shareflags - If 0, flags cannot be shared across users. If 1, flags can be shared across users. Default: 0

    store.publicsharedfolders.user - Public shared folder owner's user ID. Typically, this is simply public. Default: NULL (unset)

    Note that with the defaults (0), any user can share a private folder with every user on the store (anyone) and with users in other domains. On a store that hosts several domains, set restrictanyone and restrictdomain to 1 unless that exposure is intended.

Procedure: To Create a Public Shared Folder

Public folders must be created by system administrators because they require access to the LDAP database as well as the readership command.

  1. Create an LDAP user entry called public that will act as a container for all public folders (see 20.5 About Shared Folders).

    Example:


    dn: cn=public,ou=people,o=sesta.com,o=ISP
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: inetUser
    objectClass: ipUser
    objectClass: inetMailUser
    objectClass: inetLocalMailRecipient
    objectClass: nsManagedPerson
    objectClass: userPresenceProfile
    cn: public
    mail: public@sesta.com
    mailDeliveryOption: mailbox
    mailHost: manatee.siroe.com
    uid: public
    inetUserStatus: active
    mailUserStatus: active
    mailQuota: -1
    mailMsgQuota: 100
  2. Create folders within the public account by using the mboxutil command line utility.

    For example, create a public folder called gardening:


    mboxutil -c user/public/gardening
  3. Set the user ID of the public shared folder owner.

    This is the store.publicsharedfolders.user parameter. Typically it is public, matching the LDAP entry created in step 1. Here is the command for setting it to public:

    configutil -o store.publicsharedfolders.user -v public

  4. Specify the users and their access rights to the shared folder.

    Use the readership command to specify users and their access rights. For example, the following command gives everyone at sesta.com lookup, read, and posting access to the public folder gardening:

    readership -s user/public/gardening anyone@sesta.com lrp

    For detailed instructions on how to use readership, see 20.6.2 To Set or Change a Shared Folder’s Access Control Rights.

20.6.1 To Add Shared Folders with an Email Group

Shared folders are typically created by adding users to a shared folder list with Communications Express, or by creating public shared folders as described earlier. Sometimes, however, users may wish to add an email group (mail distribution list) to a shared folder list so that everyone in the group will have access to the shared folder. For example, a group called tennis@sesta.com has 25 members and the members have decided that they would like to create a shared folder to store all email going to this group address.

Procedure: To Add an Email Group to a Shared Folder

Adding an email group to a shared folder requires System Administrator privileges.

  1. Create a folder. (If this has already been done, skip this step.)

    Typically this should be done by one of the members of the group. If it’s not, you can create it for them using the following command:

    mboxutil -c user/gregk/gardening

    gregk is the uid of the shared folder owner. gardening is the name of the shared folder.

  2. Add the attribute-value pair aclGroupAddr group_name@domain to the user entry of every member who will have access to the group shared folder.

    Using the example above, add the following attribute-value pair to each user entry receiving access to the shared folder:

    aclGroupAddr: tennis@sesta.com

    Note that members will already have this attribute if the group was created dynamically using the memberURL attribute in the group entry. The URL value for this attribute looks like this (it must appear on one physical line in the actual entry):


    memberURL: ldap:///o=sesta.com??sub?(&(aclGroupAddr=tennis@sesta.com)(objectclass=inetmailuser))

  3. Specify the group and the access rights to the shared folder.

    Use the readership command to do this. Using the example above, the following command gives members of tennis@sesta.com lookup, read, and posting access to the shared folder gardening owned by gregk:

    readership -s user/gregk/gardening tennis@sesta.com lrp

    For detailed instructions on how to use readership, see 20.6.2 To Set or Change a Shared Folder’s Access Control Rights.

20.6.2 To Set or Change a Shared Folder’s Access Control Rights

Users can set or change the access control for a shared folder using the Communications Express interface. Administrators can set or change the access control for a shared folder using the readership command line utility. The command has the following form:

readership -s foldername identifier rights_chars

where foldername is the name of the shared folder for which you are setting rights, identifier is the user or group to whom you are assigning the rights, and rights_chars are the rights you are assigning. For the meaning of each character, see Table 20–3.


Note –

anyone is a special identifier. The access rights for anyone apply to all users. Similarly, the access rights for anyone@domain apply to all users in the same domain.


Table 20–3 ACL Rights Characters

  Character  Description
  l          lookup: user can see and subscribe to the shared folder (IMAP commands allowed: LIST, LSUB)
  r          read: user can read the shared folder (IMAP commands allowed: SELECT, CHECK, FETCH, PARTIAL, SEARCH, COPY from the folder)
  s          seen: the user's seen state is kept across sessions (IMAP STORE of the SEEN flag)
  w          write: user can set and clear message flags other than SEEN and DELETED (IMAP STORE of flags other than SEEN and DELETED)
  i          insert: user can copy and move messages into the folder (IMAP commands allowed: APPEND, COPY into the folder)
  p          post: user can send mail to the shared folder's email address (no IMAP command involved)
  c          create: user can create new sub-folders (IMAP command allowed: CREATE)
  d          delete: user can delete messages from the shared folder (IMAP commands allowed: EXPUNGE, STORE of the DELETED flag)
  a          administer: user can change the folder's access rights (IMAP command allowed: SETACL)

20.6.2.1 Examples

If you want everyone in the sesta.com domain to have lookup, read and write (flag marking, but not posting) access to the public folder called golftournament, issue the command as follows:

readership -s user/public/golftournament anyone@sesta.com lwr

To assign the same access to everyone on the message store, issue the following:

readership -s user/public/golftournament anyone lwr

To assign lookup, read, write and posting rights to a group, issue the command as follows:

readership -s user/public/golftournament group=golf@sesta.com lwrp

To give an individual, jdoe, lookup, read, write, posting and administer rights for this folder, issue the command as follows:

readership -s user/public/golftournament jdoe@sesta.com lwrpa

To deny an individual or group access to a public folder, prefix the identifier with a dash. For example, to deny lookup, read and write rights to jsmith, issue the command as follows:

readership -s user/public/golftournament -jsmith@sesta.com lwr

To deny an individual or group a particular access right, prefix the ACL rights character with a dash. For example, to deny posting rights to jsmith, issue the command as follows:

readership -s user/public/golftournament jsmith@sesta.com -p


Note –

Posting messages to a shared folder using the uid+folder@domain address requires that the p (post) access right be used with the readership command. See 20.6.2 To Set or Change a Shared Folder’s Access Control Rights
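The following Python model of the rules in this section is an added example, not code from Messaging Server. It replays the readership commands from the examples above and works out what each user can do with the folder. It assumes that rights combine the way the IMAP ACL extension (RFC 2086) combines them, as the union of all matching positive entries minus the union of all matching negative entries, and that group= identifiers are matched against a list of group addresses (the user's aclGroupAddr values) supplied by the caller; the user names ed and ann are invented for the demonstration.

```python
"""ACL semantics of 'readership -s' as described in section 20.6.2 (an added
example, not Messaging Server code). Assumption: rights combine the way the
IMAP ACL extension (RFC 2086) combines them, i.e. the union of every matching
positive entry minus the union of every matching negative entry; group=
identifiers are matched against the group addresses the caller supplies for
the user (the user's aclGroupAddr values)."""

from __future__ import annotations

# Table 20-3: rights characters and the IMAP operations each one permits
RIGHTS = {
    "l": "lookup: LIST, LSUB",
    "r": "read: SELECT, CHECK, FETCH, PARTIAL, SEARCH, COPY from the folder",
    "s": "seen: keep SEEN state across sessions",
    "w": "write: STORE flags other than SEEN and DELETED",
    "i": "insert: APPEND, COPY into the folder",
    "p": "post: deliver mail sent to the folder address",
    "c": "create: CREATE sub-folders",
    "d": "delete: EXPUNGE, STORE DELETED flag",
    "a": "administer: SETACL",
}


def parse_rights(rights: str) -> tuple[bool, set[str]]:
    """Split a rights argument such as 'lwr' or '-p' into
    (is_negative, characters); anything outside Table 20-3 is rejected."""
    negative = rights.startswith("-")
    chars = rights[1:] if negative else rights
    unknown = set(chars) - set(RIGHTS)
    if unknown or not chars:
        raise ValueError(f"invalid rights string {rights!r}")
    return negative, set(chars)


class FolderAcl:
    """The ACL of one shared folder, built from readership -s invocations."""

    def __init__(self, folder: str) -> None:
        self.folder = folder
        self.grants: dict[str, set[str]] = {}  # identifier -> rights granted
        self.denies: dict[str, set[str]] = {}  # identifier -> rights denied

    def set_rights(self, identifier: str, rights: str) -> None:
        """Same effect as: readership -s <folder> <identifier> <rights>.
        A leading '-' on the identifier (-jsmith@sesta.com) or on the rights
        (-p) turns the entry into a denial of the listed rights."""
        negative, chars = parse_rights(rights)
        if identifier.startswith("-"):
            identifier, negative = identifier[1:], True
        table = self.denies if negative else self.grants
        table.setdefault(identifier, set()).update(chars)

    def matching_identifiers(self, user: str, groups: set[str] | None = None) -> set[str]:
        """Identifiers that apply to user (uid@domain): the user itself,
        anyone, anyone@<user's domain>, and group=<addr> for each group."""
        domain = user.partition("@")[2]
        idents = {user, "anyone", f"anyone@{domain}"}
        idents.update(f"group={g}" for g in (groups or set()))
        return idents

    def effective_rights(self, user: str, groups: set[str] | None = None) -> set[str]:
        """Rights the user ends up with once denials are subtracted."""
        allowed: set[str] = set()
        denied: set[str] = set()
        for ident in self.matching_identifiers(user, groups):
            allowed |= self.grants.get(ident, set())
            denied |= self.denies.get(ident, set())
        return allowed - denied


def golftournament_example() -> FolderAcl:
    """Replays the readership commands from the examples in 20.6.2.1."""
    acl = FolderAcl("user/public/golftournament")
    acl.set_rights("anyone@sesta.com", "lwr")        # everyone in the domain
    acl.set_rights("group=golf@sesta.com", "lwrp")   # the group may also post
    acl.set_rights("jdoe@sesta.com", "lwrpa")        # jdoe administers
    acl.set_rights("-jsmith@sesta.com", "lwr")       # jsmith loses lookup/read/write
    acl.set_rights("jsmith@sesta.com", "-p")         # and may not post either
    return acl


if __name__ == "__main__":
    acl = golftournament_example()
    # ed@sesta.com as a plain domain user, then as a golf@sesta.com member,
    # a user from another domain, and jsmith despite group membership
    # (ed and ann are invented names for the demonstration)
    for who, grp in [("ed@sesta.com", set()), ("ed@sesta.com", {"golf@sesta.com"}),
                     ("ann@siroe.com", set()), ("jsmith@sesta.com", {"golf@sesta.com"})]:
        rights = "".join(sorted(acl.effective_rights(who, grp))) or "(none)"
        print(f"{who:16} groups={sorted(grp)!s:20} -> {rights}")
```

The jsmith case is the one to check when reviewing a folder's ACL: the group grant gives lwrp, but the two negative entries remove all four rights, so membership in golf@sesta.com does not get jsmith back in. A user from another domain, such as ann@siroe.com, matches neither anyone@sesta.com nor any group and ends up with nothing, which is why anyone@domain is the safer default over a bare anyone.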


20.6.3 To Enable or Disable Listing of Shared Folders

The server will or will not return shared folders when responding to a LIST command depending on the setting in the configuration option local.store.sharedfolders. Setting the option to off disables it. The setting is enabled by default (set to on).

SELECT and LSUB commands are not affected by this option. The LSUB command returns every subscribed folder, including shared folders. Users can SELECT the shared folders they own or are subscribed to.

20.6.4 To Set Up Distributed Shared Folders

Normally shared folders are only available to users on a particular message store. Messaging Server, however, allows you to create distributed shared folders that can be accessed across multiple message stores. That is, access rights to distributed shared folders can be granted to any users within the group of message stores. Note, however, that web mail clients (HTTP access clients like Messenger Express) do not support remote shared folder access. Users can list and subscribe to the folders, but they cannot view or alter the contents.

Distributed shared folders require the following:

The remote message stores (that is the message stores that do not hold the shared folder) must be configured as proxy servers by setting the configuration variables listed in Table 20–4.

Table 20–4 Variables for Configuring Distributed Shared Folders

  Name                                     Value                                         Data Format
  local.service.proxy.serverlist           message store server list                     space-separated strings
  local.service.proxy.admin                default store admin login name                string
  local.service.proxy.adminpass            default store admin password                  string
  local.service.proxy.admin.hostname       store admin login name for a specific host    string
  local.service.proxy.adminpass.hostname   store admin password for a specific host      string

local.service.proxy.adminpass and its per-host variants hold the store administrator password in the configuration, so they deserve the same protection as any other stored credential.

20.6.4.1 Setting Up Distributed Shared Folders—Example

Figure 20–3 shows a distributed folder example of three message store servers called StoreServer1, StoreServer2, and StoreServer3.

Figure 20–3 Distributed Shared Folders—Example

Graphic shows example of distributed shared folders.

These servers are connected to each other as peer proxy message stores by setting the variables shown in Table 20–4. Each server has a private shared folder: golf (owned by Han), tennis (owned by Kat), and hurling (owned by Ian). In addition there are two public shared folders called press_releases and Announcements. Users on any of the three servers can access any of these shared folders. Figure 20–2 shows Ed's shared folder list. Below is an example of the ACLs for each server in this configuration.


$ StoreServer1 :> imcheck -d lright.db
Ed: user/Han/golf 
Ian: user/Han/golf 
anyone: user/public/press_releases


$ StoreServer2 :> imcheck -d lright.db
Jan: user/Kat/tennis
Ann: user/Kat/tennis
anyone: user/public+Announcements user/public+press_releases


$ StoreServer3 :> imcheck -d lright.db
Tuck: user/Ian/hurling
Ed: user/Ian/hurling 
Jac: user/Ian/hurling 
anyone: user/public/Announcements


20.6.5 To Monitor and Maintain Shared Folder Data

The readership command line utility allows you to monitor and maintain shared folder data which is held in the folder.db, peruser.db, and lright.db files. folder.db has a record for each folder that holds a copy of the ACLs. The peruser.db has an entry per user and mailbox that lists the various flags settings and the last date the user accessed any folders. The lright.db has a list of all the users and the shared folders for which they have lookup rights.

The readership command line utility takes the following options:

Table 20–5 readership Options

  Option                         Description
  -d days                        Returns a report, per shared folder, of the number of users who have selected the folder within the specified number of days.
  -p months                      Removes from peruser.db the data of users who have not selected their shared folders within the specified number of months.
  -l                             Lists the data in lright.db.
  -s folder identifier rights    Sets access rights for the specified folder. This updates lright.db as well as folder.db.

Using the various options, you can perform the following functions:

20.6.5.1 To Monitor Shared Folder Usage

To find out how many users are actively accessing shared folders, issue the command:

readership -d days

where days is the number of days to check. Note that this option returns the number of active users, not a list of the active users.

Example: To find out the number of users who have selected shared folders within the last 30 days, issue the following command:

readership -d 30

20.6.5.2 To List Users and Their Shared Folders

To list users and the shared folders to which they have access, issue the command:

imcheck -d lright.db

Example output:

$ imcheck -d lright.db
group=lee-staff@siroe.com: user/user2/lee-staff
richb: user/golf user/user10/Drafts user/user2/lee-staff user/user10/Trash
han1: user/public+hurling@siroe.com user/golf
gregk: user/public+hurling@siroe.com user/heaving user/tennis
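The following script is an added example, not a Messaging Server utility. It parses the imcheck -d lright.db output shown above, plus the anyone entries from the distributed shared folder example in 20.6.4.1, embedded here as constructed sample input, and inverts the per-user listing into a per-folder view so that folders visible to anyone or anyone@domain stand out. It assumes that the uid+folder@domain spelling and the user/uid/folder spelling refer to the same folder, as the ACL listings in 20.6.4.1 suggest, and normalises both to user/uid/folder.

```python
"""Per-folder view of 'imcheck -d lright.db' output (an added example, not a
Messaging Server tool). Assumption: user/public+hurling@siroe.com and
user/public/hurling name the same folder, so both are normalised to the
user/uid/folder form before the listing is inverted."""

from __future__ import annotations
from collections import defaultdict

# Constructed sample: the dump shown in 20.6.5.2, plus an 'anyone' line
# taken from the StoreServer2 listing in 20.6.4.1.
SAMPLE_DUMP = """\
$ imcheck -d lright.db
group=lee-staff@siroe.com: user/user2/lee-staff
richb: user/golf user/user10/Drafts user/user2/lee-staff user/user10/Trash
han1: user/public+hurling@siroe.com user/golf
gregk: user/public+hurling@siroe.com user/heaving user/tennis
anyone: user/public+Announcements user/public+press_releases
"""


def normalise_folder(name: str) -> str:
    """user/public+hurling@siroe.com -> user/public/hurling; other names unchanged."""
    head, plus, rest = name.partition("+")
    if not plus:
        return name
    folder = rest.partition("@")[0]   # drop the owner's domain suffix, if any
    return f"{head}/{folder}"


def parse_lright(dump: str) -> dict[str, list[str]]:
    """identifier -> folders on which it holds lookup rights."""
    rights: dict[str, list[str]] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("$") or ":" not in line:
            continue                    # shell prompt line or blank
        ident, _, folders = line.partition(":")
        rights[ident.strip()] = [normalise_folder(f) for f in folders.split()]
    return rights


def folders_by_identifier(rights: dict[str, list[str]]) -> dict[str, list[str]]:
    """Invert to folder -> sorted identifiers that can see it."""
    inv: dict[str, set[str]] = defaultdict(set)
    for ident, folders in rights.items():
        for folder in folders:
            inv[folder].add(ident)
    return {folder: sorted(ids) for folder, ids in inv.items()}


def classify(identifier: str) -> str:
    """Human-readable scope of an lright.db identifier."""
    if identifier == "anyone":
        return "everyone on the store"
    if identifier.startswith("anyone@"):
        return "everyone in " + identifier[len("anyone@"):]
    if identifier.startswith("group="):
        return "group " + identifier[len("group="):]
    return "user"


def exposed_folders(rights: dict[str, list[str]]) -> dict[str, list[str]]:
    """Folders with lookup rights for anyone or anyone@domain: review these first."""
    return {folder: ids for folder, ids in folders_by_identifier(rights).items()
            if any(i == "anyone" or i.startswith("anyone@") for i in ids)}


if __name__ == "__main__":
    rights = parse_lright(SAMPLE_DUMP)
    for folder, ids in sorted(folders_by_identifier(rights).items()):
        print(folder)
        for ident in ids:
            print(f"    {ident:28} ({classify(ident)})")
    print("exposed to anyone:", sorted(exposed_folders(rights)))
```

Running readership -l or imcheck -d lright.db on each store and feeding the output through parse_lright gives a quick answer to the question an audit usually asks first: which folders are visible to every user on the store, and which private folders have been shared beyond their owner's group.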

20.6.5.3 To Remove Inactive Users

If you want to remove inactive users (those who have not accessed shared folders in a specified time period) issue the command:

readership -p months

where months is the number of months to check for.

Example: Remove users who have not accessed shared folders for the past six months:

readership -p 6

20.6.5.4 To Set Access Rights

You can assign access rights to a new public folder, or change access rights on a current public folder.

For an example of how to set access rights with this command, see 20.6.2 To Set or Change a Shared Folder’s Access Control Rights