This section describes the shared folder administrator tasks:
Public folders must be created by system administrators because they require access to the LDAP database as well as the readership command.
Create an LDAP user entry called public that will act as a container for all public folders (see About Shared Folders).
Example:
```
dn: cn=public,ou=people,o=sesta.com,o=ISP
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: ipUser
objectClass: inetMailUser
objectClass: inetLocalMailRecipient
objectClass: nsManagedPerson
objectClass: userPresenceProfile
cn: public
mail: public@sesta.com
mailDeliveryOption: mailbox
mailHost: manatee.siroe.com
uid: public
inetUserStatus: active
mailUserStatus: active
mailQuota: -1
mailMsgQuota: 100
```
Create folders within the public account by using the mboxutil command line utility.
For example, create a public folder called gardening:
mboxutil -c user/public/gardening
Specify the users and their access rights to the shared folder.
Use the readership command to specify users and their access rights. For example, the following command gives everyone at sesta.com lookup, read, and posting access to the public folder gardening:
readership -s user/public/gardening anyone@sesta.com lrp
For detailed instructions on how to use readership, see To Set or Change a Shared Folder’s Access Control Rights.
Shared folders are typically created by adding users to a shared folder list with Communications Express, or by creating public shared folders as described earlier. Sometimes, however, users may wish to add an email group (mail distribution list) to a shared folder list so that everyone in the group will have access to the shared folder. For example, a group called tennis@sesta.com has 25 members and the members have decided that they would like to create a shared folder to store all email going to this group address.
Adding an email group to a shared folder requires System Administrator privileges.
Create a folder. (If this has already been done, skip this step.)
Typically this should be done by one of the members of the group. If it’s not, you can create it for them using the following command:
mboxutil -c user/gregk/gardening
gregk is the uid of the shared folder owner. gardening is the name of the shared folder.
Add the attribute-value pair aclGroupAddr group_name@domain to the user entry of every member who will have access to the group shared folder.
Using the example above, add the following attribute-value pair to each user entry receiving access to the shared folder:
aclGroupAddr: tennis@sesta.com
Note that members will already have this attribute if the group was created dynamically using the memberURL attribute in the group entry. The URL value for this attribute would look like this:
```
memberURL: ldap:///o=sesta.com??sub?(&(aclGroupAddr=tennis@sesta.com)(objectclass=inetmailuser))
```
(The entry must appear on one physical line.)
Specify the group and the access rights to the shared folder.
Use the readership command to do this. Using the example above, the following command gives members of tennis@sesta.com lookup, read, and posting access to the shared folder:
readership -s user/gregk/tennis tennis@sesta.com lrp
For detailed instructions on how to use readership, see To Set or Change a Shared Folder’s Access Control Rights.
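The three steps above (folder creation, adding aclGroupAddr to each member, then readership) are usually scripted when a group has many members. The following is an added example, not code from the Messaging Server documentation: it evaluates the memberURL filter shown above against a few constructed directory entries, skips members that already carry the attribute (ldapmodify rejects an add of an existing value with "attribute or value exists"), and emits the LDIF change records for the rest. The uid-based DN layout under ou=people,o=sesta.com,o=ISP is an assumption; the page only shows the cn=public entry in that container.

```python
"""Added example (not from the Messaging Server docs): prepare the per-member
aclGroupAddr additions for a group shared folder and check which entries the
dynamic-group memberURL filter would select."""
from __future__ import annotations

GROUP_ADDR = "tennis@sesta.com"
# Assumed DN layout: the page shows cn=public,ou=people,o=sesta.com,o=ISP;
# ordinary user entries are assumed to be keyed on uid in the same container.
PEOPLE_BASE = "ou=people,o=sesta.com,o=ISP"

# Constructed sample of three directory entries (attribute -> values).
ENTRIES = {
    "gregk": {"objectClass": ["inetOrgPerson", "inetMailUser"],
              "aclGroupAddr": ["tennis@sesta.com"]},          # already a member
    "alice": {"objectClass": ["inetOrgPerson", "inetMailUser"],
              "aclGroupAddr": ["golf@sesta.com"]},            # needs the value
    "svc-backup": {"objectClass": ["inetOrgPerson"]},         # not inetMailUser
}


def has_value(entry: dict, attr: str, value: str) -> bool:
    """Case-insensitive value test; mail addresses and objectClass values
    compare case-insensitively in LDAP."""
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def matches_member_url(entry: dict, group_addr: str = GROUP_ADDR) -> bool:
    """Evaluate the filter from the memberURL shown on the page:
    (&(aclGroupAddr=<group>)(objectclass=inetmailuser))."""
    return (has_value(entry, "aclGroupAddr", group_addr)
            and has_value(entry, "objectClass", "inetmailuser"))


def members_needing_acl(entries: dict, uids: list[str],
                        group_addr: str = GROUP_ADDR) -> list[str]:
    """uids that should receive the attribute but do not have it yet.
    Adding a value that already exists makes ldapmodify fail with
    'attribute or value exists', so current holders are skipped."""
    return [u for u in uids if not has_value(entries[u], "aclGroupAddr", group_addr)]


def build_modify_ldif(uids: list[str], group_addr: str = GROUP_ADDR,
                      base: str = PEOPLE_BASE) -> str:
    """LDIF change records for ldapmodify, one 'add' per uid."""
    records = []
    for uid in uids:
        records.append("\n".join([
            f"dn: uid={uid},{base}",   # DN layout is an assumption (see above)
            "changetype: modify",
            "add: aclGroupAddr",
            f"aclGroupAddr: {group_addr}",
            "-",
        ]))
    return "\n\n".join(records) + ("\n" if records else "")


def readership_command(owner: str, folder: str, group_addr: str = GROUP_ADDR,
                       rights: str = "lrp") -> str:
    """The final step of the procedure, as a command line to run on the store."""
    return f"readership -s user/{owner}/{folder} {group_addr} {rights}"


if __name__ == "__main__":
    todo = members_needing_acl(ENTRIES, ["gregk", "alice"])
    print(build_modify_ldif(todo), end="")
    print(readership_command("gregk", "gardening"))
```

Feed the generated LDIF to ldapmodify, then run the printed readership command; afterwards matches_member_url should be true for every intended member, which is also the condition the dynamic group's memberURL uses to list them.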
Users can set or change the access control for a shared folder using the Communications Express interface. Administrators can set or change the access control for a shared folder using the readership command line utility. The command has the following form:
readership -s foldername identifier rights_chars
where foldername is the name of the public folder for which you are setting rights, identifier is the person or group to whom you are assigning the rights, and rights_chars are the rights you are assigning. For the meaning of each character, see Table 18–3.
anyone is a special identifier. The access rights for anyone apply to all users. Similarly, the access rights for anyone@domain apply to all users in the same domain.
Table 18–3 Access Rights Characters

| Character | Description |
|---|---|
| l | lookup: User can see and subscribe to the shared folder. (IMAP commands allowed: LIST and LSUB) |
| r | read: Users can read the shared folder. (IMAP commands allowed: SELECT, CHECK, FETCH, PARTIAL, SEARCH, COPY from the folder) |
| s | seen: Directs the system to keep seen information across sessions. (Set IMAP STORE SEEN flag) |
| w | write: Users can mark as read, and delete messages. (Set IMAP STORE flags, other than SEEN and DELETED) |
| i | insert: Users can copy and move email from one folder to another. (IMAP commands allowed: APPEND, COPY into folder) |
| p | post: Users can send mail to the shared folder email address. (No IMAP command needed) |
| c | create: Users can create new sub-folders. (IMAP command allowed: CREATE) |
| d | delete: Users can delete entries from the shared folder. (IMAP commands allowed: EXPUNGE, set STORE DELETED flag) |
| a | administer: Users have administrative privileges. (IMAP command allowed: SETACL) |
If you wish everyone at the sesta domain to have lookup, read, and email marking (but not posting) access to the public folder called golftournament, issue the command as follows:
readership -s User/public/golftournament anyone@sesta lwr
To assign the same access to everyone on the message store, issue the following:
readership -s User/public/golftournament anyone lwr
To assign lookup, read, email marking, and posting rights to a group, issue the command as follows:
readership -s User/public/golftournament group=golf@sesta.com lwrp
If you want to assign administrator and posting rights for this folder to an individual, jdoe, issue the command as follows:
readership -s User/public/golftournament jdoe@sesta.com lwrpa
To deny an individual or group access to a public folder, prefix the identifier with a dash. For example, to deny lookup, read, and write rights to jsmith, issue the command as follows:
readership -s User/public/golftournament -jsmith@sesta.com lwr
To deny an individual or group an access right, prefix the ACL rights character with a dash. For example, to deny posting rights to jsmith, issue the command as follows:
readership -s User/public/golftournament jsmith@sesta.com -p
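When several of these grants and denials accumulate on one folder it becomes hard to tell by inspection what a given user can actually do. The following added example (not code from the Messaging Server product) models the rights characters of Table 18–3 and replays the golftournament commands above against a small in-memory ACL. It validates rights strings, recognises the anyone, anyone@domain, group= and -identifier forms, and computes a user's effective rights. The resolution order it uses, matching grants combined and then matching denials subtracted, is an assumption; the page does not state the server's precedence rules, so treat the output as a review aid rather than the server's own decision. The example uses anyone@sesta.com where the text writes anyone@sesta.

```python
"""Added example (not the server's code): a small model of the readership ACL
rights from Table 18-3, used to check rights strings and to reason about what
a user ends up with once grants and denials are combined."""
from __future__ import annotations
from dataclasses import dataclass, field

# Rights characters from Table 18-3.
RIGHTS = {
    "l": "lookup", "r": "read", "s": "seen", "w": "write", "i": "insert",
    "p": "post", "c": "create", "d": "delete", "a": "administer",
}


def parse_rights(chars: str) -> tuple[bool, set[str]]:
    """Parse a rights argument such as 'lwrp' or '-p'.

    Returns (grant, rights); a leading dash means the rights are denied.
    Unknown characters are rejected rather than silently ignored."""
    grant = not chars.startswith("-")
    body = chars if grant else chars[1:]
    unknown = set(body) - RIGHTS.keys()
    if not body or unknown:
        raise ValueError(f"invalid rights string {chars!r}: unknown {sorted(unknown)}")
    return grant, set(body)


def identifier_matches(identifier: str, user: str, groups: tuple[str, ...]) -> bool:
    """Decide whether an ACL identifier applies to user (uid@domain).

    'anyone' matches everybody, 'anyone@domain' matches users in exactly that
    domain, 'group=addr' matches the caller-supplied group memberships, and
    anything else must equal the user's address."""
    if identifier == "anyone":
        return True
    if identifier.startswith("anyone@"):
        return user.partition("@")[2].lower() == identifier[len("anyone@"):].lower()
    if identifier.startswith("group="):
        return identifier[len("group="):].lower() in (g.lower() for g in groups)
    return identifier.lower() == user.lower()


@dataclass
class FolderAcl:
    folder: str
    grants: dict[str, set[str]] = field(default_factory=dict)
    denials: dict[str, set[str]] = field(default_factory=dict)

    def apply(self, identifier: str, chars: str) -> None:
        """Record one 'readership -s <folder> <identifier> <rights>' call."""
        grant, rights = parse_rights(chars)
        if identifier.startswith("-"):          # e.g. '-jsmith@sesta.com lwr'
            grant, identifier = False, identifier[1:]
        table = self.grants if grant else self.denials
        table.setdefault(identifier, set()).update(rights)

    def effective(self, user: str, groups: tuple[str, ...] = ()) -> set[str]:
        """Assumed resolution: union of matching grants minus union of matching
        denials.  The page does not state the server's precedence, so this is
        a model for review, not the server's algorithm."""
        granted: set[str] = set()
        denied: set[str] = set()
        for ident, rights in self.grants.items():
            if identifier_matches(ident, user, groups):
                granted |= rights
        for ident, rights in self.denials.items():
            if identifier_matches(ident, user, groups):
                denied |= rights
        return granted - denied


def golf_tournament_acl() -> FolderAcl:
    """The sequence of commands shown in the text, replayed against the model."""
    acl = FolderAcl("user/public/golftournament")
    acl.apply("anyone@sesta.com", "lwr")
    acl.apply("group=golf@sesta.com", "lwrp")
    acl.apply("jdoe@sesta.com", "lwrpa")
    acl.apply("-jsmith@sesta.com", "lwr")
    acl.apply("jsmith@sesta.com", "-p")
    return acl


if __name__ == "__main__":
    acl = golf_tournament_acl()
    for who, groups in [("jdoe@sesta.com", ()), ("bob@sesta.com", ("golf@sesta.com",)),
                        ("jsmith@sesta.com", ()), ("eve@other.org", ())]:
        print(who, "".join(sorted(acl.effective(who, groups))) or "(none)")
```

Under the assumed precedence, jsmith ends up with no rights at all even though anyone@sesta.com grants lwr, because the explicit denial of lwr removes exactly those, and the later -p denial removes a right that was never granted. Confirm the real server's behaviour on a test folder before relying on any particular precedence.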
Posting messages to a shared folder using the uid+folder@domain address requires that the p (post) access right be granted with the readership command. See To Set or Change a Shared Folder’s Access Control Rights.
Whether the server returns shared folders when responding to a LIST command depends on the configuration option local.store.sharedfolders. Setting the option to off disables this behavior; it is enabled by default (set to on).
SELECT and LSUB commands are not affected by this option. The LSUB command returns every subscribed folder, including shared folders. Users can SELECT the shared folders they own or are subscribed to.
Normally shared folders are only available to users on a particular message store. Messaging Server, however, allows you to create distributed shared folders that can be accessed across multiple message stores. That is, access rights to distributed shared folders can be granted to any users within the group of message stores. Note, however, that web mail clients (HTTP access clients like Messenger Express) do not support remote shared folder access. Users can list and subscribe to the folders, but they can’t view or alter the contents.
Distributed shared folders require the following:
The message store userids must be unique across the group of message stores.
The directory data across the deployment must be identical.
The remote message stores (that is, the message stores that do not hold the shared folder) must be configured as proxy servers by setting the configuration variables listed in Table 18–4.
Table 18–4 Variables for Configuring Distributed Shared Folders
| Name | Value | Data Format |
|---|---|---|
| local.service.proxy.serverlist | message store server list | space-separated strings |
| local.service.proxy.admin | default store admin login name | string |
| local.service.proxy.adminpass | default store admin password | string |
| local.service.proxy.admin.hostname | store admin login name for a specific host | string |
| local.service.proxy.adminpass.hostname | store admin password for a specific host | string |
Figure 18–3 shows a distributed folder example of three message store servers called StoreServer1, StoreServer2, and StoreServer3.
These servers are connected to each other as peer proxy message stores by setting the variables shown in Table 18–4. Each server has a private shared folder: golf (owned by Han), tennis (owned by Kat), and hurling (owned by Luke). In addition there are two public shared folders called press_releases and Announcements. Users on any of the three servers can access any of these shared folders. Figure 18–2 shows Ed's shared folder list. Below is an example of the ACLs for each server in this configuration.
```
$ StoreServer1 :> readership -l
Ed: user/Han/golf
Ian: user/Han/golf
anyone: user/public/press_releases

$ StoreServer2 :> readership -l
Jan: user/Kat/tennis
Ann: user/Kat/tennis
anyone: user/public+Announcements user/public+press_releases

$ StoreServer3 :> readership -l
Tuck: user/Ian/hurling
Ed: user/Ian/hurling
Jac: user/Ian/hurling
anyone: user/public/Announcements
```
The readership command line utility allows you to monitor and maintain shared folder data, which is held in the folder.db, peruser.db, and lright.db files. folder.db has a record for each folder that holds a copy of the ACLs. peruser.db has an entry per user and mailbox that lists the various flag settings and the last date the user accessed any folders. lright.db has a list of all the users and the shared folders for which they have lookup rights.
The readership command line utility takes the following options:
Table 18–5 readership Options
| Option | Description |
|---|---|
| -d days | Returns a report, per shared folder, of the number of users who have selected the folder within the specified days. |
| -p months | Removes data from the peruser.db for those users who have not selected their shared folders within the specified months. |
| -l | Lists the data in lright.db. |
| -s folder identifier rights | Sets access rights for the specified folder. This updates the lright.db as well as the folder.db. |
Using the various options, you can perform the following functions:
To find out how many users are actively accessing shared folders, issue the command:
readership -d days
where days is the number of days to check. Note that this option returns the number of active users, not a list of the active users.
Example: To find out the number of users who have selected shared folders within the last 30 days, issue the following command:
readership -d 30
To list users and the shared folders to which they have access, issue the command:
readership -l
Example output:
```
$ readership -l
group=lee-staff@siroe.com: user/user2/lee-staff
richb: user/golf user/user10/Drafts user/user2/lee-staff user/user10/Trash
han1: user/public+hurling@siroe.com user/golf
gregk: user/public+hurling@siroe.com user/heaving user/tennis
```
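Because lright.db records lookup rights, the readership -l output above (and the per-server listings in the distributed shared folder example) is the quickest way to audit which folders are visible to whom. The following added example, not part of the Messaging Server documentation, parses that output format into an identifier-to-folders map, inverts it per folder, and reports private (non-public) folders whose lookup right has been granted to anyone or to a whole domain. The sample input is constructed from the listings on the page plus one added anyone@siroe.com line so that the report has something to flag; the folder-path layout user/owner/name and user/owner+name is taken from those listings.

```python
"""Added example (not part of the Messaging Server documentation): parse the
output of 'readership -l' and flag private shared folders whose lookup right
has been granted to everyone."""
from __future__ import annotations

# Constructed sample in the format shown on the page.  The group=, richb,
# han1 and anyone lines are copied from the page's listings; the final
# 'anyone@siroe.com' line is constructed to show a private folder exposed
# to a whole domain.
SAMPLE = """\
$ readership -l
group=lee-staff@siroe.com: user/user2/lee-staff
richb: user/golf user/user10/Drafts user/user2/lee-staff user/user10/Trash
han1: user/public+hurling@siroe.com user/golf
anyone: user/public+Announcements user/public+press_releases
anyone@siroe.com: user/Han/golf
"""


def parse_readership_list(text: str) -> dict[str, list[str]]:
    """Map each identifier to the folders it has lookup rights on.

    Lines are 'identifier: folder folder ...'; a shell prompt line and blank
    lines are skipped, anything else unparseable is an error."""
    result: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("$"):
            continue
        ident, sep, folders = line.partition(": ")
        if not sep:
            raise ValueError(f"unrecognised readership -l line: {line!r}")
        result.setdefault(ident, []).extend(folders.split())
    return result


def folder_owner(folder: str) -> str | None:
    """Owner component of 'user/<owner>/<name>' or 'user/<owner>+<name>';
    None when the path has no owner component (for example 'user/golf')."""
    parts = folder.split("/", 2)
    if len(parts) < 2 or parts[0] != "user":
        return None
    head = parts[1]
    if len(parts) == 2 and "+" not in head:
        return None
    return head.split("+", 1)[0]


def lookup_by_folder(listing: dict[str, list[str]]) -> dict[str, set[str]]:
    """Invert the listing: folder -> identifiers holding lookup rights."""
    out: dict[str, set[str]] = {}
    for ident, folders in listing.items():
        for folder in folders:
            out.setdefault(folder, set()).add(ident)
    return out


def private_folders_visible_to_anyone(text: str) -> list[tuple[str, str]]:
    """(folder, identifier) pairs where a folder not owned by 'public' is
    visible to 'anyone' or 'anyone@<domain>'.  Only lookup is recorded in
    lright.db, so this reports exposure of folder names and subscriptions,
    not read, write or post access; check those with folder.db / readership -s."""
    by_folder = lookup_by_folder(parse_readership_list(text))
    hits: list[tuple[str, str]] = []
    for folder, idents in sorted(by_folder.items()):
        if folder_owner(folder) == "public":
            continue                      # public folders are meant to be visible
        for ident in sorted(idents):
            if ident == "anyone" or ident.startswith("anyone@"):
                hits.append((folder, ident))
    return hits


if __name__ == "__main__":
    for folder, ident in private_folders_visible_to_anyone(SAMPLE):
        print(f"private folder {folder} is visible to {ident}")
```

Run it against the real output (readership -l on each store, since lright.db is per message store) rather than the constructed sample; folders with no owner component, such as user/golf in the page's listing, are kept in the report so that unexpected path layouts are reviewed rather than silently skipped.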
If you want to remove inactive users (those who have not accessed shared folders in a specified time period), issue the command:
readership -p months
where months is the number of months to check for.
Example: Remove users who have not accessed shared folders for the past six months:
readership -p 6
You can assign access rights to a new public folder, or change access rights on a current public folder.
For an example of how to set access rights with this command, see To Set or Change a Shared Folder’s Access Control Rights.