Delegating Admin Rights for some (not all) distribution lists

[tavvyd]

I am trying to give a select few of our users console access to add/remove members from certain distribution lists. Here are the steps I've taken:

1) Check "Administrator" for the user. Save.
2) Go to the Admin View tab and check Distribution List View. Save.

If I then log in as that user (from another computer) it lets me into the console and I only see Distribution Lists in the left column and the list on the right is blank.

3) Back in my admin account I hit the Configure Grants button in the toolbar, then hit Add and fill out the form:
Target Type: dl
Target Name: existing_dlist@domain.com
Right Type: System Defined Right
Right Name: listDistributionList
and hit Add and Finish.

Logging out and back in as the delegated admin it loads with error: "Server error encountered. Details:
Message: system failure: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String Error code: service.FAILURE Method: SearchDirectoryRequest Details:soap:Receiver"

The only way to get things to work is to clear any grants to specific dlists and grant the user listDistributionList for the entire domain.

Am I misunderstanding how this is supposed to work? Any help would be much appreciated!

Also, according to the Zimbra NE Admin Guide 6.0.2: "Combo right is a right that contains other rights. Combo rights can be assigned to any target type. You can use combo right to grant multiple attribute rights quickly on targets."

When I try to grant adminConsoleDLRights on a distribution list it gives me this error: "Failed to grant the ACL: invalid request: right adminConsoleDLRights cannot be granted on a dl entry. It can only be granted on target types: global domain"

We are running 6.0.4

[jummo]

I had the same problem.

My solution:

1. I create for every distribution list which should be manageable by delegated administrators a second dl with the prefix adm_. This dl holds the users which have administrative rights on the original dl.
2. I sort out the rights that the adm_ dl needs to administer the original dl.
   
   • zimbraAdminConsoleUIComponents DLListView on original dl
   • addDistributionListMember on original dl
   • getDistributionListMembership on original dl
   • getDistributionListShareInfo on original dl
   • getDistributionList on original dl
   • listDistributionList on original dl
   • removeDistributionListMember on original dl
   • publishDistributionListShareInfo on original dl
   • set.dl.description on original dl
   • set.dl.zimbraNotes on original dl
   • set.dl.displayName on original dl
   • set.dl.zimbraDistributionListSendShareMessageFromA ddress on original dl
   • set.dl.zimbraDistributionListSendShareMessageToNew Members on original dl
   • listAccount on all accounts
3. For convince, I created a script to add new dls. The script needs the dl name and the manager account name as arguments. Multiple managers are separated by a colon (":").
   
   Code:

   create_dl.sh test@example.com manager1@example.com:manager2@example.com

   Code:

   #/bin/bash
   # create tempfile
   tfile="/tmp/$(basename $0).$$.tmp"
   # get dl name from argument
   dl_name=$1
   # get manager(s) from argument
   manager=$2
   # set delimeter for manager
   IFS=":"
   # create manager array
   manager_array=($manager)
    
   # fill tempfile with zmprov commands
   # create dl
   echo cdl $dl_name > $tfile
   # create adm_ dl
   echo cdl adm_$dl_name >> $tfile
   # add DLListView to adm_ dl
   echo mdl adm_$dl_name zimbraAdminConsoleUIComponents DLListView >> $tfile
   # add manager(s) to adm_ dl
   echo adlm adm_$dl_name ${manager_array[@]} >> $tfile
   # set attributes for adm_ dl
   echo mdl adm_$dl_name zimbraHideInGal TRUE zimbraIsAdminGroup TRUE zimbraMailStatus disabled >> $tfile
   # add rights to adm_ dl
   echo grr dl $dl_name grp adm_$dl_name addDistributionListMember >> $tfile
   echo grr dl $dl_name grp adm_$dl_name getDistributionListMembership >> $tfile
   echo grr dl $dl_name grp adm_$dl_name getDistributionListShareInfo >> $tfile
   echo grr dl $dl_name grp adm_$dl_name getDistributionList >> $tfile
   echo grr dl $dl_name grp adm_$dl_name listDistributionList >> $tfile
   echo grr dl $dl_name grp adm_$dl_name removeDistributionListMember >> $tfile
   echo grr dl $dl_name grp adm_$dl_name publishDistributionListShareInfo >> $tfile
   echo grr dl $dl_name grp adm_$dl_name set.dl.description >> $tfile
   echo grr dl $dl_name grp adm_$dl_name set.dl.zimbraNotes >> $tfile
   echo grr dl $dl_name grp adm_$dl_name set.dl.displayName >> $tfile
   echo grr dl $dl_name grp adm_$dl_name set.dl.zimbraDistributionListSendShareMessageFromAddress >> $tfile
   echo grr dl $dl_name grp adm_$dl_name set.dl.zimbraDistributionListSendShareMessageToNewMembers >> $tfile
   echo grr global grp adm_$dl_name listAccount >> $tfile
   # set administrator attribute for manager(s)
   for i in ${manager_array[@]}; do
     echo ma $i zimbraIsDelegatedAdminAccount TRUE >> $tfile
   done
    
   # run zmprov with commands from tempfile
   zmprov < $tfile
   # delete tempfile
   rm $tfile

4. The members of the adm_ dl can add new members, delete ..., but can't edit the AdminGroup, MailStatus an GAL flag, can't edit the listname, ACL, Admin View or manage the aliases for the original dl.

Problems:

• Delegated administrators are not able to find shares from a resource. The log says that the right adminLoginAs is needed. But it didn't work, maybe Bug 43918.
• If you hide the ACL tab, every time you open the dl in the admin interface you get a popup Permission Denied.

[tavvyd]

Thanks jummo, but even if I run that script I get the same error when the delegated admin logs in:

Server error encountered Message: system failure: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String Error code: service.FAILURE Method: SearchDirectoryRequest Details:soap:Receiver

Does anyone know what might be happening here?

[tavvyd]

UPDATE: Good news for most, but bad news for us. Using a trial license I set up a test ZCS NE server and delegation works as expected.

Thanks for your comments.

[scohol]

Thanks jummo, but even if I run that script I get the same error when the delegated admin logs in:

Server error encountered Message: system failure: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String Error code: service.FAILURE Method: SearchDirectoryRequest Details:soap:Receiver

Does anyone know what might be happening here?

Same issue. Whats the deal? We have network Edition.

[tavvyd]

scohol, Out of curiosity, did you upgrade from 5.0.x or clean install to 6.0.x?

[jummo]

I don't know why, but since the update to 6.0.5 this doesn't work anymore.

Here is the error from mailbox.log

Code:

2010-03-18 17:35:29,195 INFO  [btpool0-23780://zimbra.example.com:7071/service/admin/soap/GetAllEffectiveRightsRequest] [name=john.doe@example.com;mid=29;ip=192.168.1.5;ua=ZimbraWebClient - FF3.0 (Linux);] soap - GetAllEffectiveRightsRequest
2010-03-18 17:35:29,491 WARN  [btpool0-23780://zimbra.example.com:7071/service/admin/soap/GetAllEffectiveRightsRequest] [name=john.doe@example.com;mid=29;ip=192.168.1.5;ua=ZimbraWebClient - FF3.0 (Linux);] SoapEngine - handler exception
java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String
        at com.zimbra.cs.account.accesscontrol.RightChecker$Visitor.visit(RightChecker.java:1551)
        at com.zimbra.cs.account.ldap.LdapUtil.searchLdap(LdapUtil.java:630)
        at com.zimbra.cs.account.ldap.LdapUtil.searchLdapOnMaster(LdapUtil.java:596)
        at com.zimbra.cs.account.accesscontrol.RightChecker.getAllGroups(RightChecker.java:1565)
        at com.zimbra.cs.account.accesscontrol.RightChecker.getAllGroupMembers(RightChecker.java:1756)
        at com.zimbra.cs.account.accesscontrol.RightChecker.getAllEffectiveRights(RightChecker.java:1838)
        at com.zimbra.cs.account.accesscontrol.RightCommand.getAllEffectiveRights(RightCommand.java:912)
        at com.zimbra.cs.service.admin.GetAllEffectiveRights.handle(GetAllEffectiveRights.java:61)
        at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:419)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:273)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:157)
        at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:291)
        at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:212)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:181)                                    ┌──────┐
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)                                           │Paused│
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)                                 └──────┘
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
        at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:79)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
        at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
        at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
        at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
        at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
        at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
        at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.handler.DebugHandler.handle(DebugHandler.java:77)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:326)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:543)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:939)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:405)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
        at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)

[scohol]

scohol, Out of curiosity, did you upgrade from 5.0.x or clean install to 6.0.x?

Was Clean 6.0.3. Just new to the game of zimbra.

[mspaeth]

The user needs "viewDistributionListAdminUI" rights and the list needs an ACL entry added for the user for "domainAdminDistributionListRights" to see anything in the right side of the admin console window when the delegated user logs in. I couldn't get the DL to show up any other way. Unfortunately, another DL showed up and I am examining why that is and will let you know when I find out. I may be able to lock down the rights on that DL to restrict it from that delegate's view. UPDATE: that extra DL is contained in the root DL so that is why it showed up - inherited permissions I suppose?

-Michelle