Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
Go Back   Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

Welcome to the Zimbra :: Forums!
Welcome, if you would like to post a comment please register. We also encourage you to explore all things Zimbra with our team and members of the community.

Reply
 
LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 01-07-2010, 12:46 PM
Junior Member
 
Posts: 6
Question Delegating Admin Rights for some (not all) distribution lists

I am trying to give a select few of our users console access to add/remove members from certain distribution lists. Here are the steps I've taken:

1) Check "Administrator" for the user. Save.
2) Go to the Admin View tab and check Distribution List View. Save.

If I then log in as that user (from another computer) it lets me into the console and I only see Distribution Lists in the left column and the list on the right is blank.

3) Back in my admin account I hit the Configure Grants button in the toolbar, then hit Add and fill out the form:
Target Type: dl
Target Name: existing_dlist@domain.com
Right Type: System Defined Right
Right Name: listDistributionList
and hit Add and Finish.

Logging out and back in as the delegated admin it loads with error: "Server error encountered. Details:
Message: system failure: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String Error code: service.FAILURE Method: SearchDirectoryRequest Details:soap:Receiver"

The only way to get things to work is to clear any grants to specific dlists and grant the user listDistributionList for the entire domain.

Am I misunderstanding how this is supposed to work? Any help would be much appreciated!

Also, according to the Zimbra NE Admin Guide 6.0.2: "Combo right is a right that contains other rights. Combo rights can be assigned to any target type. You can use combo right to grant multiple attribute rights quickly on targets."

When I try to grant adminConsoleDLRights on a distribution list it gives me this error: "Failed to grant the ACL: invalid request: right adminConsoleDLRights cannot be granted on a dl entry. It can only be granted on target types: global domain"

We are running 6.0.4
Reply With Quote
  #2 (permalink)  
Old 01-11-2010, 01:28 AM
Special Member
 
Posts: 113
Default

I had the same problem.

My solution:
  1. I create for every distribution list which should be manageable by delegated administrators a second dl with the prefix adm_. This dl holds the users which have administrative rights on the original dl.
  2. I sort out the rights that the adm_ dl needs to administer the original dl.
    • zimbraAdminConsoleUIComponents DLListView on original dl
    • addDistributionListMember on original dl
    • getDistributionListMembership on original dl
    • getDistributionListShareInfo on original dl
    • getDistributionList on original dl
    • listDistributionList on original dl
    • removeDistributionListMember on original dl
    • publishDistributionListShareInfo on original dl
    • set.dl.description on original dl
    • set.dl.zimbraNotes on original dl
    • set.dl.displayName on original dl
    • set.dl.zimbraDistributionListSendShareMessageFromA ddress on original dl
    • set.dl.zimbraDistributionListSendShareMessageToNew Members on original dl
    • listAccount on all accounts
  3. For convince, I created a script to add new dls. The script needs the dl name and the manager account name as arguments. Multiple managers are separated by a colon (":").
    Code:
    create_dl.sh test@example.com manager1@example.com:manager2@example.com
    Code:
    #/bin/bash
    # create tempfile
    tfile="/tmp/$(basename $0).$$.tmp"
    # get dl name from argument
    dl_name=$1
    # get manager(s) from argument
    manager=$2
    # set delimeter for manager
    IFS=":"
    # create manager array
    manager_array=($manager)
     
    # fill tempfile with zmprov commands
    # create dl
    echo cdl $dl_name > $tfile
    # create adm_ dl
    echo cdl adm_$dl_name >> $tfile
    # add DLListView to adm_ dl
    echo mdl adm_$dl_name zimbraAdminConsoleUIComponents DLListView >> $tfile
    # add manager(s) to adm_ dl
    echo adlm adm_$dl_name ${manager_array[@]} >> $tfile
    # set attributes for adm_ dl
    echo mdl adm_$dl_name zimbraHideInGal TRUE zimbraIsAdminGroup TRUE zimbraMailStatus disabled >> $tfile
    # add rights to adm_ dl
    echo grr dl $dl_name grp adm_$dl_name addDistributionListMember >> $tfile
    echo grr dl $dl_name grp adm_$dl_name getDistributionListMembership >> $tfile
    echo grr dl $dl_name grp adm_$dl_name getDistributionListShareInfo >> $tfile
    echo grr dl $dl_name grp adm_$dl_name getDistributionList >> $tfile
    echo grr dl $dl_name grp adm_$dl_name listDistributionList >> $tfile
    echo grr dl $dl_name grp adm_$dl_name removeDistributionListMember >> $tfile
    echo grr dl $dl_name grp adm_$dl_name publishDistributionListShareInfo >> $tfile
    echo grr dl $dl_name grp adm_$dl_name set.dl.description >> $tfile
    echo grr dl $dl_name grp adm_$dl_name set.dl.zimbraNotes >> $tfile
    echo grr dl $dl_name grp adm_$dl_name set.dl.displayName >> $tfile
    echo grr dl $dl_name grp adm_$dl_name set.dl.zimbraDistributionListSendShareMessageFromAddress >> $tfile
    echo grr dl $dl_name grp adm_$dl_name set.dl.zimbraDistributionListSendShareMessageToNewMembers >> $tfile
    echo grr global grp adm_$dl_name listAccount >> $tfile
    # set administrator attribute for manager(s)
    for i in ${manager_array[@]}; do
      echo ma $i zimbraIsDelegatedAdminAccount TRUE >> $tfile
    done
     
    # run zmprov with commands from tempfile
    zmprov < $tfile
    # delete tempfile
    rm $tfile
  4. The members of the adm_ dl can add new members, delete ..., but can't edit the AdminGroup, MailStatus an GAL flag, can't edit the listname, ACL, Admin View or manage the aliases for the original dl.

Problems:
  • Delegated administrators are not able to find shares from a resource. The log says that the right adminLoginAs is needed. But it didn't work, maybe Bug 43918.
  • If you hide the ACL tab, every time you open the dl in the admin interface you get a popup Permission Denied.

Last edited by jummo; 01-11-2010 at 01:31 AM.. Reason: Typo
Reply With Quote
  #3 (permalink)  
Old 01-14-2010, 01:11 PM
Junior Member
 
Posts: 6
Default

Thanks jummo, but even if I run that script I get the same error when the delegated admin logs in:

Server error encountered Message: system failure: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String Error code: service.FAILURE Method: SearchDirectoryRequest Details:soap:Receiver

Does anyone know what might be happening here?
Reply With Quote
  #4 (permalink)  
Old 02-09-2010, 12:41 PM
Junior Member
 
Posts: 6
Default

UPDATE: Good news for most, but bad news for us. Using a trial license I set up a test ZCS NE server and delegation works as expected.

Thanks for your comments.
Reply With Quote
  #5 (permalink)  
Old 03-17-2010, 06:16 PM
Intermediate Member
 
Posts: 22
Default

Quote:
Originally Posted by tavvyd View Post
Thanks jummo, but even if I run that script I get the same error when the delegated admin logs in:

Server error encountered Message: system failure: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String Error code: service.FAILURE Method: SearchDirectoryRequest Details:soap:Receiver

Does anyone know what might be happening here?
Same issue. Whats the deal? We have network Edition.
Reply With Quote
  #6 (permalink)  
Old 03-18-2010, 05:18 AM
Junior Member
 
Posts: 6
Default

scohol, Out of curiosity, did you upgrade from 5.0.x or clean install to 6.0.x?
Reply With Quote
  #7 (permalink)  
Old 03-18-2010, 09:39 AM
Special Member
 
Posts: 113
Default

I don't know why, but since the update to 6.0.5 this doesn't work anymore.

Here is the error from mailbox.log

Code:
2010-03-18 17:35:29,195 INFO  [btpool0-23780://zimbra.example.com:7071/service/admin/soap/GetAllEffectiveRightsRequest] [name=john.doe@example.com;mid=29;ip=192.168.1.5;ua=ZimbraWebClient - FF3.0 (Linux);] soap - GetAllEffectiveRightsRequest
2010-03-18 17:35:29,491 WARN  [btpool0-23780://zimbra.example.com:7071/service/admin/soap/GetAllEffectiveRightsRequest] [name=john.doe@example.com;mid=29;ip=192.168.1.5;ua=ZimbraWebClient - FF3.0 (Linux);] SoapEngine - handler exception
java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String
        at com.zimbra.cs.account.accesscontrol.RightChecker$Visitor.visit(RightChecker.java:1551)
        at com.zimbra.cs.account.ldap.LdapUtil.searchLdap(LdapUtil.java:630)
        at com.zimbra.cs.account.ldap.LdapUtil.searchLdapOnMaster(LdapUtil.java:596)
        at com.zimbra.cs.account.accesscontrol.RightChecker.getAllGroups(RightChecker.java:1565)
        at com.zimbra.cs.account.accesscontrol.RightChecker.getAllGroupMembers(RightChecker.java:1756)
        at com.zimbra.cs.account.accesscontrol.RightChecker.getAllEffectiveRights(RightChecker.java:1838)
        at com.zimbra.cs.account.accesscontrol.RightCommand.getAllEffectiveRights(RightCommand.java:912)
        at com.zimbra.cs.service.admin.GetAllEffectiveRights.handle(GetAllEffectiveRights.java:61)
        at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:419)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:273)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:157)
        at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:291)
        at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:212)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:181)                                    ┌──────┐
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)                                           │Paused│
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)                                 └──────┘
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
        at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:79)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
        at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
        at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
        at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
        at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
        at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
        at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.handler.DebugHandler.handle(DebugHandler.java:77)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:326)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:543)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:939)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:405)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
        at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Reply With Quote
  #8 (permalink)  
Old 03-18-2010, 03:35 PM
Intermediate Member
 
Posts: 22
Default

Quote:
Originally Posted by tavvyd View Post
scohol, Out of curiosity, did you upgrade from 5.0.x or clean install to 6.0.x?
Was Clean 6.0.3. Just new to the game of zimbra.
Reply With Quote
Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes


Similar Threads

Why Join?

Registering let's you ask questions, makes it easier to search, displays any files attached to posts, and notifies you about replies.

blog.zimbra.com




 

SEO by vBSEO ©2011, Crawlability, Inc.