Thread: Delegating Admin Rights for some (not all) distribution lists

  1. #1
    tavvyd Guest

    I am trying to give a select few of our users console access to add/remove members from certain distribution lists. Here are the steps I've taken:

    1) Check "Administrator" for the user. Save.
    2) Go to the Admin View tab and check Distribution List View. Save.

    If I then log in as that user (from another computer) it lets me into the console and I only see Distribution Lists in the left column and the list on the right is blank.

    3) Back in my admin account I hit the Configure Grants button in the toolbar, then hit Add and fill out the form:
    Target Type: dl
    Target Name: existing_dlist@domain.com
    Right Type: System Defined Right
    Right Name: listDistributionList
    and hit Add and Finish.

    Logging out and back in as the delegated admin it loads with error: "Server error encountered. Details:
    Message: system failure: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String Error code: service.FAILURE Method: SearchDirectoryRequest Details:soap:Receiver"

    The only way to get things to work is to clear any grants to specific dlists and grant the user listDistributionList for the entire domain.

    Am I misunderstanding how this is supposed to work? Any help would be much appreciated!

    Also, according to the Zimbra NE Admin Guide 6.0.2: "Combo right is a right that contains other rights. Combo rights can be assigned to any target type. You can use combo right to grant multiple attribute rights quickly on targets."

    When I try to grant adminConsoleDLRights on a distribution list it gives me this error: "Failed to grant the ACL: invalid request: right adminConsoleDLRights cannot be granted on a dl entry. It can only be granted on target types: global domain"

    We are running 6.0.4

  2. #2
    Join Date
    May 2009
    Location
    Bremen, Germany
    Posts
    122
    Rep Power
    6

    I had the same problem.

    My solution:
    1. I create for every distribution list which should be manageable by delegated administrators a second dl with the prefix adm_. This dl holds the users which have administrative rights on the original dl.
    2. I sort out the rights that the adm_ dl needs to administer the original dl.
      • zimbraAdminConsoleUIComponents DLListView on original dl
      • addDistributionListMember on original dl
      • getDistributionListMembership on original dl
      • getDistributionListShareInfo on original dl
      • getDistributionList on original dl
      • listDistributionList on original dl
      • removeDistributionListMember on original dl
      • publishDistributionListShareInfo on original dl
      • set.dl.description on original dl
      • set.dl.zimbraNotes on original dl
      • set.dl.displayName on original dl
      • set.dl.zimbraDistributionListSendShareMessageFromAddress on original dl
      • set.dl.zimbraDistributionListSendShareMessageToNewMembers on original dl
      • listAccount on all accounts
    3. For convenience, I created a script to add new dls. The script needs the dl name and the manager account name as arguments. Multiple managers are separated by a colon (":").
      Code:
      create_dl.sh test@example.com manager1@example.com:manager2@example.com
      Code:
      #!/bin/bash
      # create tempfile (mktemp avoids a predictable file name in /tmp)
      tfile="$(mktemp "/tmp/$(basename "$0").XXXXXX")" || exit 1
      # get dl name from argument
      dl_name=$1
      # get manager(s) from argument
      manager=$2
      # split manager(s) on the ":" delimiter into an array
      # (IFS is changed for this read only, not for the rest of the script)
      IFS=":" read -r -a manager_array <<< "$manager"

      # fill tempfile with zmprov commands
      # create dl
      echo "cdl $dl_name" > "$tfile"
      # create adm_ dl
      echo "cdl adm_$dl_name" >> "$tfile"
      # add DLListView to adm_ dl
      echo "mdl adm_$dl_name zimbraAdminConsoleUIComponents DLListView" >> "$tfile"
      # add manager(s) to adm_ dl
      echo "adlm adm_$dl_name ${manager_array[*]}" >> "$tfile"
      # set attributes for adm_ dl
      echo "mdl adm_$dl_name zimbraHideInGal TRUE zimbraIsAdminGroup TRUE zimbraMailStatus disabled" >> "$tfile"
      # add rights to adm_ dl
      echo "grr dl $dl_name grp adm_$dl_name addDistributionListMember" >> "$tfile"
      echo "grr dl $dl_name grp adm_$dl_name getDistributionListMembership" >> "$tfile"
      echo "grr dl $dl_name grp adm_$dl_name getDistributionListShareInfo" >> "$tfile"
      echo "grr dl $dl_name grp adm_$dl_name getDistributionList" >> "$tfile"
      echo "grr dl $dl_name grp adm_$dl_name listDistributionList" >> "$tfile"
      echo "grr dl $dl_name grp adm_$dl_name removeDistributionListMember" >> "$tfile"
      echo "grr dl $dl_name grp adm_$dl_name publishDistributionListShareInfo" >> "$tfile"
      echo "grr dl $dl_name grp adm_$dl_name set.dl.description" >> "$tfile"
      echo "grr dl $dl_name grp adm_$dl_name set.dl.zimbraNotes" >> "$tfile"
      echo "grr dl $dl_name grp adm_$dl_name set.dl.displayName" >> "$tfile"
      echo "grr dl $dl_name grp adm_$dl_name set.dl.zimbraDistributionListSendShareMessageFromAddress" >> "$tfile"
      echo "grr dl $dl_name grp adm_$dl_name set.dl.zimbraDistributionListSendShareMessageToNewMembers" >> "$tfile"
      echo "grr global grp adm_$dl_name listAccount" >> "$tfile"
      # set administrator attribute for manager(s)
      for i in "${manager_array[@]}"; do
        echo "ma $i zimbraIsDelegatedAdminAccount TRUE" >> "$tfile"
      done

      # run zmprov with commands from tempfile
      zmprov < "$tfile"
      # delete tempfile
      rm "$tfile"
    4. The members of the adm_ dl can add new members, delete ..., but can't edit the AdminGroup, MailStatus and GAL flag, can't edit the listname, ACL, Admin View or manage the aliases for the original dl.


    Problems:
    • Delegated administrators are not able to find shares from a resource. The log says that the right adminLoginAs is needed. But it didn't work, maybe Bug 43918.
    • If you hide the ACL tab, every time you open the dl in the admin interface you get a popup Permission Denied.
    Last edited by jummo; 01-11-2010 at 02:31 AM. Reason: Typo
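
A review pass over a zmprov batch like the one the script in post #2 builds, as an added example that is not part of the original thread. It flags `grr` lines whose target is wider than a single dl (the `global` listAccount grant, or a domain-wide listDistributionList like the workaround in post #1) and dl rights outside the step 2 list; the sample batch is constructed and the argument order is taken from the `grr` lines in the script.

```bash
#!/bin/bash
# Added example: review a zmprov batch for grants wider than one dl.
# Rights that step 2 of post #2 grants on the original dl.
DL_RIGHTS="addDistributionListMember getDistributionListMembership
getDistributionListShareInfo getDistributionList listDistributionList
removeDistributionListMember publishDistributionListShareInfo
set.dl.description set.dl.zimbraNotes set.dl.displayName
set.dl.zimbraDistributionListSendShareMessageFromAddress
set.dl.zimbraDistributionListSendShareMessageToNewMembers"

# review_grants: read a zmprov batch on stdin, print one finding per grr line.
#   WIDE      target type is not "dl" (global or domain scope)
#   UNLISTED  right granted on a dl that is not in DL_RIGHTS
review_grants() (
  while read -r cmd ttype a b c d || [ -n "$cmd" ]; do
    [ "$cmd" = "grr" ] || continue
    if [ "$ttype" = "global" ]; then
      # global grants carry no target name: grr global grp GRANTEE RIGHT
      target="-"; grantee=$b; right=$c
    else
      # grr TYPE TARGET grp GRANTEE RIGHT
      target=$a; grantee=$c; right=$d
    fi
    if [ "$ttype" != "dl" ]; then
      echo "WIDE $ttype $target $grantee $right"
    elif ! printf '%s\n' $DL_RIGHTS | grep -qxF -- "$right"; then
      echo "UNLISTED $ttype $target $grantee $right"
    fi
  done
)

# Constructed sample batch (not taken from a real server).
sample_batch() {
  cat <<'EOF'
cdl test@example.com
cdl adm_test@example.com
grr dl test@example.com grp adm_test@example.com addDistributionListMember
grr dl test@example.com grp adm_test@example.com listDistributionList
grr dl test@example.com grp adm_test@example.com adminLoginAs
grr domain example.com grp adm_test@example.com listDistributionList
grr global grp adm_test@example.com listAccount
ma manager1@example.com zimbraIsDelegatedAdminAccount TRUE
EOF
}

sample_batch | review_grants
```

On a real batch, feed the generated temp file to `review_grants` on stdin before it is piped to zmprov.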

  3. #3
    tavvyd Guest

    Thanks jummo, but even if I run that script I get the same error when the delegated admin logs in:

    Server error encountered Message: system failure: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String Error code: service.FAILURE Method: SearchDirectoryRequest Details:soap:Receiver

    Does anyone know what might be happening here?

  4. #4
    tavvyd Guest

    UPDATE: Good news for most, but bad news for us. Using a trial license I set up a test ZCS NE server and delegation works as expected.

    Thanks for your comments.

  5. #5
    Join Date
    Sep 2009
    Location
    Canberra, Australia
    Posts
    25
    Rep Power
    6

    Originally posted by tavvyd:
    Thanks jummo, but even if I run that script I get the same error when the delegated admin logs in:

    Server error encountered Message: system failure: java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String Error code: service.FAILURE Method: SearchDirectoryRequest Details:soap:Receiver

    Does anyone know what might be happening here?

    Same issue. What's the deal? We have Network Edition.

  6. #6
    tavvyd Guest

    scohol, Out of curiosity, did you upgrade from 5.0.x or clean install to 6.0.x?

  7. #7
    Join Date
    May 2009
    Location
    Bremen, Germany
    Posts
    122
    Rep Power
    6

    I don't know why, but since the update to 6.0.5 this doesn't work anymore.

    Here is the error from mailbox.log

    Code:
    2010-03-18 17:35:29,195 INFO  [btpool0-23780://zimbra.example.com:7071/service/admin/soap/GetAllEffectiveRightsRequest] [name=john.doe@example.com;mid=29;ip=192.168.1.5;ua=ZimbraWebClient - FF3.0 (Linux);] soap - GetAllEffectiveRightsRequest
    2010-03-18 17:35:29,491 WARN  [btpool0-23780://zimbra.example.com:7071/service/admin/soap/GetAllEffectiveRightsRequest] [name=john.doe@example.com;mid=29;ip=192.168.1.5;ua=ZimbraWebClient - FF3.0 (Linux);] SoapEngine - handler exception
    java.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String
            at com.zimbra.cs.account.accesscontrol.RightChecker$Visitor.visit(RightChecker.java:1551)
            at com.zimbra.cs.account.ldap.LdapUtil.searchLdap(LdapUtil.java:630)
            at com.zimbra.cs.account.ldap.LdapUtil.searchLdapOnMaster(LdapUtil.java:596)
            at com.zimbra.cs.account.accesscontrol.RightChecker.getAllGroups(RightChecker.java:1565)
            at com.zimbra.cs.account.accesscontrol.RightChecker.getAllGroupMembers(RightChecker.java:1756)
            at com.zimbra.cs.account.accesscontrol.RightChecker.getAllEffectiveRights(RightChecker.java:1838)
            at com.zimbra.cs.account.accesscontrol.RightCommand.getAllEffectiveRights(RightCommand.java:912)
            at com.zimbra.cs.service.admin.GetAllEffectiveRights.handle(GetAllEffectiveRights.java:61)
            at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:419)
            at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:273)
            at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:157)
            at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:291)
            at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:212)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
            at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:181)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
            at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
            at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
            at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:79)
            at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
            at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
            at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
            at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
            at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
            at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
            at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
            at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
            at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
            at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
            at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
            at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
            at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
            at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
            at org.mortbay.jetty.handler.DebugHandler.handle(DebugHandler.java:77)
            at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
            at org.mortbay.jetty.Server.handle(Server.java:326)
            at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:543)
            at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:939)
            at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755)
            at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
            at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:405)
            at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
            at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)

  8. #8
    Join Date
    Sep 2009
    Location
    Canberra, Australia
    Posts
    25
    Rep Power
    6

    Originally posted by tavvyd:
    scohol, Out of curiosity, did you upgrade from 5.0.x or clean install to 6.0.x?

    Was clean 6.0.3. Just new to the game of Zimbra.

  9. #9
    Join Date
    Aug 2011
    Posts
    1
    Rep Power
    4

    The user needs "viewDistributionListAdminUI" rights and the list needs an ACL entry added for the user for "domainAdminDistributionListRights" to see anything in the right side of the admin console window when the delegated user logs in. I couldn't get the DL to show up any other way. Unfortunately, another DL showed up and I am examining why that is and will let you know when I find out. I may be able to lock down the rights on that DL to restrict it from that delegate's view. UPDATE: that extra DL is contained in the root DL so that is why it showed up - inherited permissions I suppose?

    -Michelle
    Last edited by mspaeth; 06-25-2012 at 05:53 PM.
