Ajcody-User-Management-Topics
- This article is NOT official Zimbra documentation. It is a user contribution and may include unsupported customizations, references, suggestions, or information.
User Management Topics
Actual User Management Topics Homepage
Please see Ajcody-User-Management-Topics
Resetting A User's Account From CLI
Resetting A Password
Standard Method
SetPassword [sp] from zmprov:
zmprov sp joe@domain.com test321
Resetting User's Auth Session - Force Disconnect
Changing the User's Password To Expire Session
See Resetting A Password Via CLI or change it via the admin console.
- "Auth token should be invalidated if a user resets their password"
Prior To 605 - Use CLI To Change zimbraAuthTokenValidityValue To Expire The Session
Change the zimbraAuthTokenValidityValue to a small time value:
su - zimbra
zmprov ma <accountname> zimbraAuthTokenValidityValue 1    <- Setting it to one minute.
zmprov fc account <accountname>
This value gets stored in the auth token and compared on every request. Changing it will invalidate all outstanding auth tokens.
6.0.5+ You Have Admin Console Option
In the admin console, under the Manage Accounts window you can right click on the user name and choose "Expire Sessions".
- "Manually Invalidate Auth Token(s)"
User, Mailbox ID's, And Who Is What
ZimbraID [UserID] is system wide.
MailboxID is per server store.
To get the ZimbraID:
$ zmprov ga user@domain.com | grep -i zimbraid
zimbraId: aeca260b-6faf-4cfe-b407-7673748aabf4
zimbraIdentityMaxNumEntries: 20
To get the MailboxID, get on the appropriate mailserver and:
zmprov gmi user@domain.com
mailboxId: 3
quotaUsed: 251512
or globally:
/opt/zimbra/bin/mysql -e "use zimbra; select id from mailbox where account_id = 'UserID HERE including the leading 0'"
Other details can be found here:
http://wiki.zimbra.com/index.php?title=Account_mailbox_database_structure
Account & Domain Summary
Run zmaccts
Here's what it would return:
su - zimbra
[zimbra@mail3 ~]$ zmaccts

           account                              status             created       last logon
------------------------------------       -----------     ---------------  ---------------
admin@mail3.internal.domain.com                 active      05/06/08 18:46   07/08/08 09:56
ajcody@mail3.internal.domain.com                active      05/06/08 20:43   06/23/08 15:48
ajcody2@mail3.internal.domain.com               active      05/28/08 11:48   06/30/08 17:44
forward@mail3.internal.domain.com               active      05/06/08 21:06   05/29/08 17:24
ham.bidiob2mm@mail3.internal.domain.com         active      05/06/08 18:47            never
spam.rormmtcyy@mail3.internal.domain.com        active      05/06/08 18:47            never
wiki@mail3.internal.domain.com                  active      05/06/08 18:46            never

           account                              status             created       last logon
------------------------------------       -----------     ---------------  ---------------
secondary@secondary.internal.domain.com         active      06/23/08 15:26   06/23/08 15:27
wiki@secondary.internal.domain.com              active      06/23/08 15:25            never

                                 - domain summary -

    domain                    active    closed    locked    maintenance     total
-----------------------     --------  --------  --------  -------------  --------
mail3.internal.domain              7         0         0              0         7
secondary.internal.domain          2         0         0              0         2
Last Logon comes from the variable zimbraLastLogonTimestamp. This is also used to update the "Last Login Time" column in the admin web console, and it shows up with [ zmprov ga user@domain ]. Logins based upon session type would only be found in either the audit.log or the mailbox.log files. The entry should have a reference to the user ID and the session type for the login [ pop, imap, etc. ].
RFE To Expand zmaccts Output And Options
Please see the following RFE I made:
- "zmaccts to include more options"
Zmmailbox Stuff
RFE's And Bugs To Review
Please see these RFE's first:
- "Admin (zimbra) account to be able to setup resources for accounts (auto-acceptance)"
- http://bugzilla.zimbra.com/show_bug.cgi?id=25740
- Was marked a dup of the work being done for bug7473
- "Share management and discovery"
- "New share property that grants the user the ability to work on email but unable to delete or empty folders"
- http://bugzilla.zimbra.com/show_bug.cgi?id=31466
- In comment 4, I made an extensive suggestion on expanding the permission variables one could use.
Some others to look at:
- "Expand permission share model"
- "Allow/disallow sharing to all authenticated users via user interface"
- "Calendar Share permission refinement - ability to accept/decline but NOT edit/remove"
- "Revoked view permissions not removed until after logout"
- "RFE - Ability for anyone (not just people with a share) to view some meeting details of resources"
- "After revoking calendar permissions, the web UI still shows the share still exists."
- "Cannot remove sharing permissions for mail folders"
- "Allow non-user "public" folders"
- "share ownership to disti-group -- not just end-user -- delegation (folder, calendar, doc/wiki, task, project)"
- "Global Admin control for Zimbra shared resources (and subscription) -- folders, calendar, address book, task, project, documents"
- "share roles - custom (editor / author) levels"
- "Notification of shared resources for distribution list members"
To See All Folders For A User
Do the following for the user:
[zimbra@mail3 ~]$ zmmailbox -z -m ajcody@DOMAIN gaf
        Id  View      Unread   Msg Count  Path
----------  ----  ----------  ----------  ----------
         1  conv           0           0  /
        16  docu           0           2  /Briefcase
        10  appo           0           1  /Calendar
        14  mess           0           0  /Chats
         7  cont           0           0  /Contacts
         6  mess           0           0  /Drafts
        13  cont           0           9  /Emailed Contacts
         2  mess           0          11  /Inbox
         4  mess           0           0  /Junk
       344  mess           0           0  /Junk E-mail
        12  wiki           0           0  /Notebook
       302  appo           0           0  /Restored
         5  mess           0          15  /Sent
       420  mess           0           0  /Share
       421  mess           0           0  /Share/Share1
       422  mess           0           0  /Share/Share1/Share1-1
       423  mess           0           0  /Share/Share2
       424  mess           0           0  /Share/Share2/Share2-1
        15  task           0           2  /Tasks
         3  conv           0           0  /Trash
Do the following for the user [ I'm cutting some of the output to keep it short ]:
[zimbra@mail3 ~]$ zmmailbox -z -m ajcody@DOMAIN gaf -v
{
  "id": "1",
  "name": "USER_ROOT",
  "path": "/",
  "parentId": "11",
  "flags": null,
  "color": "defaultColor",
  "unreadCount": 0,
  "messageCount": 0,
  "view": "conversation",
  "url": null,
  "effectivePermissions": null,
  "children": [
    {
#### CUT HERE ####
    {
      "id": "5",
      "name": "Sent",
      "path": "/Sent",
      "parentId": "1",
      "flags": null,
      "color": "defaultColor",
      "unreadCount": 0,
      "messageCount": 15,
      "view": "message",
      "url": null,
      "effectivePermissions": null
    },
    {
      "id": "420",
      "name": "Share",
      "path": "/Share",
      "parentId": "1",
      "flags": "i",
      "color": "defaultColor",
      "unreadCount": 0,
      "messageCount": 0,
      "view": "message",
      "url": null,
      "effectivePermissions": null,
      "grants": [
        {
          "type": "usr",
          "name": "ajcody2@mail3.internal.domain.com",
          "id": "88fd808e-a526-419d-9eda-ad50100d23b6",
          "permissions": "rwidx",
          "args": null
        },
        {
          "type": "all",
          "name": null,
          "id": null,
          "permissions": "rwx",
          "args": null
        }
      ],
      "children": [
        {
          "id": "421",
          "name": "Share1",
          "path": "/Share/Share1",
          "parentId": "420",
          "flags": "i",
          "color": "defaultColor",
          "unreadCount": 0,
          "messageCount": 0,
          "view": "message",
          "url": null,
          "effectivePermissions": null,
          "grants": [
            {
              "type": "usr",
              "name": "ajcody2@mail3.internal.domain.com",
              "id": "88fd808e-a526-419d-9eda-ad50100d23b6",
              "permissions": "rwidx",
              "args": null
            },
            {
              "type": "usr",
              "name": "admin@mail3.internal.domain.com",
              "id": "5ab13330-2e9b-4a45-9b30-de2c70858265",
              "permissions": "rwidx",
              "args": null
            }
          ],
          "children": [
            {
              "id": "422",
              "name": "Share1-1",
              "path": "/Share/Share1/Share1-1",
              "parentId": "421",
              "flags": null,
              "color": "defaultColor",
              "unreadCount": 0,
              "messageCount": 0,
              "view": "message",
              "url": null,
              "effectivePermissions": null
            }
          ]
        },
        {
          "id": "423",
          "name": "Share2",
          "path": "/Share/Share2",
          "parentId": "420",
          "flags": null,
          "color": "defaultColor",
          "unreadCount": 0,
          "messageCount": 0,
          "view": "message",
          "url": null,
          "effectivePermissions": null,
          "children": [
            {
              "id": "424",
              "name": "Share2-1",
              "path": "/Share/Share2/Share2-1",
              "parentId": "423",
              "flags": null,
              "color": "defaultColor",
              "unreadCount": 0,
              "messageCount": 0,
              "view": "message",
              "url": null,
              "effectivePermissions": null
            }
### CUT HERE ###
  ]
}
RFE I filed for zmmailbox to have options for this and "recursive".
- "zmmailbox folder should have option to remove ALL shares & recursive option"
Here's a script I wrote. Remove the echo statements to actually run the commands.
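#!/bin/bash
# Prints (or, with the echo statements removed, runs) the mfg commands
# that set every grant on $SHARE to "none".
USER="ajcody@mail3.internal.domain.com"
SHARE="/Shared"
GETPERM="zmmailbox -z -m $USER gfg $SHARE"
MODPERM="zmmailbox -z -m $USER mfg $SHARE"
DUMBPASS="34lkoso"    # password argument passed along with guest grants
NEWPERM=none

# gfg prints "Permissions Type Display"; keep only the Type and Display columns.
$GETPERM | egrep -i 'all|guest|public|accoun|domain|group' | gawk '{print $2 " " $3}' | while read SHAREPERM
do
    TYPE=`echo $SHAREPERM|awk '{print $1}'`
    DISPLAY=`echo $SHAREPERM|awk '{print $2}'`
    case $TYPE in
        accoun)    # gfg shows the account type as "accoun"; mfg wants "account"
            echo $MODPERM account $DISPLAY $NEWPERM
            ;;
        guest)
            echo $MODPERM $TYPE $DISPLAY $DUMBPASS $NEWPERM
            ;;
        all)       # no Display value for this type
            echo $MODPERM $TYPE $NEWPERM
            ;;
        *)
            echo $MODPERM $SHAREPERM $NEWPERM
            ;;
    esac
done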
Output of an example:
[zimbra@mail3 ~]$ zmmailbox -z -m ajcody@mail3.internal.domain.com gfg /Shared
Permissions      Type  Display
-----------    ------  -------
          r       all
          r     guest  ajcody@domain.com
          r    accoun  admin@mail3.internal.domain.com
          r     group  mydl@mail3.internal.domain.com
          r    domain  mail3.internal.domain.com

[zimbra@mail3 ~]$ /tmp/remove-share.sh
zmmailbox -z -m ajcody@mail3.internal.domain.com mfg /Shared all none
zmmailbox -z -m ajcody@mail3.internal.domain.com mfg /Shared guest ajcody@domain.com none
zmmailbox -z -m ajcody@mail3.internal.domain.com mfg /Shared account admin@mail3.internal.domain.com none
zmmailbox -z -m ajcody@mail3.internal.domain.com mfg /Shared group mydl@mail3.internal.domain.com none
zmmailbox -z -m ajcody@mail3.internal.domain.com mfg /Shared domain mail3.internal.domain.com none
I then removed the echo statements:
[zimbra@mail3 ~]$ vi /tmp/remove-share.sh
[zimbra@mail3 ~]$ /tmp/remove-share.sh
[zimbra@mail3 ~]$ zmmailbox -z -m ajcody@mail3.internal.domain.com gfg /Shared
Permissions      Type  Display
-----------    ------  -------

[zimbra@mail3 ~]$
- I've yet to test these against all items (resources) listed in bug 25740 and work as expected.
To see current perms
zmmailbox -z -m faxfinder@example.com gfg /Inbox
To modify perms:
- r = read
- w = write
- i = insert
- d = delete
- x = accept/decline invites
- a = administer
zmmailbox -z -m faxfinder@example.com mfg /Inbox account user@example.com rwidx
To confirm perms are set:
zmmailbox -z -m faxfinder@example.com gfg /Inbox
To mount "folder" into a user account that was given permission:
zmmailbox -z -m user@example.com cm --view message "/Incoming_Faxes" faxfinder@example.com /Inbox
To confirm folder is mounted:
zmmailbox -z -m user@example.com gaf
For additional notes/options see:
zmmailbox help folder
For mfg it shows it can take the below as a target:
- account {name}
- group {name} *This could be a DL?*
- domain {name}
- all
- public
- guest
Scripting note to do this with multiple users:
- zmmailbox cm could use zmprov gaa to provide a list of all accounts; this would include system and archive (if they exist) accounts, though.
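Before changing grants it helps to see which ones reach beyond named users. The following is an added example, not part of the original page: it classifies gfg output by grantee type and by the permission letters listed above. The HIGH/REVIEW/OK labels, the function names and the sample table are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original page): triage `zmmailbox gfg` output.

# Constructed sample, using the Permissions / Type / Display layout shown on this page.
sample_gfg() {
  cat <<'EOF'
Permissions      Type  Display
-----------    ------  -------
          r       all
          r     guest  ajcody@domain.com
      rwidx    accoun  admin@mail3.internal.domain.com
          r     group  mydl@mail3.internal.domain.com
        rwx    domain  mail3.internal.domain.com
EOF
}

# classify_grants: read gfg output on stdin, print one line per grant:
#   <LEVEL> <type> <grantee> <permissions>
# LEVEL is a label invented for this example, not a Zimbra concept:
#   HIGH   - broad grantee (all/public/guest/domain) holding w, i, d or a
#   REVIEW - broad grantee without any of those rights
#   OK     - named account or group
classify_grants() {
  awk '
    NR <= 2 || NF < 2 { next }               # header, dashes, blank lines
    {
      perms = $1
      gtype = $2
      who = (NF >= 3) ? $3 : "-"             # "all" has no Display value
      broad = (gtype == "all" || gtype == "public" || gtype == "guest" || gtype == "domain")
      level = "OK"
      if (broad) level = (perms ~ /[wida]/) ? "HIGH" : "REVIEW"
      print level, gtype, who, perms
    }'
}

# count_level LEVEL: number of grants on stdin that classify as LEVEL.
count_level() {
  classify_grants | awk -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# Stand-alone run against the sample. On a server, pipe in the real command:
#   zmmailbox -z -m faxfinder@example.com gfg /Inbox | classify_grants
sample_gfg | classify_grants
```

Grants reported as HIGH or REVIEW are the ones to confirm with the folder owner before using mfg to set them to none.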
How To Turn Off Sharing
You can enable / disable sharing from admin console:
- Admin console --> class of service --> select the CoS (eg default) --> features --> general features --> check/uncheck 'Sharing' option
Alternatively, set the following CoS attribute to either 'TRUE' or 'FALSE' from the command line: zimbraFeatureSharingEnabled
Search For Messages And Then Delete Them
Here are some examples that grab the message IDs from a search and then put them in a variable to use for the delete command.
Other reference: King0770-Notes#Removing_Messages_with_Zmmailbox_based_on_the_Subject
First - Default Search Returns Only 25 Results
From zmmailbox [help search] & zmmailboxsearch
--limit (optional) -l Sets the limit for the number of results returned. The default is 25.
Example Search With To Field
[zimbra@mail3 ~]$ zmmailbox -z -m ajcody@mail3.internal.DOMAIN.com s -t message "To: Adam"
num: 4, more: false

     Id  Type   From                  Subject                                             Date
   ----  ----   --------------------  --------------------------------------------------  --------------
1.  269  mess   Adam                  Re: 8-7-08 11:37 AM to both outside accounts        08/07/08 11:57
2.  268  mess   Adam                  Re: 8-7-08 11:37 AM to both outside accounts        08/07/08 11:39
3.  266  mess   Adam                  Re: 8-7-08 11:37 AM to both outside accounts        08/07/08 11:38
4.  263  mess   Adam                  Re: test on 8-7-08 to zimbra account                08/07/08 11:37

[zimbra@mail3 ~]$ zmmailbox -z -m ajcody@mail3.internal.DOMAIN.com s -t message "To: Adam" |awk '{ if (NR!=1) {print}}'| grep mess | awk '{ print $2 "," }' | tr -d '\n'
269,268,266,263,
[zimbra@mail3 ~]$ message=`zmmailbox -z -m ajcody@mail3.internal.DOMAIN.com s -t message "To: Adam" |awk '{ if (NR!=1) {print}}'| grep mess | awk '{ print $2 "," }' | tr -d '\n'`
[zimbra@mail3 ~]$ zmmailbox -z -m ajcody@mail3.internal.DOMAIN.com dm `echo $message`
[zimbra@mail3 ~]$ zmmailbox -z -m ajcody@mail3.internal.DOMAIN.com s -t message "To: Adam"
num: 0, more: false
Example Search With From Field
[zimbra@mail3 ~]$ zmmailbox -z -m ajcody@mail3.internal.DOMAIN.com s -t message "From: Adam"
num: 8, more: false

     Id  Type   From                  Subject                                             Date
   ----  ----   --------------------  --------------------------------------------------  --------------
1.  464  mess   Adam                  test 3                                              10/02/08 11:43
2.  463  mess   Adam                  test 2                                              10/02/08 11:43
3.  462  mess   Adam                  test 1                                              10/02/08 11:43
4.  461  mess   Adam                  test                                                09/29/08 16:18
5.  460  mess   Adam                  test for mailbox log                                09/29/08 16:17
6.  265  mess   Adam                  8-7-08 11:37 AM to both outside accounts            08/07/08 11:38
7.  261  mess   Adam                  test on 8-7-08 to zimbra account                    08/07/08 11:36
8.  257  mess   Adam                  test from zimbra on 8-7-08                          08/07/08 11:27

[zimbra@mail3 ~]$ zmmailbox -z -m ajcody@mail3.internal.DOMAIN.com s -t message "From: Adam" |awk '{ if (NR!=1) {print}}'| grep mess | awk '{ print $2 "," }' | tr -d '\n'
464,463,462,461,460,265,261,257,
[zimbra@mail3 ~]$ message=`zmmailbox -z -m ajcody@mail3.internal.DOMAIN.com s -t message "From: Adam" |awk '{ if (NR!=1) {print}}'| grep mess | awk '{ print $2 "," }' | tr -d '\n'`
[zimbra@mail3 ~]$ echo $message
464,463,462,461,460,265,261,257,
[zimbra@mail3 ~]$ zmmailbox -z -m ajcody@mail3.internal.DOMAIN.com dm `echo $message`
[zimbra@mail3 ~]$ zmmailbox -z -m ajcody@mail3.internal.DOMAIN.com s -t message "From: Adam"
num: 0, more: false
[zimbra@mail3 ~]$
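The pipelines above leave a trailing comma, match "mess" anywhere on a line, and never look at the more: flag, which matters because of the default limit of 25. The following is an added example, not from the original page, that picks IDs by column position and reports when a search stopped at the limit; the sample output is constructed and the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical.

# Constructed sample of zmmailbox search output in the layout shown above.
# The "conv" row stands in for what a search without "-t message" can return.
sample_search() {
  cat <<'EOF'
num: 5, more: true

     Id  Type   From    Subject                                  Date
   ----  ----   ------  ---------------------------------------  --------------
1.  269  mess   Adam    Re: 8-7-08 11:37 AM to both accounts     08/07/08 11:57
2.  268  mess   Adam    Re: 8-7-08 11:37 AM to both accounts     08/07/08 11:39
3.  412  conv   Adam    message thread                           08/07/08 11:38
4.  266  mess   Adam    Re: test                                 08/07/08 11:38
5.  263  mess   Adam    Re: test on 8-7-08 to zimbra account     08/07/08 11:37
EOF
}

# search_ids: comma-separated message IDs, no trailing comma.
# A row counts only if it is "<n>. <numeric id> mess ...", so a "conv" row
# whose subject contains "mess" is not picked up the way "grep mess" would.
search_ids() {
  awk '$1 ~ /^[0-9]+\.$/ && $2 ~ /^[0-9]+$/ && $3 == "mess" {
         printf "%s%s", sep, $2
         sep = ","
       }
       END { if (sep != "") print "" }'
}

# search_has_more: exit 0 when the header says "more: true", meaning the
# result list stopped at the limit (25 by default) and more matches remain.
search_has_more() {
  awk '/^num: [0-9]+, more: true/ { found = 1 } END { exit (found ? 0 : 1) }'
}

# build_dm MAILBOX: print the dm command for review instead of running it.
# Returns 1 and prints nothing when the search matched no messages.
build_dm() {
  ids=$(search_ids)
  [ -n "$ids" ] || return 1
  printf 'zmmailbox -z -m %s dm %s\n' "$1" "$ids"
}

# Stand-alone run against the sample; user@example.com is a placeholder mailbox.
out=$(sample_search)
printf '%s\n' "$out" | build_dm user@example.com
if printf '%s\n' "$out" | search_has_more; then
  echo "more: true - repeat the search after deleting, or raise --limit"
fi
```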
Export & Import Of Users Data In TGZ Format
Please see Ajcody-Migration-Notes#ZCS_User_to_Another_ZCS_Server_-_With_Rest_.26_TGZ
Seeing What & Where Of A Message ID
If you need to figure out what the actual email/message is from a logging event.
For example, log shows:
2009-03-03 22:04:58,969 INFO [btpool0-5532] [name=USER@DOMAIN.com;mid=8;ip=10.0.0.1;ua=ZimbraWebClient - IE6 (Win)/5.0.11_GA_2695.UBUNTU8_64;] mailop - moving Message (id=10955) to Folder Trash (id=3)
To see the details of the message, do the following:
zmmailbox -z -m USER@DOMAIN gm 10955
Id: 10955
Conversation-Id: 11155
Folder: /Trash
Subject: FW: How are you doing?
From: User External <USER@DOMAIN.com>
To: <USER@DOMAIN.com>
...etc...
Managing Legal Requests for Information
Description:
- The ZCS legal intercept feature is used to obtain copies of email messages that are sent, received, or saved as drafts from targeted accounts and send these messages to a designated “shadow” email address. Legal Intercept can be configured to send the complete content of the message or to send only the header information. When a targeted account sends, receives, or saves a draft message, an intercept message is automatically created to forward copies of the messages as attachments to the specified email address.
Please see:
Persona, Identities, Send As, Send On Behalf Of Issues
CLI Commands To Manage Persona, Identities, External Account
The following should provide you with the necessary commands to manage these user configurations:
zmprov help command| egrep -i 'data|identity'
  createDataSource(cds) {name@domain} {ds-type} {ds-name} [attr1 value1 [attr2 value2...]]
  createIdentity(cid) {name@domain} {identity-name} [attr1 value1 [attr2 value2...]]
  deleteDataSource(dds) {name@domain|id} {ds-name|ds-id}
  deleteIdentity(did) {name@domain|id} {identity-name}
  getDataSources(gds) {name@domain|id} [arg1 [arg2...]]
  modifyDataSource(mds) {name@domain|id} {ds-name|ds-id} [attr1 value1 [attr2 value2...]]
  modifyIdentity(mid) {name@domain|id} {identity-name} [attr1 value1 [attr2 value2...]]
Bugs And RFE's To Look At
- "support sendAs right on server (as opposed to on-behalf-of)"
- http://bugzilla.zimbra.com/show_bug.cgi?id=22819
- "Composer should allow user to send message as self if replying on-behalf-of"
- "Implement "sendAs" rights for user accounts"
- http://bugzilla.zimbra.com/show_bug.cgi?id=22819
- "send on behalf of for delegate access for ZWC"
- "save copy of send-as message to sent-as user's Sent folder"
- "reply to message in shared subfolder doesn't follow typical on behalf of behavior"
Persona Setup With Send As Rights Rather Than On Behalf Of
- This was tested against ZCS 6.0.8p1.
- First, created a test user account:
  - ajcody@rr608.zimbra.DOMAIN.com
    - In the admin web console, under the user's preferences tab:
      - Sending Mail > checked: "Allow sending email from any address"
        - Note, this could be set up in a COS as well, and then assign the users you want to that COS.
- If you're only using a DL for the mail traffic, you would:
  - Create a new DL:
    - persona-dl@rr608.zimbra.DOMAIN.com
      - checked "Can receive email"
      - Added a user/s to the DL:
        - ajcody@rr608.zimbra.DOMAIN.com
- Now, once that is done, we can set up the persona for our "test user" - ajcody. Log in as the test user.
  - Create a folder called "Persona DL" and then a filter rule to move all emails with persona-dl@rr608.zimbra.DOMAIN.com to the "Persona DL" folder.
    - Under the user's preferences, Mail > Accounts > Add Persona button:
      - Persona Name: Persona DL
        - From: Persona DL # persona-dl@rr608.zimbra.DOMAIN.com
        - Reply-To: Persona DL # persona-dl@rr608.zimbra.DOMAIN.com
        - Use this persona:
          - check "when replying or forwarding messages sent to": Persona DL # persona-dl@rr608.zimbra.DOMAIN.com
          - check "when replying or forwarding messages in folder(s)": Persona DL
- This was tested against ZCS 6.0.8p1.
- First, created a test user account:
  - ajcody@rr608.zimbra.DOMAIN.com
    - In the admin web console, under the user's preferences tab:
      - Sending Mail > checked: "Allow sending email from any address"
        - Note, this could be set up in a COS as well, and then assign the users you want to that COS.
- If I was only using a "shared mailbox" for the mail traffic, I would:
  - First create a DL that will have the user accounts you want to share this 'new' mailbox [Inbox]:
    - Create a new DL:
      - persona-share@rr608.zimbra.DOMAIN.com
        - checked "Can receive email"
        - Added a user to the DL:
          - ajcody@rr608.zimbra.DOMAIN.com
  - Then create a new account/mailbox that others will share:
    - persona-source@rr608.zimbra.DOMAIN.com
      - From the 'admin console', do "View Mail" on the new account
        - Share the Inbox to the DL: persona-share@rr608.zimbra.DOMAIN.com w/ Manager or Admin Rights
  - Log back into the 'test user' account - ajcody@rr608.zimbra.DOMAIN.com
    - Accept the share and confirm you see the "Inbox" from the "persona-source" account.
      - Then, under the user's preferences, Mail > Accounts > Add Persona button:
        - Persona Name: Persona Source
          - From: Persona Source # persona-source@rr608.zimbra.DOMAIN.com
          - Reply-To: Persona Source # persona-source@rr608.zimbra.DOMAIN.com
          - Use this persona:
            - check "when replying or forwarding messages sent to": persona-source@rr608.zimbra.DOMAIN.com
            - check "when replying or forwarding messages in folder(s)": Persona Source's Inbox
Sieve Rules
Administrating Rules For Users - CLI
Please see King0770-Notes-Sieve_Rules_By_Proxy