Koozali.org: home of the SME Server

disable group

Offline akanarya

disable group
« on: June 23, 2023, 09:36:03 AM »
I have been using sme server for a long time since ver 6, but this is my first time in the forum.
First of all thanks all for your precious efforts.

I want to disable a particular group I created (Collaboration>Groups) temporarily.
I want to enable it whenever I need it.
Is there a way to do this?
Thanks

Offline mmccarn

Re: disable group
« Reply #1 on: June 23, 2023, 01:11:25 PM »
So many questions... Some of which might point to a different or better way to do this...

Remove Group Members
Code:
# 1. Identify the group to act on
export GROUP=mygroup

# 2. Save the member list (so we can get it back later...)
db accounts setprop "$GROUP" MembersSave "$(db accounts getprop "$GROUP" Members)"

# 3. Clear the member list (that's two single quotes at the end...)
db accounts setprop "$GROUP" Members ''

# 4. Implement changes
signal-event group-modify "$GROUP"


Restore Group Members
Code:
# 1. Identify the group to act on
export GROUP=mygroup

# 2a. Verify that the members in the saved list still exist (see below)

# 2b. Restore Members (they must have been saved as shown above)
db accounts setprop "$GROUP" Members "$(db accounts getprop "$GROUP" MembersSave)"

# 3. Implement changes
signal-event group-modify "$GROUP"


I don't know what happens if you add a missing user to a group 'Members' value. Having non-existent users in that field does not cause errors when reconfiguring the group, but over time it might cause unknown problems.

This code is ugly and untested, but something like this could be used to verify that the users in "MembersSave" still exist before restoring them...

Alternate Option to Restore Only Existing Group Members
Code:
# set the group to act on
export GROUP=mygroup

# * get the saved member list from MembersSave (db accounts getprop "$GROUP" MembersSave)
# * convert it into a list (| tr "," "\n")
# * step through the list (| while read -r u; do ... done)
#    * test each entry (db accounts getprop "$u" Uid >/dev/null 2>&1)
#    * output existing entries followed by a comma (&& printf '%s,' "$u")
# * remove the extra comma from the end (| sed 's/,$//')
export MEMBERS="$(db accounts getprop "$GROUP" MembersSave | tr "," "\n" | while read -r u; do db accounts getprop "$u" Uid >/dev/null 2>&1 && printf '%s,' "$u"; done | sed 's/,$//')"

# set Members for $GROUP using the filtered list from the previous command
db accounts setprop "$GROUP" Members "$MEMBERS"

# effect the changes
signal-event group-modify "$GROUP"
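
The save, clear and restore steps from the post above as two guarded functions, added here as an example and not part of the original post: running the disable step twice would otherwise overwrite MembersSave with the empty list. The function names are hypothetical; `db` and `signal-event` are the SME Server commands the post uses, and `db accounts delprop` is assumed to be available alongside them.

```shell
# Added example, not from the thread. group_disable, group_enable and
# apply_group_change are hypothetical names; db and signal-event are the
# SME Server commands used in the post above.

apply_group_change() { signal-event group-modify "$1"; }

group_disable() {
    group=$1
    current=$(db accounts getprop "$group" Members) || current=
    saved=$(db accounts getprop "$group" MembersSave) || saved=
    # Members empty and a saved list present means the group is already
    # disabled; saving again would replace the saved list with nothing.
    if [ -z "$current" ] && [ -n "$saved" ]; then
        echo "$group is already disabled; MembersSave left untouched" >&2
        return 0
    fi
    db accounts setprop "$group" MembersSave "$current"
    db accounts setprop "$group" Members ''
    apply_group_change "$group"
}

group_enable() {
    group=$1
    saved=$(db accounts getprop "$group" MembersSave) || saved=
    if [ -z "$saved" ]; then
        echo "no saved member list for $group; nothing restored" >&2
        return 1
    fi
    # Keep only the saved members that still have an account with a Uid.
    keep=
    old_ifs=$IFS
    IFS=,
    for u in $saved; do
        if db accounts getprop "$u" Uid >/dev/null 2>&1; then
            keep=${keep:+$keep,}$u
        fi
    done
    IFS=$old_ifs
    db accounts setprop "$group" Members "$keep"
    db accounts delprop "$group" MembersSave
    apply_group_change "$group"
}
```

Removing MembersSave after a restore is what lets `group_disable` tell a disabled group apart from one that simply has no members.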

Offline akanarya

Re: disable group
« Reply #2 on: June 23, 2023, 02:06:19 PM »
Thanks for the comment.
It looks like there is no simple command to disable a group.
I may use your suggestion but I think usage of phpldapadmin interface can also be convenient to remove and add the members if it is the only way.

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: disable group
« Reply #3 on: June 24, 2023, 04:53:10 AM »
ldap has only a copy of the group content.
original is in the e-smith accounts flat file which is synced to both /etc/groups and ldap db
phpldapadmin will do nothing good there.
there is no way to disable a group.

Offline mmccarn

Re: disable group
« Reply #4 on: June 24, 2023, 02:38:48 PM »
... usage of phpldapadmin ...

If your objective is to edit membership in an LDAP group, maybe you could do this:
- Create a group 'groupmembers'
- Create a group 'group', whose only member is the group 'groupmembers'
- add users to 'groupmembers' (NOT 'group')

Now, to disable the group in phpldapadmin:
- delete 'groupmembers' from 'group'

And to re-enable:
- add 'groupmembers' back to 'group'

(Note: I don't use ldap on SME, so I have no idea if this concept will work...)

Offline Jean-Philippe Pialasse

Re: disable group
« Reply #5 on: June 26, 2023, 01:14:38 AM »
as explained earlier it will not work for SME maintained groups as it will be overwritten by e-smith accounts content.

Offline ReetP

Re: disable group
« Reply #6 on: June 26, 2023, 01:22:35 AM »
As JP said really don't use phpldapadmin unless

1. You are just looking at how LDAP works

2. You are testing something

3. You are suicidally inclined

It won't fix anything as it is essentially a copy of the esmith dbs and if you break that sync you are in big trouble.

As to the original question I'm not aware of an easy way to do this.

Can the OP advise why it is necessary?

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline akanarya

Re: disable group
« Reply #7 on: June 26, 2023, 04:38:31 PM »
First, our SME server just serves as a mail server.
We don't use it for any file sharing etc. purpose.

After a particular version, I don't remember which one, everyone@ group is removed from the distribution.
After that I found a solution to add all members to a group (general@) for general announcement messages that interest everyone.

Now there is a request from management that general announcement messages should be delivered according to management
approval. Therefore I can easily disable/enable these messages after I got the approval from our management. This is the point.



Offline ReetP

Re: disable group
« Reply #8 on: June 26, 2023, 04:56:13 PM »
general announcement messages that interest everyone.

A mailing list will be much better for this IMHO.

Quote
Now there is a request from management that general announcement messages should be delivered according to management
approval. Therefore I can easily disable/enable these messages after I got the approval from our management. This is the point.

Absolutely use a mailing list.

You can probably script a bit of code to read your users and add them to the list etc etc.

https://wiki.koozali.org/Ezmlm-www

Or drop phplist in an ibay.


Offline mmccarn

Re: disable group
« Reply #9 on: June 28, 2023, 02:44:33 PM »
A mailing list could be configured to allow new emails only from list managers, which sounds like what you want.

Any other solution is going to require you to do something manually to enable and disable the group.

If you have a script that creates the group and adds existing users, you could simply delete the group when it's not in use and run the script to create it when it's needed.

In case you're a fan of Rube Goldberg:

- Create a gmail address, then configure 'rules' on that mailbox to forward anything from approved managers to your staff.  New Users must be added to the rule, and departed users must be deleted.

- Do something similar on the SME itself: create an actual user (instead of a group), then use mail rules to forward email from managers to active staff

- Teach your managers how to create groups in their address book, and have them manage who gets the emails.  Use "to:" the HR person and "bcc:" the group from the address book

- Keep the active user list in a google sheet, and create a hyperlink in that sheet to start an email that bcc's all of the active users.  Share the sheet with managers.  (this requires google sheets instead of excel due to the 254 character limit on formula length in excel...). Here is an example google sheet showing what I mean: Google Sheet Mailing List Example



Offline Jean-Philippe Pialasse

Re: disable group
« Reply #10 on: June 28, 2023, 04:53:53 PM »
everyone is in fact an alias to the shared group, and this has never been removed.

You can only send email to this group from inside the infrastructure, meaning that sending from an email not managed by the server, or from a tier smtp even if the from is an email managed by your server, will be rejected.

The only task will be to keep it in sync with your userbase. This could be manual or scripted.
A mailing list could also allow you to send to external emails if needed.

However, your need is indeed toward a mailing list system.
Choose your fit: ezmlm, mailman or phplist each have a contrib available, making it easier for you. Indeed, relying on the forward function of the accounts option will be more and more buggy in the future due to DKIM/DMARC/SPF.


In theory, if you do want to prevent members of the group from sending to shared, this could be done at the dot-qmail file level using an external program checking the sender.

Also, in theory, a plugin at the level of qpsmtpd could check for allowed senders per recipient, but such a plugin does not exist yet.

Final point: having the full story helps. As you do not really want to disable the group but prevent the sending to the group, you could also add this group to the qpsmtpd badrcptto… and remove it when needed. This could be done with a simple custom template fragment.
This might be the least demanding job of all the suggestions!
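
One way to write the "external program checking the sender" mentioned in the reply above, as an added example that is not from the thread or from SME Server. The allow-list path and function names are hypothetical; it relies on qmail exporting the envelope sender as `$SENDER` to programs run from a .qmail file and treating exit code 100 as a permanent failure.

```shell
# Added example: envelope-sender gate for a program line in a .qmail file.
# ALLOWED_SENDERS and the function names are hypothetical.
ALLOWED_SENDERS=${ALLOWED_SENDERS:-/etc/general-senders}  # constructed path

sender_allowed() {
    # $1 = envelope sender, $2 = file with one approved address per line
    sender=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$sender" ] || return 1    # null sender (bounces) is never approved
    [ -r "$2" ] || return 1         # unreadable list: fail closed
    while IFS= read -r line || [ -n "$line" ]; do
        # Normalise case, strip blanks and CRs, skip comments and empty lines.
        line=$(printf '%s' "$line" | tr 'A-Z' 'a-z' | tr -d ' \t\r')
        case $line in
            ''|'#'*) continue ;;
        esac
        if [ "$line" = "$sender" ]; then
            return 0
        fi
    done < "$2"
    return 1
}

qmail_gate() {
    # Exit codes as qmail interprets them for .qmail programs:
    #   0   = success, continue with the following .qmail lines
    #   100 = permanent failure, the message bounces
    if sender_allowed "${SENDER-}" "$ALLOWED_SENDERS"; then
        return 0
    fi
    echo "Sorry, ${SENDER-} is not approved to post to this address."
    return 100
}

# In the script called from the .qmail file, before the delivery lines:
#   qmail_gate; exit $?
```

`$SENDER` is the envelope sender, which the submitting client chooses, so this gate stops accidental posts rather than authenticating the poster.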

Offline akanarya

Re: disable group
« Reply #11 on: June 28, 2023, 09:59:47 PM »
Thanks for the suggestions.
I see that there is no simple way as we do in the users section.
I dreamed that a basic "setprop"-like command would do the trick, but no way, I guess.
I am on vacation now, I will evaluate which one of your recommendations suits me more.
In fact I had given a try to mailman for maillist before asking, but I couldn't find it as a good way for our user portfolio.
I may try it again with ezmlm.