martin: doc/architecture client_server.sgml, 1.8, 1.9 concept.sgml, 1.9, 1.10 server.sgml, 1.4, 1.5

cvs at intevation.de
Wed Mar 17 14:07:52 CET 2004


Author: martin

Update of /kolabrepository/doc/architecture
In directory doto:/tmp/cvs-serv22958

Modified Files:
	client_server.sgml concept.sgml server.sgml 
Log Message:
Martin K.: Added more stuff and fixed errors from importing the backup


Index: client_server.sgml
===================================================================
RCS file: /kolabrepository/doc/architecture/client_server.sgml,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -r1.8 -r1.9
--- client_server.sgml	17 Mar 2004 09:57:04 -0000	1.8
+++ client_server.sgml	17 Mar 2004 13:07:49 -0000	1.9
@@ -231,17 +231,32 @@
 freebusy list is regenerated and published.
 </para>
 <para>
-For resource and group accounts it is possble to configure the behaviour in case of a conflict. We only implement the following cases.
-This behaviour is configurable in the LDAP directory.
-<orderedlist>
+For resource and group accounts it is possble to configure the behaviour in case of a conflict. We only implement the following foure 
+cases for any automatic account. This behaviour is configurable in the LDAP directory.
+
+<itemizedlist mark='bullet'>
 <listitem>
-always accept (no conflict detection)
+<para>
+ignore conflicts, accept if sender is in allow list, queue if sender is not in allow list
+</para>
 </listitem>
 <listitem>
-accept if no conflict, reject immediately otherwise
+<para>
+ignore conflicts, accept if sender is in allow list, reject if sender is not in allow list
+</para>
 </listitem>
-</orderedlist>
-
+<listitem>
+<para>
+detect conflict and reject or accept immediately if no conflict
+</para>
+<para>
+detect conflict and queue or accept immediately if no conflict
+</para>
+</listitem>
+</itemizedlist>
+</para>
+<para>
+The sender is always informed via traditional accept and reject invitation messages equivalent to normal non automatic invitations.
 </para>
 <para>
 The adminstrating access to the automatic account is controlled analogous to all other accounts with access control lists. This means access
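Review bot: the text promises "the following foure cases" but the `<itemizedlist>` has only three `<listitem>`s; the third item carries both "detect conflict and reject or accept immediately if no conflict" and "detect conflict and queue or accept immediately if no conflict" as two `<para>`s, so the rendered list shows three bullets for four policies. Split it into two `<listitem>`s. On substance, the allow list is the only authorization step described for the two "ignore conflicts" modes, yet the hunk never says what "sender" means here (envelope sender, From: header, or the iTIP organizer) or whether that identity is verified before the list is consulted; since the booking decision rests on it, state it. "The sender is always informed via traditional accept and reject invitation messages" also leaves open what, if anything, is sent in the two queue cases. Spelling in the added lines: "possble", "foure".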
@@ -252,20 +267,22 @@
 The implementation of the webclient and the automatic handling of invitations is handled in such a way that this web component can but is not required to run on the primary Kolab server. From the point of view of the Kolab server the automatic account is implemented with just another Kolab client. This allows for clean and secure seperation while keeping scalability.
 </para>
 <para>
-An automatic booking of a resource or the publishing of a meeting to a group is simply done by adding the corresponding account to the list of invitations e.g. <Audi.A4 at kolab.erfrakon.de> or <marketing at kolab.erfrakon.de>.
+An automatic booking of a resource or the publishing of a meeting to a group is simply done by adding the corresponding account to the list of invitations e.g. <email>Audi.A4 at kolab.erfrakon.de</email> or <email>marketing at kolab.erfrakon.de</email>.
 </para>
 </sect1>
 
 <sect1><title>Extended Freebusy lists</title>
-<para>A server process based on the webclient php code extracts all information from the calendar folder of
+<para>A server process based on the webclient extracts all information from the calendar folder of
 predefined accounts and aggregates them in extended freebusy list on demand. Extended freebusy lists are syntactically equivalent to 
 traditional freebusy list but on one hand aggregate the calendar data of multiple accounts and on the other hand prepend the subject of the individual entries with the username followed with the original subject while honouring the private flag.
+The webclient talks to the Cyrus IMAP server with the credentials of the user.
 </para>
 <para>
-The individual account must allow the extended freebusy list user (called <extended.freebusy at kolab.erfrakon.de>) access to its calendar folder.
+The individual account must allow the extended freebusy list user access to its calendar folder otherwise the calendar folder of this user is simply skipped.
 </para>
 <para>
-The server process generates a html gantt with a row for each individual user and an aggregated row with the summed up freebusy times.
+The server process generates a html gantt chart with a row for each individual user and an aggregated row with the summed up freebusy times.
+We reuse the gantt code from the Taskjuggler project.
 </para>
 </sect1>
 
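Review bot: "The webclient talks to the Cyrus IMAP server with the credentials of the user" is ambiguous in the Extended Freebusy section: the process reads the calendar folders of several predefined accounts, and the next paragraph says each account must grant access to "the extended freebusy list user", so the process presumably authenticates as that dedicated identity rather than as the person requesting the list. Say which it is. The previous revision named that identity (`extended.freebusy at kolab.erfrakon.de`) and this one drops the name; since the same hunk stresses that the web component may run on a host other than the Kolab server, state where that identity's credentials are stored and how they are protected. Finally, "otherwise the calendar folder of this user is simply skipped" means a missing grant silently yields an incomplete aggregate; consider requiring that skipped accounts are logged or marked in the output so an empty row is not read as a free calendar.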
@@ -292,24 +309,29 @@
 </sect1>
 
 <sect1><title> Management of Shared Resources </title>
+
 <para>The Kolab server assigns a dedicated IMAP identity to every shared 
 resource. These identities do not
 differ technically from real users. Reserving a car or a room for example is 
-just arranging
-a meeting with the shared resource's assigned IMAP user.
-Two modes of operation are supported:</para>
-<para> manual mode: a real user monitors a shared resources mailbox
-in 
+just arranging a meeting with the shared resource's assigned IMAP user.
+Two modes of operation are supported:
+</para>
 
-addition to
-his own mailbox and accepts or declines events on behalf of the shared resource 
-</para></listitem>
+<orderedlist>
+<listitem>
+<para> 
+manual mode: a real user monitors a shared resources mailbox
+in addition to his own mailbox and accepts or declines events on behalf of the shared resource.
+</para>
+</listitem>
 <listitem><para> automatic mode: via Sieve scripting the resource mailbox is 
 monitored;
 the scripting takes care of automatically publishing it's free-busy list and 
 accepts or declines
-events on the basis of availability of the resource </para></listitem>
+events on the basis of availability of the resource 
+</para></listitem>
 </orderedlist>
+
 </sect1>
 
 <sect1><title>Access Control and Multiple Identities</title>
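Review bot: the "automatic mode" item says the resource mailbox is monitored "via Sieve scripting" and that the scripting publishes the free-busy list and accepts or declines events, but the Automatic account section earlier in this same file describes automatic handling as a web component acting as "just another Kolab client" with four LDAP-configurable conflict policies. One of the two descriptions is stale; either align them or state that Sieve only files the mail and the web component takes the decision. Grammar in the changed lines: "a shared resources mailbox" should be "a shared resource's mailbox", and the unchanged "it's free-busy list" should read "its".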
@@ -321,22 +343,32 @@
 named users or groups. In addition the user may use local distribution lists or 
 central distribution lists instead of plain users as the entities to grant access permissions.
 </para>
+
 <para>
-<orderedlist>
-Local distribution list
-<listitem><para>A special kind of contact in the contact folder consisting of a concrete 
+<variablelist><title>Local distribution list</title>
+<varlistentry><term><filename>Personal distribution list</filename></term>
+<listitem>
+<para>
+A special kind of contact in the contact folder consisting of a concrete 
 list of named users. This feature is already built into Outlook but needs to be implemented 
 in the KDE Kontact client in a compatible manner. Kontact uses references to unique contact entries
 in the contact folders.
-</para></listitem>
-
-Central distribution list
-<listitem><para>
+</para>
+</listitem>
+</varlistentry>
+<varlistentry><term>Central distribution list</term>
+<listitem>
+<para>
 Kolab maintains central distribution list with GroupOfNames LDAP objects.
-        
-        http://www.alvestrand.no/objectid/2.5.6.9.html
+see also http://www.alvestrand.no/objectid/2.5.6.9.html</para>
+</listitem>
+</varlistentry>
+</variablelist>
 </para>
+
 <para>
+<programlisting>
+<![CDATA[
 groupOfNames OBJECT-CLASS ::= {
         SUBCLASS OF { top }
         MUST CONTAIN { commonName | member }
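Review bot: the `<variablelist>` is titled "Local distribution list" but holds both the "Personal distribution list" and the "Central distribution list" entries; retitle it (for example "Distribution lists") and drop the `<filename>` wrapper around the first `<term>`, which marks a concept as a file name and is not used on the second term. The bare `see also http://www.alvestrand.no/objectid/2.5.6.9.html` should be a `<ulink url="...">` so it renders as a link. On substance: because the section allows access permissions to be granted to a central list, anyone allowed to edit the `member` attribute of the GroupOfNames object can widen access to every folder that names the group without touching a single ACL; the section should say who may maintain these objects.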
@@ -349,8 +381,11 @@
         }
         ID id-oc-groupOfNames
 }
+]]>
+
+</programlisting>
 </para>
-</orderedlist>
+
 <para>
 The KDE Kolab client gets central distribution list from LDAP and is able to create a local 
 copy in the address book which is then stored in the contacts folder.
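Review bot: the blank line between `]]>` and `</programlisting>` becomes a trailing empty line inside the rendered listing; put `</programlisting>` directly after `]]>`. Removing the stray `</orderedlist>` pairs with the `<orderedlist>` dropped in the previous hunk, so the list markup is balanced again. In the following context, "is able to create a local copy in the address book": the earlier paragraph lets a user grant access to a local list as well as to a central one, and a local copy is a snapshot of the members at copy time that does not follow later LDAP changes; one sentence saying so would prevent the copy being used where the live group was meant.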
@@ -366,19 +401,28 @@
 menu and a dialog.
 </para>
 <para>
-When accessing folders of other users the identitiy of the user does <emph>not</emph> change. The 
+When accessing folders of other users the identitiy of the user does <emphasis>not</emphasis> change. The 
 client must provide in the GUI a mean to configure the displayed prefix to folders not belonging
 to the current user. Internally the server uses the prefix "user". There are two kind of such folders.
 </para>
+
+<para>
 <orderedlist>
-<listitem>Folders of other users with explicit access priviledges granted either to the user or to 
+<listitem>
+<para>
+Folders of other users with explicit access priviledges granted either to the user or to 
 a group where the user belongs to. Typically this involves folders in secretary/boss situations or small adhoc teams.
+</para>
 </listitem>
-<listitem>Shared folders not belonging to any specific user with explicit access priviledges granted either to the user or to 
+<listitem>
+<para>
+Shared folders not belonging to any specific user with explicit access priviledges granted either to the user or to 
 a group where the user belongs to. These global shared folders get typically administered from the maintainers and administrators of the server and serve a larger group of people for an extended period of time.
+</para>
 </listitem>
 </orderedlist>
 </para>
+
 <para>
 When working with any folder the default identity for sending messages (e.g. email, calendar invitations etc.) 
 is the real. In addition the user has the choice of graphically choosing the effective 
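Review bot: the added text requires that the identity does "not" change when accessing another user's folder and that the client offers a way "to configure the displayed prefix" of such folders, but it gives neither the default prefix nor a requirement that foreign folders stay visually distinguishable from the user's own; since the following paragraph says mail sent from any folder defaults to the real identity, a user who has configured the prefix away has no cue which folders are not theirs. State the default and that the prefix may be renamed but not removed. Wording: "priviledges" appears twice in the new lines and should be "privileges"; "a group where the user belongs to" should be "a group the user belongs to"; "two kind of such folders" should be "two kinds".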

Index: concept.sgml
===================================================================
RCS file: /kolabrepository/doc/architecture/concept.sgml,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- concept.sgml	16 Mar 2004 14:39:23 -0000	1.9
+++ concept.sgml	17 Mar 2004 13:07:49 -0000	1.10
@@ -32,34 +32,67 @@
 and Postscript output is generated automatically and depends on the
 tools used. </para>
 <para>
-Windows XP, WindowsNT, Exchange, and Outlook are registered trademarks of Microsoft Corporation Inc.
-Insight Connector is a registered trademark of Bynari Inc. Toltec Connector is a trademark of Toltec.
-Konsec Connector is a trademark of Konsec. Aethera is a trademark of theKompany.com,
-HotSync is a registered trademark of Palm Inc. All other herein mentioned trademarks belong
-to their respective owners.
+<trademark class='registered'>Windows XP</trademark>,
+<trademark class='registered'>Windows NT</trademark>,
+<trademark class='registered'>Microsoft Exchange</trademark> and
+<trademark class='registered'>Microsoft Outlook</trademark>
+are registered trademarks of Microsoft Corporation Inc.
+<trademark class='registered'>Insight Connector</trademark>
+is a registered trademark of Bynari Inc. 
+<trademark>Toltec Connector</trademark>
+is a trademark of Toltec Inc..
+<trademark>Konsec Connector</trademark>
+is a trademark of Konsec. 
+<trademark class='registered'>Aethera</trademark>
+is a trademark of theKompany.com,
+<trademark class='registered'>HotSync</trademark>
+is a registered trademark of Palm Inc.. 
+<trademark>K Desktop Environment</trademark> and <trademark>KDE</trademark>
+are trademarks of the KDE e.V.
+</para>
+<para>
+All other herein mentioned trademarks belong
+to their respective owners.  Use of a term in this book should not be regarded as 
+affecting the validity of any trademark or service mark.
+</para>
+<para>
+Finally, the authors of this book are not liable for any errors found as well as anything that may cause a fault. However, if that does occur, please notify the authots so corrections can be made. Furthermore, the reader must also agree to use the information in this book  at his/her own risk and relinquish the authors, from any mistakes due to this book. If not, please stop reading now.
+</para>
+<para>
+BECAUSE THE CONTENT IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE CONTENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW. THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE CONTENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK OF USE OF THE CONTENT IS WITH YOU. SHOULD THE CONTENT PROVE FAULTY, INACCURATE, OR OTHERWISE UNACCEPTABLE YOU ASSUME THE COST OF ALL NECESSARY REPAIR OR CORRECTION. 
+</para>
+<para>
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MIRROR AND/OR REDISTRIBUTE THE CONTENT AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE CONTENT, EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
 </para>
 </legalnotice>
 <revhistory>
+
 <revision>
 <revnumber>1.0</revnumber>
 <date>September 10th 2002</date>
 </revision>
+
 <revision>
 <revnumber>1.0.1</revnumber>
 <date>September 19th 2002</date>
 </revision>
+
 <revision>
 <revnumber>1.0.2</revnumber>
 <date>January 13th 2003</date>
 </revision>
+
 <revision>
 <revnumber>1.0.3</revnumber>
 <date>January 28th 2003</date>
 </revision>
+
 <revision>
 <revnumber>1.1</revnumber>
 <date>February 20th 2003</date>
 </revision>
+
+<revision>
 <revnumber>1.9</revnumber>
 <date>March 16th 2004</date>
 </revision>
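Review bot: `<trademark class='registered'>Aethera</trademark>` is followed by "is a trademark of theKompany.com", while every other entry marked `class='registered'` says "registered trademark"; either drop the class attribute or change the wording, and likewise for "Toltec Connector", which has no class but whose owner is now given as "Toltec Inc." where the old text said "Toltec". Punctuation: "Toltec Inc.." and "Palm Inc.." have doubled periods, and "authots" in the liability paragraph should be "authors". In `<revhistory>` the new 1.9 entry follows 1.1 directly; a `<revremark>` saying what changed would help readers of the history.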

Index: server.sgml
===================================================================
RCS file: /kolabrepository/doc/architecture/server.sgml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- server.sgml	17 Mar 2004 09:57:04 -0000	1.4
+++ server.sgml	17 Mar 2004 13:07:49 -0000	1.5
@@ -201,7 +201,7 @@
 </sect2>
 
 <sect2><title>Access Control Lists</title>
-<para>Access Permissions are handled on <emph>folder</emph> level not on
+<para>Access Permissions are handled on <emphasis>folder</emphasis> level not on
 a message level. The
 user shall be able to query the GUI about access permissions of every
 folder via RMB menu (menue reachable via clicking right mouse button).
@@ -209,76 +209,146 @@
 clients including the webclient.
 </para>
 
-<orderedlist>On the server side we have to implement multiple things:
+<para>On the server side we have to implement multiple things:</para>
+<orderedlist>
 <listitem>
-Provide an API and usage documentation for the access permissions (See
+<para>Provide an API and usage documentation for the access permissions (See
 definitions below for NONE, READ, APPEND, WRITE and ALL)
+</para>
 </listitem>
 <listitem>
-Provide a webgui for watching/manipulating access permissions for the
+<para>Provide a webgui for watching/manipulating access permissions for the
 user
+</para>
 </listitem>
 <listitem>
-Provide a webgui for watching/manipulating access permissions for the
+<para>Provide a webgui for watching/manipulating access permissions for the
 maintainers/administrators
+</para>
 </listitem>
 </orderedlist>
 
 <para>
-API for access permissions is derived from the cyrus stuff.
+API for access permissions as implemented in the cyrus imapd. The affected IMAP commands are written in brackets.
 </para>
 
-<orderedlist>The basic ACLs are
+<variablelist><title>The basic internal IMAP ACLs</title>
+<varlistentry><term><filename>l</filename></term>
 <listitem>
-l    Lookup (visible to LIST/LSUB/UNSEEN)
+<para>
+Lookup (visible to LIST/LSUB/UNSEEN)
+</para>
 </listitem>
+</varlistentry>
+
+<varlistentry><term><filename>r</filename></term>
 <listitem>
-r    Read (SELECT, CHECK, FETCH, PARTIAL, SEARCH, COPY source)
+<para>
+Read (SELECT, CHECK, FETCH, PARTIAL, SEARCH, COPY source)
+</para>
 </listitem>
+</varlistentry>
+
+<varlistentry><term><filename>s</filename></term>
 <listitem>
-s    Seen (STORE \SEEN)
+<para>
+Seen (STORE \SEEN)
+</para>
 </listitem>
+</varlistentry>
+
+<varlistentry><term><filename>w</filename></term>
 <listitem>
-w    Write flags other than \SEEN and \DELETED
+<para>
+Write flags other than \SEEN and \DELETED
+</para>
 </listitem>
+</varlistentry>
+
+<varlistentry><term><filename>i</filename></term>
 <listitem>
-i    Insert (APPEND, COPY destination)
+<para>
+Insert (APPEND, COPY destination)
+</para>
 </listitem>
+</varlistentry>
+
+<varlistentry><term><filename>c</filename></term>
 <listitem>
-c    Create (subfolders)
+<para>
+Create (subfolders)
+</para>
 </listitem>
+</varlistentry>
+
+<varlistentry><term><filename>d</filename></term>
 <listitem>
-d    Delete (STORE \DELETED, EXPUNGE)
+<para>
+Delete (STORE \DELETED, EXPUNGE)
+</para>
 </listitem>
+</varlistentry>
+
+<varlistentry><term><filename>a</filename></term>
 <listitem>
-a    Administer (SETACL)
+<para>
+Administer (SETACL)
+</para>
 </listitem>
-<orderedlist>
+</varlistentry>
+
+</variablelist>
 
 <para> These Cyrus access permission are combined in different ways in order to obtain Kolab access permissions. The user shall neither
 directly see nor manipulate the Cyrus access permissions.
 </para>
 
-<orderedlist>We define therefore
+<variablelist><title>The Kolab Access permissions</title>
+
+<varlistentry><term><filename>NONE</filename></term>
 <listitem>
-NONE    -
+<para>
+-
+</para>
 </listitem>
+</varlistentry>
+
+<varlistentry><term><filename>READ</filename></term>
 <listitem>
-READ    lrs
+<para>
+lrs
+</para>
 </listitem>
+</varlistentry>
+
+<varlistentry><term><filename>APPEND</filename></term>
 <listitem>
-APPEND  lrsi
+<para>
+lrsi
+</para>
 </listitem>
+</varlistentry>
+
+<varlistentry><term><filename>WRITE</filename></term>
 <listitem>
-WRITE   lrsiwcd
+<para>
+lrsiwcd
+</para>
 </listitem>
+</varlistentry>
+
+<varlistentry><term><filename>ALL</filename></term>
 <listitem>
-ALL     lrsiwcda
+<para>
+lrsiwcda
+</para>
 </listitem>
-<orderedlist>
+</varlistentry>
 
-<para>Only these five high level Kolab access control permissions shall be available
-via the Kolab clients.
+</variablelist>
+
+<para>Only these five high level Kolab access control permissions shall be used and available
+via the Kolab clients to the user. The Kolab client must use the native Cyrus ACLs in the backend.
 </para>
 
 <para>
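Review bot: the mapping `WRITE lrsiwcd` includes `d`, which the table above defines as "Delete (STORE \DELETED, EXPUNGE)", so a WRITE grantee can permanently expunge messages from the owner's folder rather than merely change them, and `c` lets the grantee create subfolders; since WRITE is presented as the middle tier between APPEND and ALL, say explicitly that it is destructive or consider a tier without `d`. Second, "The Kolab client must use the native Cyrus ACLs in the backend" together with "The user shall neither directly see nor manipulate the Cyrus access permissions" leaves undefined what the client shows for an ACL string that matches none of the five (for example the `lr` and `rs` combinations introduced in the next hunk, or anything an administrator sets directly): specify whether such entries are shown read-only, mapped to the nearest tier, or refused. Markup: the ACL letters and the Kolab permission names are wrapped in `<filename>`, where `<literal>` is the fitting element, and "written in brackets" should be "in parentheses".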
@@ -297,23 +367,45 @@
 <para>
 For special purpose (e.g. bulletin boards) we use the following access control list
 </para>
+
+<variablelist><title>The special purpose Kolab Access permissions</title>
+<varlistentry><term><filename>READ ANON</filename></term>
+<listitem>
 <para>
-READ ANON lr
+lr
 </para>
+</listitem>
+</varlistentry>
+<varlistentry><term><filename>READ HIDDEN</filename></term>
+<listitem>
 <para>
-The specified user/group can see the folder and can read it, but the
-server does not preserve the "Seen" and "Recent" flags. This set of rights
-is primarily useful for anonymous IMAP and public shared folders.
+rs
 </para>
+</listitem>
+</varlistentry>
+</variablelist>
+
 <para>
-READ HIDDEN rs
+
 </para>
 <para>
-The specified user/group can read the mailbox and the server preserves the
-"Seen" and "Recent" flags, but the mailbox is not visible to the user
+The <filename>READ ANON</filename> Kolab access permission is used if the specified user/group shall
+ see the folder and can read it, but the
+server does not preserve the "Seen" and "Recent" flags. This set of rights
+is primarily useful for anonymous IMAP and public shared folders, where the permanent 
+update of the flags by one user would be confusing the other users.
+</para>
+
+<para>
+The <filename>READ HIDDEN</filename> Kolab access permission is used if the specified user/group 
+shall be able to read the mailbox and the server preserves the
+"Seen" and "Recent" flags, but the mailbox is not visible to the users
 through the various mailbox listing commands. The user/group must know the
-name of the mailbox to be able to access it. This set of rights is useful for non public shared folders.
+name of the mailbox to be able to access it. This set of rights is useful for non public shared folders
+and avoid unecessary leak of information (names of folders not accessable to the user) and also 
+avoid questions at the helpdesk.
 </para>
+
 <para>
 Basically the user is using the Kolab client using his primary 
 identity. Based on
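Review bot: the empty `<para>` left between `</variablelist>` and the `READ ANON` paragraph should be removed. The rationale for `READ HIDDEN` conflates two mechanisms: the `rs` grant is what limits access to the specified user/group, while the missing `l` only keeps the folder out of the listing commands; the clause "avoid unecessary leak of information (names of folders not accessable to the user)" describes folders the reader has no rights to at all, which are unlisted anyway, not hidden folders the reader may read. Reword so the hidden name is presented as tidiness and the `rs` grant as the actual access control, so nobody reads the hidden name as protecting the folder. Spelling: "unecessary", "accessable", and "is useful ... and avoid ... and also avoid" should be "avoids".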
@@ -371,7 +463,6 @@
 functionality is not needed.</para>
 
 <para>FTP is deactivated by default, for security reasons.</para>
-</sect1>
 
 <sect1><title> Kolab Server Backup Strategy </title>
 <para>One of the biggest advantages of using the maildir format on the Kolab server is, that no
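Review bot: this hunk deletes the `</sect1>` between `<para>FTP is deactivated by default, for security reasons.</para>` and `<sect1><title> Kolab Server Backup Strategy </title>`, and nothing else in the hunk closes the preceding section; unless that section was already closed earlier in the file (a double close imported from the backup), this nests one `sect1` inside another, which the DocBook DTD does not allow. Please confirm with a validating SGML build before the next commit.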
@@ -384,6 +475,15 @@
 an a single large binary object, that actually would require 
 a shutdown or a highly sophisticated online-backup 
 mechanism for save backup and restore procedures.</para>
+
+<sect2><title>Backup of IMAP Store</title>
+<para>Missing
+<para>
+</sect2>
+<sect2><title>Backup of LDAP Directory</title>
+<para>Missing
+<para>
+</sect2>
 </sect1>
 
 <sect1><title>Administrator User Interface</title>
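Review bot: both new `<sect2>` bodies read `<para>Missing` followed by a second `<para>` where `</para>` was intended, so each leaves an unclosed paragraph and the file will not validate; change the second `<para>` to `</para>` in both. The placeholders are fine as TODO markers, but the two items a reader will look for are the consistency requirement of each store (the surrounding text argues maildir needs no shutdown; the LDAP database is the other case) and whether the folder ACLs defined in the Access Control Lists section above are covered by the IMAP store backup; note them so they are not forgotten when the sections are written.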
