Command-line utility that edits Lotus Notes database ACLs

Ilya Evseev

Table of Contents

Short description
Distribution terms
Common requirements
Building under Win32
Running under Win32
Building under Linux
Running under Linux

Short description

LNACLs is a small console utility for editing the ACL (access control list) of Lotus Notes/Domino databases. It provides a command-line interface (CLI) similar to XCACLs from the NT Resource Kit, if you know it. The first and main goal of LNACLs is fast batch processing of multiple databases.

Example 1: disable access for group "NoAccess" to all databases.

lnacls.exe *.nsf =NoAccess:Group:NoAccess:

Example 2: allow access for Domino admins group to all mail databases.

lnacls.exe mail\*.nsf +LocalDomainAdministrators:PGroup:Manager

This saves you time and is more reliable than repeated mouse clicking!

One more goal is unlocking a "black box" on non-Windows servers. Currently we don't have a Notes desktop on Unix-powered servers. So we cannot (well, I don't know how) change the ACL of a database that was created on, or replicated to, a Unix server with an incorrect ACL that doesn't allow us to control it from another host using the Administration Client. But this can be done by running LNACLs on the server host, as shown in the examples above.

Currently supported platforms are Win32 and Linux. Ports to other platforms are easy and welcome.

Distribution terms

I'm not a jurisprudence expert. Dmitry Sklyarov's experience prevents me from visiting the USA and from contacts with the Great American Justice. I distribute my own software under the terms of the GNU GPL (GNU General Public License) and hope to have no problems in the future: from Lotus, from Microsoft, from the FBI, from GazProm+KGB (killers of independent Russian TV), from the manufacturer of my mouse (I prefer Genius) or from somebody else. In short, I understand the rules of the GNU GPL as follows:

  • you can freely download, use, modify and re-distribute my sources and binaries;
  • you cannot distribute modified binaries without the appropriate source code;
  • you cannot remove my name and my e-mail from sources/binaries;
  • (optional) all changes you make to my sources are published to the Internet community and delivered to me for merging into my development branch;
  • (optional) I should be notified when you publish software based on my stuff;
  • my software is provided "as is", i.e. without any warranty.


lnacls [:server] filenames.. [ACL.. [filenames.. [ACL..]]]

First, arguments containing spaces should be quoted with "". Second, «lnacls | more» gives you the most detailed instructions.


  • if the command line doesn't contain filenames, filenames are read from standard input.
  • filenames without an absolute path are relative to the Notes data directory; for example, mail\ievseev.nsf will be interpreted as c:\lotus\notes\data\mail\ievseev.nsf.

When there is no ACL on the command line, the current ACL is displayed.

ACL format:


First ACL character:

  • "!" deletes all entries from database ACL before editing
  • "+" adds attributes to existing entry (or creates new entry)
  • "-" removes attributes from existing entry, or completely removes entry
  • "=" replaces existing entry by new attributes (or creates new entry)


  • must be complete (with OU, organization and country);
  • can be in common or abbreviated form;
  • empty username is treated as "-Default-".

Other parts, when missing, are treated as "leave this part unchanged".


  • one of: Person, Server, Group, PGroup, SGroup, Unknown,
  • case-insensitive, may be shortened: P = Person, Unk = Unknown, etc.


  • one of: NoAccess, Depositor, Reader, Author, Designer, Manager,
  • case-insensitive, may be shortened: No = NoAccess, R = Reader, Des = Designer, etc.


  • cd = Create documents
  • dd = Delete documents
  • cpa = Create personal agents
  • cpf = Create personal folders/views
  • csf = Create shared folders/views
  • cls = Create LotusScript/Java agents
  • rpd = Read public documents
  • wpd = Write public documents

Multiple modifiers and roles are separated by "+", for example: cd+dd.

Environment variables:

  • NO_ROLES : set/unset to simplify/restore dump format;
  • DOMINO_SERVER=name : set/unset for using local or remote server.


Dump ACL of main Notes address book or Domino Directory database:

lnacls names

Create new entry or add attributes to existing NotesSrv entry:

lnacls names +NotesSrv/UCVT/RU:server:author:cpa+cpf:GroupCreator

Replace existing MyServers entry (old attributes are lost) or create new:

lnacls names =MyServers:sgroup:edi::UserCreator+UserModifier

Remove attributes from existing entry:

lnacls names -NotesSrv/UCVT/RU:::cpf:UserCreator

Completely remove the existing Serv1 entry from the NAB and LOG databases, add a new Serv2 entry to both, then dump the resulting ACLs:

lnacls names log -Serv1/UCVT/RU +Serv2/UCVT/RU:serv:reader names log
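The ACL argument rules above, as an added example (not LNACLs source code): a Python pre-flight parser for checking a batch of arguments before they are run against many databases, which also flags changes that raise -Default- above NoAccess. The field order name:type:level:modifiers:roles is inferred from the page's examples; first-match abbreviation lookup, the Editor level and leaving "!" unhandled are assumptions noted in the comments.

```python
TYPES = ["Person", "Server", "Group", "PGroup", "SGroup", "Unknown"]
# "Editor" is a standard Notes access level; the page's list omits it, but its
# "edi" example depends on it, so it is included here.
LEVELS = ["NoAccess", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
MODIFIERS = {"cd", "dd", "cpa", "cpf", "csf", "cls", "rpd", "wpd"}


def expand(token, table):
    """Resolve a case-insensitive abbreviation; '' means 'leave unchanged'."""
    if not token:
        return None
    for full in table:  # assumption: first match in listed order wins (P = Person)
        if full.lower().startswith(token.lower()):
            return full
    raise ValueError(f"unknown value {token!r}, expected one of {table}")


def parse_acl(arg):
    """Split one '+', '-' or '=' ACL argument into its documented parts."""
    if arg[:1] not in ("+", "-", "="):  # "!" is not handled: its syntax is not shown
        raise ValueError(f"{arg!r}: only + - = entries are handled here")
    parts = arg[1:].split(":")
    if len(parts) > 5:
        raise ValueError(f"{arg!r} has more than five ':'-separated parts")
    name, utype, level, mods, roles = parts + [""] * (5 - len(parts))
    mod_list = [m for m in mods.split("+") if m]
    bad = [m for m in mod_list if m not in MODIFIERS]  # compared as written (lower case)
    if bad:
        raise ValueError(f"unknown modifier(s) {bad} in {arg!r}")
    return {
        "op": arg[0],
        "name": name or "-Default-",  # empty username is treated as -Default-
        "type": expand(utype, TYPES),
        "level": expand(level, LEVELS),
        "modifiers": mod_list,
        "roles": [r for r in roles.split("+") if r],
    }


def widens_default(spec):
    """True when a '+' or '=' change sets -Default- above NoAccess."""
    return (spec["op"] in "+=" and spec["name"] == "-Default-"
            and spec["level"] not in (None, "NoAccess"))


def lint(args):
    """Return the arguments in a batch that would widen -Default- access."""
    return [a for a in args if widens_default(parse_acl(a))]
```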

Common requirements

  • For running: Lotus Notes or Lotus Domino (tested with 4.6 and 5.0) must be installed in the usual way.
  • For compiling binaries from sources: a C compiler and the Notes C API for the appropriate platform, which may be downloaded freely from Lotus.

Building under Win32

Assume the following installation paths:

  • Lotus Notes/Domino is installed to C:\Lotus\Notes;
  • Notes C API is installed to C:\Lotus\NotesAPI.

Using M$ Visual C++:

  • Set the correct environment for running the command-line compiler named CL.EXE:
    • on my system this is done by calling vcvars32.bat from the %DevStudio%\BIN directory;
    • don't close the Command Prompt window between calling vcvars32.bat and typing the next command!
  • Run the compiler (this is a single command that must be entered entirely on one line):
    cl.exe /MD /IC:\Lotus\NotesAPI\Include lnacls.c C:\Lotus\NotesAPI\Lib\MSWin32\notes.lib

Using Borland C++ (tested with v5.5, freely available from www.borland.com):

  • Create an import library for C:\Lotus\Notes\nnotes.dll using Borland's standard IMPLIB utility:
    implib nnotes_bc.lib c:\lotus\notes\nnotes.dll
    This needs to be done only once. Place the generated nnotes_bc.lib in the LNACLs source directory.
  • Run the compiler:
    bcc32.exe -IC:\Lotus\NotesAPI\Include lnacls.c

Running under Win32

To run lnacls.exe, C:\Lotus\Notes\nnotes.dll and NOTES.INI should be in the current directory or should be visible through the PATH environment variable. Under Windows'95/98/ME, add the following line to the end of your C:\Autoexec.bat and reboot:

set PATH=C:\Lotus\Notes;%PATH%

A better way: place lnacls.exe directly in the C:\Lotus\Notes directory.

This is important only under old Windows'95 (build 4.00.950) and only for the VisualC++-based version: check that msvcrt.dll (Micro$oft Visual C Run-Time Library) actually exists in the C:\WINDOWS\System directory.

Building under Linux

Assume the following installation paths:

  • Lotus Domino program is installed to /opt/lotus (with notes, notesdata and bin subdirectories);
  • Notes C API is installed to /opt/lotus/notesapi.

Step 1. Create a temporary directory and unzip lnacls_src.zip into it:

mkdir -p ~/src/lnacls
cd ~/src/lnacls
unzip /where/you/place/lnacls_src.zip
chmod +x nloader

Step 2. Edit the ~/src/lnacls/nloader file: change the "DOMPATH=" line (path to the binary files, where libnotes.so is located) and the "NOTES_INI=" line (full pathname of notes.ini) to the proper values. nloader is a simple bash script for starting standalone Notes apps in the correct environment.

Step 3. Edit linux.mak: change the "LOTUS=" and "NOTESAPI=" lines to the proper values.

Step 4. Run make:

make -f linux.mak TARGET=lnacls
make -f linux.mak TARGET=lnerror

Running under Linux

Run it! For example:

./nloader ./lnacls log.nsf +LocalDomainAdministrators:PGroup:Manager
./nloader ./lnerror 0x1A5 421

KOI8-R support for Russian users is provided only when the LC_CTYPE environment variable contains the value "ru_RU.KOI8-R".


  • (dirty workaround in place for KOI8-R) The Linux version doesn't support locales. OSTranslate() always returns the text unchanged.
  • The Linux version may wait for additional filenames/switches from the console instead of immediately processing the command-line args. Press Ctrl+D.
  • Pressing Ctrl+Break multiple times while lnacls is working may hang the Domino engine completely. In my opinion, Domino seems to be very unreliable software.
  • lnacls always looks for an INI file named notes.ini. We cannot use the standard '=path_to_another_notes.ini' feature on the command line because '=' is already used for my own purposes now.
  • Unicode support is requested by a lot of hyper-advanced users, but is not planned now because it's too difficult to implement.
  • Build RPM for Linux users.


  • Feb 2000 - Originally written in Java. Not finished.
  • Apr 2000 - v1.0: written in C++ using C++ API. Uses big LNCPP DLL from Lotus.
  • Feb 2001 - v2.0: rewritten using C. It's now cool ;)
  • Sep 2001 - ported to Linux.
  • Nov 2001
    • v2.0/2.1 published to Internet
    • support national usernames and roles (under Unix: for KOI8-r only)
    • small standalone lnerror utility added
    • correctly handles quotes in command line under Unix, other nloader bugfixes.
  • Sep 2003
    • documentation is converted from separate plain text and Domino RTF to single HTML
    • old hosting on ucvt.ru dead
  • Mar 2004
    • new hosting on narod.ru
    • documentation converted to DocBook/XML
