Reseller Bundle: Difference between revisions

From Open-Xchange
 
(9 intermediate revisions by 2 users not shown)
Line 7: Line 7:
** they can only manage contexts (no database, filestore, etc)
** they can only manage contexts (no database, filestore, etc)
** they can only manage their own contexts (list/change/delete)  
** they can only manage their own contexts (list/change/delete)  
** they might be able to create further subadmins (see below)


The corresponding documentation of restrictions available and what they do can
The corresponding documentation of restrictions available and what they do can
be found in the javadoc api documentation found in
be found in the javadoc api documentation found in
/usr/share/doc/open-xchange-admin-plugin-reseller/javadoc/doc on Debian.
/usr/share/doc/open-xchange-admin-reseller/javadoc/doc on Debian.
 
== Restrictions ==


These are basically the restrictions available:
These are basically the restrictions available:
Line 38: Line 41:
   
   
plus all the restrictions based on module access combinations as found in  
plus all the restrictions based on module access combinations as found in  
/opt/open-xchange/etc/admindaemon/ModuleAccessDefinitions.properties
/opt/open-xchange/etc/ModuleAccessDefinitions.properties


{{InstallPlugin|pluginname=open-xchange-admin-plugin-reseller|sopath=stable}}
{{InstallPlugin|version=6.22 or later|pluginname=open-xchange-admin-reseller|toplevel=products|sopath=appsuite/stable/backend}}


== Setup and Configuration ==
== Setup and Configuration ==
Line 46: Line 49:


The reseller package requires additional tables in the configdb database
The reseller package requires additional tables in the configdb database
as well as the package open-xchange-admin-plugin-autocontextid to be installed.
as well as the package open-xchange-admin-autocontextid to be installed.


open-xchange-admin-plugin-autocontextid introduces the feature, that context ids
open-xchange-admin-autocontextid introduces the feature, that context ids
can no longer be specified and maintained by the system administrator, but are
can no longer be specified and maintained by the system administrator, but are
now generated by open-xchange itself. This is a requirement since reseller
now generated by open-xchange itself. This is a requirement since reseller
admins do not know, which context ids are already used.
admins do not know, which context ids are already used.


In OX App Suite version 7.10.1 and before you need to add those tables manually. In newer versions the tables are added automatically.
To add the new tables to the configdb, either run
To add the new tables to the configdb, either run


  $ mysql -u openexchange -p<YOURPW> configdb \
  $ mysql -u openexchange -p<YOURPW> configdb \
     < /opt/open-xchange/etc/admindaemon/mysql/reseller.sql
     < /opt/open-xchange/etc/mysql/reseller.sql
  $ mysql -u openexchange -p<YOURPW> configdb \
  $ mysql -u openexchange -p<YOURPW> configdb \
     < /opt/open-xchange/etc/admindaemon/mysql/autocid.sql
     < /opt/open-xchange/etc/mysql/autocid.sql


or on a fresh setup, when running initconfigdb, add the following arguments:
or on a fresh setup, when running initconfigdb, add the following arguments:
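Review bot: the `mysql -u openexchange -p<YOURPW> configdb` lines kept in this hunk pass the database password as a command-line argument, where it lands in shell history and can be seen by other local users; suggest a bare `-p` so the client prompts, or a client option file. The new sentence about 7.10.1 also sits directly before "To add the new tables to the configdb, either run", so it would help to say that the commands which follow apply only to 7.10.1 and earlier.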
Line 65: Line 69:
     --addon-sql "reseller.sql autocid.sql"
     --addon-sql "reseller.sql autocid.sql"


'''Important: It is required to NOT set MASTER_AUTHENTICATION_DISABLED=true or CONTEXT_AUTHENTICATION_DISABLED=true in <tt>/opt/open-xchange/etc/AdminDaemon.properties</tt>'''


== Initializing the restrictions ==
== Initializing the restrictions ==


After the additional tables in the configdb have been created, the restrictions
After the additional tables in the configdb have been created (may require restart), the restrictions
must be initialized. This can be done via RMI, SOAP or on commandline using
must be initialized. This can be done via RMI, SOAP or on commandline using


  $ initrestrictions -A oxadminmaster -P secret
  $ initrestrictions -A oxadminmaster -P secret


== Manage subadmins ==
== Manage subadmins ==
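Review bot: the added "(may require restart)" in the "Initializing the restrictions" paragraph does not say what has to be restarted or how to tell whether it is needed; name the service and the condition. The new bold "Important" line likewise says that MASTER_AUTHENTICATION_DISABLED=true and CONTEXT_AUTHENTICATION_DISABLED=true must not be set without saying what fails if they are, so a one-clause reason would help.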
Line 117: Line 121:
== Using the SOAP Interface ==
== Using the SOAP Interface ==


To use the soap interface, you need to install <tt>open-xchange-admin-plugin-reseller-soap</tt> in addition.
To use the soap interface, you need to install <tt>open-xchange-admin-soap-reseller</tt> in addition.


Due to the fact, that we cannot use the plugin mechanism we're using in Java to
Due to the fact, that we cannot use the plugin mechanism we're using in Java to
Line 138: Line 142:
and the corresponding SOAP URLs
and the corresponding SOAP URLs


* http://localhost/servlet/axis2/services/OXResellerContextService?wsdl
* http://localhost/webservices/OXResellerContextService?wsdl
* http://localhost/servlet/axis2/services/OXResellerUserService?wsdl
* http://localhost/webservices/OXResellerUserService?wsdl
* http://localhost/servlet/axis2/services/OXResellerGroupService?wsdl
* http://localhost/webservices/OXResellerGroupService?wsdl
* http://localhost/servlet/axis2/services/OXResellerResourceService?wsdl
* http://localhost/webservices/OXResellerResourceService?wsdl


and of course the additional API to manage the subadmin accounts:  
and of course the additional API to manage the subadmin accounts:  


* http://localhost/servlet/axis2/services/OXResellerService?wsdl
* http://localhost/webservices/OXResellerService?wsdl


That also means that the existing SOAP interfaces for the mentioned classes
That also means that the existing SOAP interfaces for the mentioned classes

Latest revision as of 16:52, 3 December 2019

Open-Xchange Reseller package

The reseller package introduces an additional layer of permissions, so-called subadmins.

  • subadmins can be managed by the oxadminmaster account
  • subadmins are oxadminmaster accounts with restricted rights:
    • they can only manage contexts (no database, filestore, etc)
    • they can only manage their own contexts (list/change/delete)
    • they might be able to create further subadmins (see below)

The available restrictions and what they do are documented in the javadoc API documentation in /usr/share/doc/open-xchange-admin-reseller/javadoc/doc on Debian.

Restrictions

These are basically the restrictions available:

Subadmin.MaxOverallUser
  - the maximum number of users a subadmin can create, distributed over all its
    contexts
Subadmin.MaxContext
  - the maximum number of contexts a subadmin can create
Context.MaxUser
  - the maximum number of users in a single context a contextadmin can create
    Note: this is a restriction a subadmin can apply to each context
Subadmin.MaxOverallContextQuota
  - the maximum quota, summed over all contexts, that a subadmin
    can use
Subadmin.CanCreateSubadmin
  - Should this subadmin be able to create subsubadmins? This is NOT allowed by default.
    There's also only one additional level. Note: A subsubadmin cannot create any further
    subadmins.
Subadmin.MaxSubadmin
  - If a subadmin is allowed to create subsubadmins, should there be a maximum?

plus all the restrictions based on module access combinations as found in /opt/open-xchange/etc/ModuleAccessDefinitions.properties

Install on OX 6.22 or later

Debian GNU/Linux 11.0

Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:

deb https://software.open-xchange.com/products/appsuite/stable/backend/DebianBullseye/ /
# if you have a valid maintenance subscription, please uncomment the 
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/products/appsuite/stable/backend/updates/DebianBullseye/ /

and run

$ apt-get update
$ apt-get install open-xchange-admin-reseller

Debian GNU/Linux 12.0

Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:

deb https://software.open-xchange.com/products/appsuite/stable/backend/DebianBookworm/ /
# if you have a valid maintenance subscription, please uncomment the 
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/products/appsuite/stable/backend/updates/DebianBookworm/ /

and run

$ apt-get update
$ apt-get install open-xchange-admin-reseller


Setup and Configuration

The reseller package requires additional tables in the configdb database as well as the package open-xchange-admin-autocontextid to be installed.

With open-xchange-admin-autocontextid installed, context ids can no longer be specified and maintained by the system administrator; they are generated by open-xchange itself. This is a requirement because reseller admins do not know which context ids are already in use.

In OX App Suite version 7.10.1 and earlier, you need to add those tables manually. In newer versions the tables are added automatically. To add the new tables to the configdb, either run

$ mysql -u openexchange -p<YOURPW> configdb \
   < /opt/open-xchange/etc/mysql/reseller.sql
$ mysql -u openexchange -p<YOURPW> configdb \
   < /opt/open-xchange/etc/mysql/autocid.sql

or on a fresh setup, when running initconfigdb, add the following arguments:

$ /opt/open-xchange/sbin/initconfigdb --configdb-pass secret -a \
   --addon-sql "reseller.sql autocid.sql"

Important: It is required to NOT set MASTER_AUTHENTICATION_DISABLED=true or CONTEXT_AUTHENTICATION_DISABLED=true in /opt/open-xchange/etc/AdminDaemon.properties
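
The requirement above can be turned into a pre-flight check. The following is an added example, not part of the original page or of Open-Xchange; the function name check_admin_auth and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Open-Xchange code): report whether the effective value of
# MASTER_AUTHENTICATION_DISABLED or CONTEXT_AUTHENTICATION_DISABLED is "true".
# Returns 0 if neither is, 1 if one is, 2 if the file cannot be read.
check_admin_auth() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -v f="$1" '
        /^[ \t]*[#!]/ { next }                      # comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Java properties allow "=", ":" or blanks between key and value.
            if (match(line, /^(MASTER|CONTEXT)_AUTHENTICATION_DISABLED[ \t=:]/)) {
                key = substr(line, 1, RLENGTH - 1)
                val = substr(line, RLENGTH)
                sub(/^[ \t]*[=:]?[ \t]*/, "", val)
                sub(/[ \t\r]+$/, "", val)
                last[key] = tolower(val)            # a later entry overrides
                where[key] = NR
            }
        }
        END {
            for (k in last)
                if (last[k] == "true") {
                    printf "%s:%d: %s is set to true\n", f, where[k], k
                    bad = 1
                }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample file for demonstration, not a real configuration.
demo=$(mktemp)
printf '%s\n' 'MASTER_AUTHENTICATION_DISABLED=false' \
              'CONTEXT_AUTHENTICATION_DISABLED: true' > "$demo"
check_admin_auth "$demo" || echo "authentication is disabled in $demo"
rm -f "$demo"
```

On a real host the function would be called with /opt/open-xchange/etc/AdminDaemon.properties as its argument.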

Initializing the restrictions

After the additional tables in the configdb have been created (may require restart), the restrictions must be initialized. This can be done via RMI, SOAP or on the command line using

$ initrestrictions -A oxadminmaster -P secret

Manage subadmins

Subadmin accounts can be managed via the createadmin, changeadmin and deleteadmin commands installed in /opt/open-xchange/sbin.

Example:

$ /opt/open-xchange/sbin/createadmin -A oxadminmaster -P secret -u testadmin \
   -d "Test Subadmin" -p secret -a Subadmin.MaxContext=2000 \
   -a Subadmin.MaxOverallUser=2100 \
   -a Subadmin.MaxOverallUserByModuleaccess_webmail_plus=2010

This creates a subadmin that can create at most 2000 contexts containing at most 2100 users in total, of which at most 2010 can have the module access combination webmail_plus.

List it with

$ /opt/open-xchange/sbin/listadmin -A oxadminmaster -P secret
Id Name      Displayname   Restrictions
36 testadmin Test Subadmin Subadmin.MaxOverallUser=2100,Subadmin.MaxOverallUserByModuleaccess_webmail_plus=2010,Subadmin.MaxContext=2000
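
The listing above can be checked against a local policy of restrictions every subadmin must carry. This is an added example, not part of the original page or of Open-Xchange; it assumes the Restrictions column is the last whitespace-separated field, and the function names, the required-key list and row 37 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Open-Xchange code): read listadmin output on stdin and
# report every subadmin whose Restrictions column lacks one of the keys given
# as a comma-separated list in $1. Returns 1 if anything is missing.
audit_subadmins() {
    awk -v required="$1" '
        BEGIN { n = split(required, req, ",") }
        NR == 1 && $1 == "Id" { next }          # header row
        NF < 2 { next }                         # blank or malformed line
        {
            split("", have)                     # reset per row
            # Assumption: the restriction list is the last field and has no
            # blanks; a last field without "=" means no restriction is set.
            if ($NF ~ /=/) {
                m = split($NF, pair, ",")
                for (i = 1; i <= m; i++) {
                    eq = index(pair[i], "=")
                    if (eq > 1) have[substr(pair[i], 1, eq - 1)] = 1
                }
            }
            for (i = 1; i <= n; i++)
                if (!(req[i] in have)) {
                    printf "%s: %s not set\n", $2, req[i]
                    bad = 1
                }
        }
        END { exit bad + 0 }
    '
}

# Row 36 is the listing shown above; row 37 is constructed for illustration.
sample_listadmin() {
    cat <<'EOF'
Id Name      Displayname   Restrictions
36 testadmin Test Subadmin Subadmin.MaxOverallUser=2100,Subadmin.MaxOverallUserByModuleaccess_webmail_plus=2010,Subadmin.MaxContext=2000
37 demoadmin Demo Subadmin Subadmin.MaxContext=10
EOF
}

sample_listadmin | audit_subadmins "Subadmin.MaxContext,Subadmin.MaxOverallUser" \
    || echo "at least one subadmin is missing a required restriction"
```

Against a live system, the output of the listadmin command would be piped into audit_subadmins in place of the sample.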


Manage contexts

When the reseller package has been installed, context listings contain additional information such as the owner of each context.

$ /opt/open-xchange/sbin/listcontext -A oxadminmaster -P secret
cid fid fname       enabled qmax qused name        lmappings   CustomID         Owner
  1   3 1_ctx_store true     500     0 1                                        oxadminmaster
  2   3 2_ctx_store true     500     0 example.com example.com                  oxadminmaster
  3   3 3_ctx_store true     500     0 3                                        oxadminmaster
  4   3 4_ctx_store true     500     0 4                       a custom id 1234 testadmin    

The subadmin called testadmin can only list its own context(s):

$ /opt/open-xchange/sbin/listcontext -A testadmin -P secret
cid fid fname       enabled qmax qused name lmappings CustomID         Owner    
  4   3 4_ctx_store true     500     0 4              a custom id 1234 testadmin

Using the SOAP Interface

To use the soap interface, you need to install open-xchange-admin-soap-reseller in addition.

Because we cannot use the plugin mechanism we're using in Java to extend the existing objects, the APIs and objects

  • OXContext
  • OXGroup
  • OXResource
  • OXUser
  • Context

had to be wrapped into new APIs

  • OXResellerContext
  • OXResellerGroup
  • OXResellerResource
  • OXResellerUser
  • ResellerContext

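and the corresponding SOAP URLs

  • http://localhost/webservices/OXResellerContextService?wsdl
  • http://localhost/webservices/OXResellerUserService?wsdl
  • http://localhost/webservices/OXResellerGroupService?wsdl
  • http://localhost/webservices/OXResellerResourceService?wsdl

and of course the additional API to manage the subadmin accounts:

  • http://localhost/webservices/OXResellerService?wsdl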

That also means that the existing SOAP interfaces for the mentioned classes above cannot be used anymore when installing the reseller package.

ResellerContext just adds some additional members to the existing Context object, and the corresponding APIs just operate on and return this wrapped class.