Reseller Bundle: Difference between revisions
No edit summary |
|||
| Line 11: | Line 11: | ||
The corresponding documentation of restrictions available and what they do can | The corresponding documentation of restrictions available and what they do can | ||
be found in the javadoc api documentation found in | be found in the javadoc api documentation found in | ||
/usr/share/doc/open-xchange-admin | /usr/share/doc/open-xchange-admin-reseller/javadoc/doc on Debian. | ||
These are basically the restrictions available: | These are basically the restrictions available: | ||
| Line 39: | Line 39: | ||
plus all the restrictions based on module access combinations as found in | plus all the restrictions based on module access combinations as found in | ||
/opt/open-xchange/etc | /opt/open-xchange/etc/ModuleAccessDefinitions.properties | ||
{{InstallPlugin|pluginname=open-xchange-admin | {{InstallPlugin|pluginname=open-xchange-admin-reseller|sopath=stable}} | ||
== Setup and Configuration == | == Setup and Configuration == | ||
| Line 119: | Line 119: | ||
== Using the SOAP Interface == | == Using the SOAP Interface == | ||
To use the soap interface, you need to install <tt>open-xchange-admin- | To use the soap interface, you need to install <tt>open-xchange-admin-soap-reseller</tt> in addition. | ||
Due to the fact, that we cannot use the plugin mechanism we're using in Java to | Due to the fact, that we cannot use the plugin mechanism we're using in Java to | ||
| Line 140: | Line 140: | ||
and the corresponding SOAP URLs | and the corresponding SOAP URLs | ||
* http://localhost/ | * http://localhost/webservices/OXResellerContextService?wsdl | ||
* http://localhost/ | * http://localhost/webservices/OXResellerUserService?wsdl | ||
* http://localhost/ | * http://localhost/webservices/OXResellerGroupService?wsdl | ||
* http://localhost/ | * http://localhost/webservices/OXResellerResourceService?wsdl | ||
and of course the additional API to manage the subadmin accounts: | and of course the additional API to manage the subadmin accounts: | ||
* http://localhost/ | * http://localhost/webservices/OXResellerService?wsdl | ||
That also means that the existing SOAP interfaces for the mentioned classes | That also means that the existing SOAP interfaces for the mentioned classes | ||
Revision as of 06:04, 17 July 2013
Open-Xchange Reseller package
The reseller package introduces an additional layer of permissions, so called subadmins.
- subadmins can be managed by the oxadminmaster account
- subadmins are oxadminmaster accounts with restricted rights:
- they can only manage contexts (no database, filestore, etc)
- they can only manage their own contexts (list/change/delete)
- they might be able to create further subadmins (see below)
The corresponding documentation of restrictions available and what they do can be found in the javadoc api documentation found in /usr/share/doc/open-xchange-admin-reseller/javadoc/doc on Debian.
These are basically the restrictions available:
Subadmin.MaxOverallUser
- the maximum number of users a subadmin can create distributed over all it's
contexts
Subadmin.MaxContext - the maximum number of contexts a subadmin can create
Context.MaxUser
- the maximum number of users in a single context a contextadmin can create
Note: this is a restriction, a subadmin can apply to each context
Subadmin.MaxOverallContextQuota
- the maximum number of quota distributed over all contexts a subadmin
can use
Subadmin.CanCreateSubadmin
- Should this subadmin be able to create subsubadmins? This is NOT allowed by default.
There's also only one additional level. Note: A subsubadmin cannot create any further
subadmins.
Subadmin.MaxSubadmin - If a subadmin is allowed to create subsubadmins, should there be a maximum?
plus all the restrictions based on module access combinations as found in /opt/open-xchange/etc/ModuleAccessDefinitions.properties
Install on OX AppSuite
Debian GNU/Linux 11.0
Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:
deb https://software.open-xchange.com/products/stable/DebianBullseye/ /
# if you have a valid maintenance subscription, please uncomment the
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/products/stable/updates/DebianBullseye/ /
and run
$ apt-get update $ apt-get install open-xchange-admin-reseller
Debian GNU/Linux 12.0
Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:
deb https://software.open-xchange.com/products/stable/DebianBookworm/ /
# if you have a valid maintenance subscription, please uncomment the
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/products/stable/updates/DebianBookworm/ /
and run
$ apt-get update $ apt-get install open-xchange-admin-reseller
Setup and Configuration
The reseller package requires additional tables in the configdb database as well as the package open-xchange-admin-autocontextid to be installed.
open-xchange-admin-autocontextid introduces the feature, that context ids can no longer be specified and maintained by the system administrator, but are now generated by open-xchange itself. This is a requirement since reseller admins do not know, which context ids are already used.
To add the new tables to the configdb, either run
$ mysql -u openexchange -p<YOURPW> configdb \ < /opt/open-xchange/etc/mysql/reseller.sql $ mysql -u openexchange -p<YOURPW> configdb \ < /opt/open-xchange/etc/mysql/autocid.sql
or on a fresh setup, when running initconfigdb, add the following arguments:
$ /opt/open-xchange/sbin/initconfigdb --configdb-pass secret -a \ --addon-sql "reseller.sql autocid.sql"
Important: It is required to NOT set MASTER_AUTHENTICATION_DISABLED=true or CONTEXT_AUTHENTICATION_DISABLED=true in /opt/open-xchange/etc/AdminDaemon.properties
Initializing the restrictions
After the additional tables in the configdb have been created, the restrictions must be initialized. This can be done via RMI, SOAP or on commandline using
$ initrestrictions -A oxadminmaster -P secret
Manage subadmins
Subadmin accounts can be managed via the create/change/deleteadmin commands installed to /opt/open-xchange/sbin
Example:
$ /opt/open-xchange/sbin/createadmin -A oxadminmaster -P secret -u testadmin \ -d "Test Subadmin" -p secret -a Subadmin.MaxContext=2000 \ -a Subadmin.MaxOverallUser=2100 \ -a Subadmin.MaxOverallUserByModuleaccess_webmail_plus=2010
Would create a subadmin which is able to create max. 2000 contexts containing max. 2100 users and of these users, max. 2010 can have the module access combination webmail_plus.
list it with
$ /opt/open-xchange/sbin/listadmin -A oxadminmaster -P secret Id Name Displayname Restrictions 36 testadmin Test Subadmin Subadmin.MaxOverallUser=2100,Subadmin.MaxOverallUserByModuleaccess_webmail_plus=2010,Subadmin.MaxContext=2000
Manage contexts
When the reseller package has been installed, context listings contain additional information such as the owner of the single contexts.
$ /opt/open-xchange/sbin/listcontext -A oxadminmaster -P secret cid fid fname enabled qmax qused name lmappings CustomID Owner 1 3 1_ctx_store true 500 0 1 oxadminmaster 2 3 2_ctx_store true 500 0 example.com example.com oxadminmaster 3 3 3_ctx_store true 500 0 3 oxadminmaster 4 3 4_ctx_store true 500 0 4 a custom id 1234 testadmin
The subadmin called testadmin can only list it's own context(s):
$ /opt/open-xchange/sbin/listcontext -A testadmin -P secret cid fid fname enabled qmax qused name lmappings CustomID Owner 4 3 4_ctx_store true 500 0 4 a custom id 1234 testadmin
Using the SOAP Interface
To use the soap interface, you need to install open-xchange-admin-soap-reseller in addition.
Due to the fact, that we cannot use the plugin mechanism we're using in Java to extend the existing objects, the APIs and objects
- OXContext
- OXGroup
- OXResource
- OXUser
- Context
had to be wrapped into new APIs
- OXResellerContext
- OXResellerGroup
- OXResellerResource
- OXResellerUser
- ResellerContext
and the corresponding SOAP URLs
- http://localhost/webservices/OXResellerContextService?wsdl
- http://localhost/webservices/OXResellerUserService?wsdl
- http://localhost/webservices/OXResellerGroupService?wsdl
- http://localhost/webservices/OXResellerResourceService?wsdl
and of course the additional API to manage the subadmin accounts:
That also means that the existing SOAP interfaces for the mentioned classes above cannot be used anymore when installing the reseller package.
ResellerContext just adds some additional members to the existing Context object and the corresponding APIs just oberate on and return this wrapped class.