Reseller Bundle: Difference between revisions

From Open-Xchange
Line 47: Line 47:


The reseller package requires additional tables in the configdb database
The reseller package requires additional tables in the configdb database
as well as the package open-xchange-admin-plugin-autocontextid to be installed.
as well as the package open-xchange-admin-autocontextid to be installed.


open-xchange-admin-plugin-autocontextid introduces the feature, that context ids
open-xchange-admin-autocontextid introduces the feature, that context ids
can no longer be specified and maintained by the system administrator, but are
can no longer be specified and maintained by the system administrator, but are
now generated by open-xchange itself. This is a requirement since reseller
now generated by open-xchange itself. This is a requirement since reseller
Line 57: Line 57:


  $ mysql -u openexchange -p<YOURPW> configdb \
  $ mysql -u openexchange -p<YOURPW> configdb \
     < /opt/open-xchange/etc/admindaemon/mysql/reseller.sql
     < /opt/open-xchange/etc/mysql/reseller.sql
  $ mysql -u openexchange -p<YOURPW> configdb \
  $ mysql -u openexchange -p<YOURPW> configdb \
     < /opt/open-xchange/etc/admindaemon/mysql/autocid.sql
     < /opt/open-xchange/etc/mysql/autocid.sql


or on a fresh setup, when running initconfigdb, add the following arguments:
or on a fresh setup, when running initconfigdb, add the following arguments:
Line 66: Line 66:
     --addon-sql "reseller.sql autocid.sql"
     --addon-sql "reseller.sql autocid.sql"


'''Important: It is required to NOT set MASTER_AUTHENTICATION_DISABLED=true or CONTEXT_AUTHENTICATION_DISABLED=true in <tt>/opt/open-xchange/etc/admindaemon/AdminDaemon.properties</tt>'''
'''Important: It is required to NOT set MASTER_AUTHENTICATION_DISABLED=true or CONTEXT_AUTHENTICATION_DISABLED=true in <tt>/opt/open-xchange/etc/AdminDaemon.properties</tt>'''


== Initializing the restrictions ==
== Initializing the restrictions ==

Revision as of 06:02, 17 July 2013

Open-Xchange Reseller package

The reseller package introduces an additional layer of permissions, so called subadmins.

  • subadmins can be managed by the oxadminmaster account
  • subadmins are oxadminmaster accounts with restricted rights:
    • they can only manage contexts (no database, filestore, etc)
    • they can only manage their own contexts (list/change/delete)
    • they might be able to create further subadmins (see below)

The corresponding documentation of restrictions available and what they do can be found in the javadoc api documentation found in /usr/share/doc/open-xchange-admin-plugin-reseller/javadoc/doc on Debian.

These are basically the restrictions available:

Subadmin.MaxOverallUser
  - the maximum number of users a subadmin can create distributed over all it's
    contexts
Subadmin.MaxContext
  - the maximum number of contexts a subadmin can create
Context.MaxUser
  - the maximum number of users in a single context a contextadmin can create
    Note: this is a restriction, a subadmin can apply to each context
Subadmin.MaxOverallContextQuota
  - the maximum number of quota distributed over all contexts a subadmin
    can use
Subadmin.CanCreateSubadmin
  - Should this subadmin be able to create subsubadmins? This is NOT allowed by default.
    There's also only one additional level. Note: A subsubadmin cannot create any further
    subadmins.
Subadmin.MaxSubadmin
  - If a subadmin is allowed to create subsubadmins, should there be a maximum?

plus all the restrictions based on module access combinations as found in /opt/open-xchange/etc/admindaemon/ModuleAccessDefinitions.properties

Install on OX AppSuite

Debian GNU/Linux 11.0

Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:

deb https://software.open-xchange.com/products/stable/DebianBullseye/ /
# if you have a valid maintenance subscription, please uncomment the 
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/products/stable/updates/DebianBullseye/ /

and run

$ apt-get update
$ apt-get install open-xchange-admin-plugin-reseller

Debian GNU/Linux 12.0

Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:

deb https://software.open-xchange.com/products/stable/DebianBookworm/ /
# if you have a valid maintenance subscription, please uncomment the 
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/products/stable/updates/DebianBookworm/ /

and run

$ apt-get update
$ apt-get install open-xchange-admin-plugin-reseller


Setup and Configuration

The reseller package requires additional tables in the configdb database as well as the package open-xchange-admin-autocontextid to be installed.

open-xchange-admin-autocontextid introduces the feature, that context ids can no longer be specified and maintained by the system administrator, but are now generated by open-xchange itself. This is a requirement since reseller admins do not know, which context ids are already used.

To add the new tables to the configdb, either run

$ mysql -u openexchange -p<YOURPW> configdb \
   < /opt/open-xchange/etc/mysql/reseller.sql
$ mysql -u openexchange -p<YOURPW> configdb \
   < /opt/open-xchange/etc/mysql/autocid.sql

or on a fresh setup, when running initconfigdb, add the following arguments:

$ /opt/open-xchange/sbin/initconfigdb --configdb-pass secret -a \
   --addon-sql "reseller.sql autocid.sql"

Important: It is required to NOT set MASTER_AUTHENTICATION_DISABLED=true or CONTEXT_AUTHENTICATION_DISABLED=true in /opt/open-xchange/etc/AdminDaemon.properties

Initializing the restrictions

After the additional tables in the configdb have been created, the restrictions must be initialized. This can be done via RMI, SOAP or on commandline using

$ initrestrictions -A oxadminmaster -P secret


Manage subadmins

Subadmin accounts can be managed via the create/change/deleteadmin commands installed to /opt/open-xchange/sbin

Example:

$ /opt/open-xchange/sbin/createadmin -A oxadminmaster -P secret -u testadmin \
   -d "Test Subadmin" -p secret -a Subadmin.MaxContext=2000 \
   -a Subadmin.MaxOverallUser=2100 \
   -a Subadmin.MaxOverallUserByModuleaccess_webmail_plus=2010

Would create a subadmin which is able to create max. 2000 contexts containing max. 2100 users and of these users, max. 2010 can have the module access combination webmail_plus.

list it with

$ /opt/open-xchange/sbin/listadmin -A oxadminmaster -P secret
Id Name      Displayname   Restrictions
36 testadmin Test Subadmin Subadmin.MaxOverallUser=2100,Subadmin.MaxOverallUserByModuleaccess_webmail_plus=2010,Subadmin.MaxContext=2000


Manage contexts

When the reseller package has been installed, context listings contain additional information such as the owner of the single contexts.

$ /opt/open-xchange/sbin/listcontext -A oxadminmaster -P secret
cid fid fname       enabled qmax qused name        lmappings   CustomID         Owner
  1   3 1_ctx_store true     500     0 1                                        oxadminmaster
  2   3 2_ctx_store true     500     0 example.com example.com                  oxadminmaster
  3   3 3_ctx_store true     500     0 3                                        oxadminmaster
  4   3 4_ctx_store true     500     0 4                       a custom id 1234 testadmin    

The subadmin called testadmin can only list it's own context(s):

$ /opt/open-xchange/sbin/listcontext -A testadmin -P secret
cid fid fname       enabled qmax qused name lmappings CustomID         Owner    
  4   3 4_ctx_store true     500     0 4              a custom id 1234 testadmin

Using the SOAP Interface

To use the soap interface, you need to install open-xchange-admin-plugin-reseller-soap in addition.

Due to the fact, that we cannot use the plugin mechanism we're using in Java to extend the existing objects, the APIs and objects

  • OXContext
  • OXGroup
  • OXResource
  • OXUser
  • Context

had to be wrapped into new APIs

  • OXResellerContext
  • OXResellerGroup
  • OXResellerResource
  • OXResellerUser
  • ResellerContext

and the corresponding SOAP URLs

and of course the additional API to manage the subadmin accounts:

That also means that the existing SOAP interfaces for the mentioned classes above cannot be used anymore when installing the reseller package.

ResellerContext just adds some additional members to the existing Context object and the corresponding APIs just oberate on and return this wrapped class.