Reseller Bundle: Difference between revisions
Revision as of 06:02, 17 July 2013
Open-Xchange Reseller package
The reseller package introduces an additional layer of permissions, so-called subadmins.
- subadmins can be managed by the oxadminmaster account
- subadmins are oxadminmaster accounts with restricted rights:
  - they can only manage contexts (no database, filestore, etc.)
  - they can only manage their own contexts (list/change/delete)
  - they might be able to create further subadmins (see below)
The available restrictions and what they do are documented in the javadoc API documentation, which on Debian is installed in /usr/share/doc/open-xchange-admin-plugin-reseller/javadoc/doc.
These are basically the restrictions available:
Subadmin.MaxOverallUser - the maximum number of users a subadmin can create, distributed over all its contexts
Subadmin.MaxContext - the maximum number of contexts a subadmin can create
Context.MaxUser - the maximum number of users a contextadmin can create in a single context. Note: this is a restriction that a subadmin can apply to each context.
Subadmin.MaxOverallContextQuota - the maximum quota a subadmin can use, distributed over all contexts
Subadmin.CanCreateSubadmin - Should this subadmin be able to create subsubadmins? This is NOT allowed by default. There's also only one additional level. Note: A subsubadmin cannot create any further subadmins.
Subadmin.MaxSubadmin - If a subadmin is allowed to create subsubadmins, should there be a maximum?
plus all the restrictions based on module access combinations as found in /opt/open-xchange/etc/admindaemon/ModuleAccessDefinitions.properties
Install on OX AppSuite
Debian GNU/Linux 11.0
Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:
deb https://software.open-xchange.com/products/stable/DebianBullseye/ /
# if you have a valid maintenance subscription, please uncomment the
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/products/stable/updates/DebianBullseye/ /
and run
$ apt-get update
$ apt-get install open-xchange-admin-plugin-reseller
Debian GNU/Linux 12.0
Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:
deb https://software.open-xchange.com/products/stable/DebianBookworm/ /
# if you have a valid maintenance subscription, please uncomment the
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/products/stable/updates/DebianBookworm/ /
and run
$ apt-get update
$ apt-get install open-xchange-admin-plugin-reseller
Setup and Configuration
The reseller package requires additional tables in the configdb database as well as the package open-xchange-admin-autocontextid to be installed.
With open-xchange-admin-autocontextid installed, context ids can no longer be specified and maintained by the system administrator, but are generated by open-xchange itself. This is a requirement because reseller admins do not know which context ids are already in use.
To add the new tables to the configdb, either run
$ mysql -u openexchange -p<YOURPW> configdb \
    < /opt/open-xchange/etc/mysql/reseller.sql
$ mysql -u openexchange -p<YOURPW> configdb \
    < /opt/open-xchange/etc/mysql/autocid.sql
or on a fresh setup, when running initconfigdb, add the following arguments:
$ /opt/open-xchange/sbin/initconfigdb --configdb-pass secret -a \
    --addon-sql "reseller.sql autocid.sql"
Important: Neither MASTER_AUTHENTICATION_DISABLED=true nor CONTEXT_AUTHENTICATION_DISABLED=true may be set in /opt/open-xchange/etc/AdminDaemon.properties.
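A pre-flight check for the requirement above, as an added example that is not part of the original page or of Open-Xchange. It assumes AdminDaemon.properties follows standard Java .properties syntax; the function name check_admin_auth and the sample file are constructed for illustration.

```shell
#!/bin/sh
# check_admin_auth FILE
# Prints every *_AUTHENTICATION_DISABLED key that is set to true and returns 1
# if there is one; returns 0 if authentication is left enabled.
check_admin_auth() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Assumed .properties syntax: "key=value", "key: value" or "key value";
    # lines starting with # or ! are comments; the last assignment wins.
    # Values are compared case-insensitively to stay on the safe side.
    awk '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /^(MASTER|CONTEXT)_AUTHENTICATION_DISABLED[ \t]*[=: \t]/)) {
                key = line; sub(/[ \t]*[=: \t].*$/, "", key)
                val = line; sub(/^[A-Z_]+[ \t]*[=:]?[ \t]*/, "", val)
                sub(/[ \t\r]+$/, "", val)
                seen[key] = tolower(val)
            }
        }
        END {
            bad = 0
            for (k in seen) if (seen[k] == "true") { print k "=true"; bad = 1 }
            exit bad
        }
    ' "$file"
}

# Constructed sample file, not taken from a real installation.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'MASTER_AUTHENTICATION_DISABLED=false' \
    'CONTEXT_AUTHENTICATION_DISABLED = true' > "$sample"
check_admin_auth "$sample" || echo "authentication disabled: fix before creating subadmins"
rm -f "$sample"
```

On a real system, call check_admin_auth /opt/open-xchange/etc/AdminDaemon.properties before running initrestrictions.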
Initializing the restrictions
After the additional tables in the configdb have been created, the restrictions must be initialized. This can be done via RMI, SOAP or on the command line using
$ initrestrictions -A oxadminmaster -P secret
Manage subadmins
Subadmin accounts can be managed via the createadmin, changeadmin and deleteadmin commands installed to /opt/open-xchange/sbin.
Example:
$ /opt/open-xchange/sbin/createadmin -A oxadminmaster -P secret -u testadmin \
    -d "Test Subadmin" -p secret -a Subadmin.MaxContext=2000 \
    -a Subadmin.MaxOverallUser=2100 \
    -a Subadmin.MaxOverallUserByModuleaccess_webmail_plus=2010
This would create a subadmin that can create at most 2000 contexts containing at most 2100 users, of which at most 2010 can have the module access combination webmail_plus.
List it with
$ /opt/open-xchange/sbin/listadmin -A oxadminmaster -P secret
Id Name Displayname Restrictions
36 testadmin Test Subadmin Subadmin.MaxOverallUser=2100,Subadmin.MaxOverallUserByModuleaccess_webmail_plus=2010,Subadmin.MaxContext=2000
Manage contexts
When the reseller package has been installed, context listings contain additional information such as the owner of each context.
$ /opt/open-xchange/sbin/listcontext -A oxadminmaster -P secret
cid fid fname enabled qmax qused name lmappings CustomID Owner
1 3 1_ctx_store true 500 0 1 oxadminmaster
2 3 2_ctx_store true 500 0 example.com example.com oxadminmaster
3 3 3_ctx_store true 500 0 3 oxadminmaster
4 3 4_ctx_store true 500 0 4 a custom id 1234 testadmin
The subadmin called testadmin can only list its own context(s):
$ /opt/open-xchange/sbin/listcontext -A testadmin -P secret
cid fid fname enabled qmax qused name lmappings CustomID Owner
4 3 4_ctx_store true 500 0 4 a custom id 1234 testadmin
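An added audit example (not part of the original page or of Open-Xchange) that checks the two properties described above from saved listadmin and listcontext output: a subadmin sees only its own contexts, and no subadmin owns more contexts than its Subadmin.MaxContext. The function names and the sample data, including the limit of 1, are constructed for illustration.

```shell
#!/bin/sh
# Relies on the column layout of the listings above: Owner is the last
# listcontext column; Name is the second listadmin column, Restrictions the last.

# foreign_contexts OWNER < listcontext-output
# Prints the cid of each context not owned by OWNER; returns 1 if any exist.
foreign_contexts() {
    awk -v owner="$1" '
        NR == 1 || NF == 0 { next }          # header or blank line
        $NF != owner { print $1; bad = 1 }
        END { exit bad + 0 }'
}

# over_context_limit LISTADMIN_FILE LISTCONTEXT_FILE
# Prints "name owned/limit" for each subadmin above its Subadmin.MaxContext.
over_context_limit() {
    awk '
        FNR == 1 || NF == 0 { next }
        FILENAME == ARGV[1] {                # listadmin rows
            n = split($NF, r, ",")
            for (i = 1; i <= n; i++)
                if (r[i] ~ /^Subadmin\.MaxContext=[0-9]+$/) {
                    split(r[i], kv, "="); limit[$2] = kv[2]
                }
            next
        }
        { owned[$NF]++ }                     # listcontext rows
        END {
            for (a in limit)
                if (owned[a] + 0 > limit[a] + 0) { print a, owned[a] "/" limit[a]; bad = 1 }
            exit bad + 0
        }' "$1" "$2"
}

# Constructed sample data in the format of the listings above.
demo=$(mktemp -d)
cat > "$demo/admins" <<'EOF'
Id Name Displayname Restrictions
36 testadmin Test Subadmin Subadmin.MaxOverallUser=2100,Subadmin.MaxContext=1
EOF
cat > "$demo/contexts" <<'EOF'
cid fid fname enabled qmax qused name lmappings CustomID Owner
1 3 1_ctx_store true 500 0 1 oxadminmaster
4 3 4_ctx_store true 500 0 4 a custom id 1234 testadmin
5 3 5_ctx_store true 500 0 5 testadmin
EOF
foreign_contexts testadmin < "$demo/contexts" || echo "^ cids not owned by testadmin"
over_context_limit "$demo/admins" "$demo/contexts" || echo "^ above Subadmin.MaxContext"
rm -rf "$demo"
```

Feed foreign_contexts the output of listcontext run with the subadmin's own credentials: any cid it prints means the subadmin can see a context it does not own.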
Using the SOAP Interface
To use the SOAP interface, you additionally need to install open-xchange-admin-plugin-reseller-soap.
Because the plugin mechanism used in Java to extend the existing objects cannot be used here, the APIs and objects
- OXContext
- OXGroup
- OXResource
- OXUser
- Context
had to be wrapped into new APIs
- OXResellerContext
- OXResellerGroup
- OXResellerResource
- OXResellerUser
- ResellerContext
and the corresponding SOAP URLs
- http://localhost/servlet/axis2/services/OXResellerContextService?wsdl
- http://localhost/servlet/axis2/services/OXResellerUserService?wsdl
- http://localhost/servlet/axis2/services/OXResellerGroupService?wsdl
- http://localhost/servlet/axis2/services/OXResellerResourceService?wsdl
and of course the additional API to manage the subadmin accounts:
That also means that the existing SOAP interfaces for the classes mentioned above can no longer be used once the reseller package is installed.
ResellerContext just adds some additional members to the existing Context object, and the corresponding APIs operate on and return this wrapped class.