The OX Connector centrally manages users, groups, OX contexts, OX
access profiles and functional accounts with the web-based management system in
UCS. This section shows how.
To follow the tasks, you need to sign in to Univention Management Console (UMC)
with a user account with domain administration rights. For more information, see
Delegated administration for UMC modules in UCS 5.2 Manual [2].
OX App Suite uses contexts to collect users, groups, and resources for
collaboration in a virtual space. Data from one context isn’t visible to other
contexts. For more information about contexts, see
App Suite Context management [5].
To view, add, update, or delete a context, you navigate to
Domain ‣ OX Contexts in UMC.
Note
If you don’t want the OX Connector to manage contexts, you can manually
manage them in OX App Suite, as long as you maintain the context
configuration for the OX Connector in the file
/var/lib/univention-appcenter/apps/ox-connector/data/secrets/contexts.json.
This approach doesn’t require you to share the credentials for the OX context
administrator.
The OX Connector app adds a group to the same context as the group
members. When the last group member leaves the group, the connector removes the
group from OX App Suite.
To enable a group for OX App Suite, follow these steps:
Navigate to Users ‣ Groups in UMC and click to open.
.. tab-set::

   .. tab-item:: Add group

      To create a group:

      2. Click :guilabel:`Add` to create a group.

      #. On the *General* tab, fill out the required fields and add users as group
         members.

      #. Go to the *OX App Suite* tab and activate the checkbox *Activate Group in OX*.

      #. Click :guilabel:`Create group`.

   .. tab-item:: Update group

      To update a group:

      2. Click a group to edit.

      #. The UDM module *Groups* automatically enables *Activate Group in OX* when
         you edit a group. UMC displays a notification.

         If you don't want to enable the group, clear the checkbox *Activate Group
         in OX* on the *OX App Suite* tab.

      #. Click :guilabel:`Save`.

      .. warning::

         When you, as administrator, update a group that's already a group in OX App
         Suite, and you clear the checkbox *Activate Group in OX* on the *OX App
         Suite* tab, the connector removes this group from OX App Suite.

      To update a group from the command line, run the following command:

      .. code-block:: console

         $ udm groups/group modify --dn "$dn_of_group" --set isOxGroup=OK

   .. tab-item:: Remove group

      To remove a group from OX App Suite:

      2. Click a group to edit.

      #. Go to the *OX App Suite* tab and clear the checkbox *Activate Group
         in OX*.

      #. Click :guilabel:`Save`.

      To remove the group from OX App Suite through the command line, run the
      following command:

      .. code-block:: console

         $ udm groups/group modify --dn "$dn_of_group" --set isOxGroup=Not

The OX Connector already provides ready-to-use access profiles for OX App Suite
users. Administrators can create custom access profiles in UMC in the LDAP
directory module at Domain ‣ LDAP directory at the directory
location open-xchange/accessprofiles/.
OX App Suite shares functional mailboxes among other users in the same context.
With the UDM module oxmail/functional_account, administrators can add,
update or delete objects for functional accounts. OX App Suite users with the
same functional account share the read status. Emails to addresses of functional
accounts show up in the OX Mail view for every user where administrators granted
the permission.
Warning
Open-Xchange marked this feature as deprecated in favor of Shared accounts.
2.5.1. Default LDAP position for functional accounts
Added in version 2.2.12.
When you create a new oxmail/functional_account object in UMC, the
default position for these new objects in the directory tree is
cn=functional_accounts,cn=open-xchange,$LDAP_BASE.
However, you can add additional default containers for the
oxmail/functional_account so that UMC will ask for a position before
creating the new object.
In the UMC module LDAP directory, open the container univention
in the tree view (left) and then open the object defaultcontainers in
the object list (right). Click on OXAppsuite and add additional default
containers to the list of Default container for OX functional accounts.
The values are LDAP DNs of existing container objects in your LDAP directory,
which must include the LDAP base DN.
OX App Suite uses OX Resources to manage resources like rooms or equipment
that users can book for appointments. For more information about resource
management, see App Suite Resource management [6].
To view, add, update, or delete a resource, you navigate to
Domain ‣ OX Resources in UMC.
OX App Suite lets users and groups access shared accounts.
Users with a shared account can read its email and calendar entries.
As an administrator, you can configure fine-grained permissions for users and groups.
The OX Connector app provides UDM modules
to manage shared accounts and the permissions of users and groups.
Important
The Shared accounts feature requires OX App Suite version 8.49 or later.
A runtime check deactivates the feature
when OX App Suite doesn’t support shared accounts.
As an administrator, you can use the UDM module oxmail/shared_account
to add, update, or delete objects for shared accounts
and manage their permissions.
You can find the UDM module in the Management UI under LDAP directory
at the directory location open-xchange/shared_account.
Every oxmail/shared_account object contains a list of users and groups with their respective permissions.
Each user and group entry in the list links to an oxmail/shared_account_permissions object.
OX App Suite uses permission objects to control user and group access to shared accounts.
OX Connector provides ready-to-use permissions for OX App Suite shared accounts,
including Full Calendar Access, Full Mail Access, Full Mail and Calendar Access, and Read-Only Mail Access.
You can also create permissions to meet your requirements.
As an administrator, you can use the UDM module oxmail/shared_account_permissions
to create, update, or delete permissions for shared accounts.
You can find the UDM module in the Management UI under LDAP directory
at the directory location open-xchange/shared_account_permissions.
When you create an oxmail/shared_account object,
you can grant permissions to users and groups in UMC.
2.7.3. Migration from functional accounts to shared accounts
Added in version 3.2.1.
The shared accounts feature in OX App Suite
deprecates the old functional accounts.
OX Connector provides a script
that lets you migrate from functional accounts
to shared accounts.
Before you run the script,
Dovecot must use the email address
as the unique identifier for the mail accounts.
Danger
If your Dovecot installation uses a unique identifier
other than the email address,
don’t run the migration script.
In that case, the script deletes your functional accounts
and creates shared accounts without their content.
Test the migration script
and carefully review the results
before you use it in production.
The dry-run option runs the migration script without actually writing changes to OX App Suite,
and prints statements from the steps during the migration.
For information about the migration script parameters,
use the --help option.
It lists options for addressing multiple functional accounts in one run,
or for providing credentials through environment variables.
Depending on your deployment of the OX Connector,
choose one of the following options to run the migration.
Run the migration script on Nubus for UCS on the system
that has the OX Connector installed.
Use the commands in
Listing 2.1
and Listing 2.2.
In the listing you need to provide the values for the following inputs:
UDM_USERNAME
The username for the UDM user.
The user account must be a member of the Authorization groups
in the UDM HTTP REST API.
UDM_PASSWORD
The password for the UDM_USERNAME.
REST_API_HOSTNAME
The FQDN of the UDM HTTP REST API in your domain.
OPTIONAL_DESTINATION
The container for the shared account that the migration script creates.
DESTINATION_OX_CONTEXT
The OX Context where the shared account will be created.
Listing 2.2 Run the migration from functional accounts to shared accounts

.. code-block:: console

   $ univention-app shell ox-connector \
       /usr/local/share/ox-connector/resources/migrate_fupo_to_shared_account.py \
       "cn=example_fupo,cn=functional_accounts,cn=open-xchange,$(ucr get ldap/base)" \
       "Full Mail Access" \
       "$OPTIONAL_DESTINATION" \
       "$UDM_USERNAME" \
       "$UDM_PASSWORD" \
       "https://$REST_API_HOSTNAME/univention/udm" \
       --ox-context $DESTINATION_OX_CONTEXT

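Validating the inputs of Listing 2.2 before the run catches mistyped DNs and host names early. The following pre-flight check is an added example, not part of the OX Connector; the function names are hypothetical, and it assumes that an empty OPTIONAL_DESTINATION is allowed.

```shell
#!/bin/sh
# Added example, not OX Connector code. Function names are hypothetical.

# Lowercase a DN and drop spaces around commas so suffix comparison is stable.
norm_dn() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g'
}

# dn_under_base DN BASE: succeeds when DN is BASE or lies below it.
dn_under_base() (
    dn=$(norm_dn "$1")
    base=$(norm_dn "$2")
    [ -n "$base" ] || exit 1
    case "$dn" in
        ("$base" | *,"$base") exit 0 ;;
        (*) exit 1 ;;
    esac
)

# is_fqdn HOST: two or more dot-separated labels; rejects scheme, path, port.
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# preflight FUPO_DN LDAP_BASE: checks the Listing 2.2 variables, reports every
# problem on stderr, and returns non-zero if any check failed.
preflight() (
    rc=0
    # Fixed variable names only, so the eval below never sees user input.
    for v in UDM_USERNAME UDM_PASSWORD REST_API_HOSTNAME DESTINATION_OX_CONTEXT; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "unset or empty: $v" >&2; rc=1; }
    done
    is_fqdn "${REST_API_HOSTNAME:-}" ||
        { echo "REST_API_HOSTNAME is not an FQDN" >&2; rc=1; }
    dn_under_base "$1" "$2" ||
        { echo "functional account DN is not below $2" >&2; rc=1; }
    # Assumption: OPTIONAL_DESTINATION may be empty; if set, it must be below the base.
    [ -z "${OPTIONAL_DESTINATION:-}" ] ||
        dn_under_base "$OPTIONAL_DESTINATION" "$2" ||
        { echo "OPTIONAL_DESTINATION is not below $2" >&2; rc=1; }
    exit "$rc"
)

# Usage on the UCS system, before the command from Listing 2.2:
#   base=$(ucr get ldap/base)
#   preflight "cn=example_fupo,cn=functional_accounts,cn=open-xchange,$base" "$base"
```

Listing 2.2 passes UDM_PASSWORD as a command-line argument, which stays visible in the process list and shell history while the script runs. The --help output describes how to provide the credentials through environment variables instead.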
To run the migration script in your Nubus for Kubernetes environment,
use the following steps.
To configure the namespaces for your Nubus for Kubernetes environment
and the OX Consumer deployment,
set the environment variables as shown in Listing 2.3.
NAMESPACE_N4K
The Kubernetes namespace for your Nubus for Kubernetes deployment.
RELEASE_N4K
The release name for your Nubus for Kubernetes deployment.
To list the release names in your namespace,
run the command in Listing 2.4.
NAMESPACE_CONNECTOR
The Kubernetes namespace of your OX Connector deployment.
Typically, it’s the same namespace as for Nubus for Kubernetes.
Listing 2.3 Set environment variables for Nubus for Kubernetes and the OX Connector.
Listing 2.4 Show the release names in the namespace of Nubus for Kubernetes

.. code-block:: console

   $ helm --namespace "$NAMESPACE_N4K" list -q

Retrieve the LDAP base DN from your Nubus for Kubernetes environment.
You need the LDAP base DN of your Nubus for Kubernetes deployment.
You provided the LDAP base DN during the deployment of Nubus for Kubernetes
in your custom_values.yaml.
To retrieve the LDAP base DN,
run the command in Listing 2.5.
LDAP_BASE
The LDAP base DN of your directory service.
Listing 2.5 Retrieve parameters from Nubus for Kubernetes environment