Changes

2,821 bytes added , 06:40, 21 July 2017

Broken link

Line 1: Line 1: −

===~~Chapter 9.~~ Collaboration===

<noinclude>{{Languages}}</noinclude>

===Collaboration===

−

====~~9.1.~~ Users====

====Users====

User accounts should be set up for each person in your organization. A user account includes separate, password-protected email and file storage areas.

Line 15: Line 16:

From the list of user accounts, you can easily modify or remove a user account (by clicking on "modify" or "remove" next to the user name) or set the user's password. User accounts are locked out and cannot be used until you set the initial password for each account . As a reminder of this, user accounts appear in red until the password is changed. (In the example shown here, the administrator has not yet changed the password for user "Sally Salmon").

−

{{~~DrawBoxNote~~|~~content=~~If you want someone to have an email address at your company, but want the messages forwarded to another external email address, you can create the user account but set the email delivery option in the user account to 'Forward to address below' and enter the external address. If you leave the user account locked out, the user will not be able to access services on your server, but the email will be delivered to the external email address.}}

{{Note box|If you want someone to have an email address at your company, but want the messages forwarded to another external email address, you can create the user account but set the email delivery option in the user account to 'Forward to address below' and enter the external address. If you leave the user account locked out, the user will not be able to access services on your server, but the email will be delivered to the external email address.}}

−

=====~~9.1.1.~~ Disabling User Accounts=====

=====Disabling User Accounts=====

There may be times when you do not wish to delete a user account but instead merely want to disable it. For instance, when an employee leaves the company, you may want to immediately remove their access to the server, but still keep their files or email address active until the information can be examined. To disable any user account on your server, just click on the Lock Account link on the User Accounts server-manager panel. As soon as you click the link, the account will be locked out. The user will no longer be able to retrieve email or connect to any files or other resources on the server.

Line 24: Line 25:

To re-enable the user account, you need to reset the password using the link on the User Accounts server-manager panel.

−

=====~~9.1.2.~~ Changing User Passwords=====

=====Changing User Passwords=====

−

Once they have an active account, your users can set their own passwords by accessing the user-password URL which is only accessible from Local Networks. They do this through their web browsers by visiting the URL www.yourdomain.xxx~~:User_Manual~~-password (where "www.yourdomain.xxx" is the web server name you entered into the server console). The staff at The Pagan Vegan would visit the URL www.~~tofu-dog~~.~~com:User_Manual~~-password .

Once they have an active account, your users can set their own passwords by accessing the user-password URL which is only accessible from Local Networks. They do this through their web browsers by visiting the URL www.yourdomain.xxx/user-password (where "www.yourdomain.xxx" is the web server name you entered into the server console). The staff at The Pagan Vegan would visit the URL www.yourdomain.xxx/user-password .

To make the change, a user would enter his or her account name (the characters before "@"), the old password and the new password (to ensure accuracy, the screen asks for the new password twice). Note that changing the password for a user in the server-manager overrides any previous password entered by your user. Therefore, when a user forgets his password, simply reset it in the server- manager.

−

~~{{DrawBoxnote|content=There is no way for the administrator to recover a forgotten password for a user. All they can do is set a new password for the user.}}~~

−

{{~~DrawBoxNote~~|~~content=~~'''Password strength checking is too strong. How do I change it?'''

{{Note box|There is no way for the administrator to recover a forgotten password for a user. All they can do is set a new password for the user.}}

{{Note box|'''Password strength checking is too strong. How do I change it?'''

First a warning - Far too many systems out there have weak passwords and they will be broken into. Educating your users on the necessity of strong passwords is the best option. If that fails, here is how you change the password strength checking from 'strong' to 'normal', which was the setting in previous versions of SME. Be careful to use the exact capitalization.

−

~~ ~~

−

config setprop passwordstrength Users normal ~~ ~~

config setprop passwordstrength Users normal

−

config setprop passwordstrength Ibays normal ~~ ~~

config setprop passwordstrength Ibays normal

−

~~ ~~

It is also possible, but strongly discouraged, to disable password strength checking by setting to 'none'

}}

The following settings are available to specify the password strength on SME Server:

! setting explanation

| ''strong''

| The password is passed through Cracklib for dictionary type word checking as well as requiring upper case, lower case, number, non alpha and a mimimum length of 7 characters.

| ''normal''

| The password requires upper case, lower case, number, non alpha and a minimum length of 7 characters.

| ''none''

| The password can be anything as no checking is done.

Please note that "none" does not mean no password, it just means no password strength checking, so you can enter any (weak) password you want as long as it is at least 7 characters long.

−

====~~9.2.~~ Groups====

====Groups====

This screen allows you to create, remove or change user groups, which are simply lists of people with a shared interest - for example, they work in the same department or are collaborating on a project. The user group function serves two purposes in the SME Server: it permits email to be sent conveniently to a group of users, and it allows the system administrator to associate groups of users with a single information bay (i-bay).

Line 48: Line 68:

Creating a new group is a simple three-step process. You enter the group name (as with account names, these should begin with a lower-case letter and consist only of lower-case letters and numbers), followed by a brief description. Finally, check the boxes next to the names of the users who should be associated with that group.

−

{{~~DrawBoxWarning~~|~~content=~~When you create a group, you are required to assign at least one user to that group. If you fail to do so, the group will not be created and you will receive an error message.}}

{{Warning box|When you create a group, you are required to assign at least one user to that group. If you fail to do so, the group will not be created and you will receive an error message.}}

[[bugzilla:6934]]

After you add (or remove) a user account from a group, the user must log out and log back in for those changes to take effect. Until the user does so, he or she will still have their old group membership information. For instance, suppose you create a new group "sales" and assign user "ffrog" (Fred Frog) to that group. You then create a new i-bay called "salesinfo" that only the "sales" group can access, until Fred logs out and then logs back in he will not have access to the new "sales" group and its ibay "salesinfo".

{{Note box|A windows user who is still logged into a Windows PC and tries to connect to the new i-bay through Windows Explorer. They will receive a permission-denied error. They must log out of Windows (they do not need to shut down or reboot, just log out) and login again. Now they should be able to go through Windows Explorer and access the "salesinfo" i-bay without any problem.}}

−

~~After~~ you ~~add (or remove) a user account from~~ a ~~group, the user must log out~~ and ~~log back in for those changes to take effect. Until~~ the ~~user does so, he or she will still~~ have ~~their old group membership information. For instance, suppose you create a new group "sales" and assign user "ffrog" (Fred Frog) to that group. You~~ then ~~create a new i-bay called "salesinfo" that only the "sales" group can access. Fred Frog is still logged into a Windows PC and now tries~~ to ~~connect~~ to the ~~new i-bay through Windows Explorer. He will receive~~ a permission-denied error. He must log out of Windows (he does not need to shut down or reboot, just log out) and login again. Now he should be able to go through Windows Explorer and access the "salesinfo" i-bay without any problem.

====Setting Windows Admin Rights====

If you are using SME Server as a domain controller and the windows workstations have joined the domain then by adding users to special groups you are able to change the rights a users has on that workstation.

−

====9.3. Quotas====

The domain always has three groups created, assigned as follows:

{| border="1" cellpadding="10" cellspacing="0"

!Group Description

!Domain Rights

|Domain Admins

|admin

|Domain Users

|shared (everyone)

|Domain Guests

|nobody

If you create a group and name it whatever you want but put one of the above for the description then the newly created group will replace the above mapping. So if you create a group called "admins" and give it a description of "Domain Admins" then anyone you assign to this group will be a domain admin and also a local admin on ANY box that has joined the domain.

You can also create a less privileged group "Power Users"

see https://ss64.com/nt/syntax-security_groups.html and https://www.howtogeek.com/school/windows-network-sharing/lesson1/all/ for the rights granted to the different groups.

====Quotas====

By default, there is no size limit on the files a user may store on the server nor the amount of email that can be received. However, if you wish to limit the disk space a particular user account can use, you may do so on the " Quotas " panel in the server-manager. As shown in the image below, you will see a list of user accounts, the actual disk space they are using and the quotas, if any, set for that user account.

[[Image:Quotas.png]]

−

{{~~DrawBoxWarning~~|~~content=~~Note that the quotas apply to all files that a user stores on the server. This includes not just their home directory, but also all files that they may put into any of the i-bays.}}

{{Warning box|Note that the quotas apply to all files that a user stores on the server. This includes not just their home directory, but also all files that they may put into any of the i-bays.}}

There are two quotas that can be applied to each user account:

Line 64: Line 111:

Note that if the user account exceeds the "Limit with grace period" for seven consecutive days, the account will be treated as if it exceeded the absolute limit and will no longer be able to save files or receive email.

−

{{~~DrawBoxWarning~~|~~content=~~Email for the user account is not lost! It is held in the delivery queue and will be delivered to the user when their disk usage drops back below their absolute limit (or the "limit with grace period" if they were locked out due to seven days above that limit).}}

{{Warning box|Email for the user account is not lost! It is held in the delivery queue and will be delivered to the user when their disk usage drops back below their absolute limit (or the "limit with grace period" if they were locked out due to seven days above that limit).}}

{{note box|msg=In certains cases you have some mailboxes which can't delivery messages and the qmail log say:

deferral: Temporary_error_on_maildir_delivery._(#4.3.0)/

It is probably that your users want to go beyond the upper limit of their quota, [[SME_Server:Documentation:Administration_Manual:Chapter9#Quotas|so you have to increase it]]. This could solve their problems. see [[bugzilla:7738]]}}

By selecting " Modify " you are able to set a quota (in Megabytes) for a particular user account. Note that you do not have to set both limits for a user account and can choose to set only one of the limits.

Line 70: Line 122:

If you set a limit and later wish to disable the quota for a given user account, all you need to do is set the limit to "0".

−

====~~9.4.~~ Pseudonyms====

====Pseudonyms====

Any user who has an account on your SME Server will be able to receive email sent to that user ID. For instance, if you have a user named Fred Frog with the user account "ffrog", his primary email address will be "ffrog@mycompany.xxx".

Line 81: Line 133:

If you wish to modify or remove any of these pseudonyms, or create new ones, you can use the web panel found under the "Collaboration" section of the server-manager, as shown below.

−

{{~~DrawBoxNote~~|~~content=~~The special pseudonyms of "everyone", "postmaster" and "mailer-daemon" will only be visible after you have either added a user account to the system or have added a custom pseudonym. Until that time, these three pseudonyms are there, but will not be visible on the Pseudonyms web panel.}}

{{Note box|The special pseudonyms of "everyone", "postmaster" and "mailer-daemon" will only be visible after you have either added a user account to the system or have added a custom pseudonym. Until that time, these three pseudonyms are there, but will not be visible on the Pseudonyms web panel.}}

[[Image:Pseudonyms.png]]

Line 89: Line 141:

[[Image:Create-a-pseudonym.png]]

=====Practical usage guidelines=====

−

~~'''Practical usage guidelines'''~~

An SME Server has only one name set, meaning only one occurrence of a name can be in the system, whether it be a user, a group, a pseudonym or an ibay. Therefore whenever you create a user account and you have multiple domains, then that user will apply to all domains automatically.

−

~~An SME Server has only one name set, meaning only one occurrence of a name can be in the system, whether it be a user, a group, a pseudonym or an ibay.~~

So the user account "sales" will receive email for:

−

*sales@domain1

−

~~Therefore whenever you create a user account and you have multiple domains, then that user will apply to all domains automatically.~~

*sales@domain2

−

*sales@domain3

−

So the user account "sales" will receive email for

*sales@domain4

−

sales@domain1

−

sales@domain2

−

sales@domain3

−

sales@domain4

The problem with this is that you cannot have different people using the same user account name to collect email.

Line 108: Line 157:

The golden rule is never allocate unique user names to end users accounts as these will no longer be available for globalname@domain type email address usage.

−

eg create your domains eg domain1, domain2, domain3, domain4 and configure those domains to use different ibays for the web content.

*create your domains eg domain1, domain2, domain3, domain4 and configure those domains to use different ibays for the web content. You can even setup different groups to allow only different users to access each ibay to update web content etc.

−

You can even setup different groups to allow only different users to access each ibay to update web content etc.

−

create user accounts user1, user2, user3, user4 as needed for users who want to use the email address "sales", but keep in mind they will use the login name user1 rather than sales (the login names could be johnb, johnb2, johnw, johnm etc)

−

~~create user accounts user5, user6, user7, user8 as needed for users who want to use the email address "info", but keep in mind they will use the login name user5 etc rather than info~~

−

create user accounts ~~user9~~, ~~user10~~, ~~user11~~, ~~user12~~ as needed for users who want to use the email address "~~accounts~~", but keep in mind they will use the login name ~~user9 etc~~ rather than ~~accounts~~

*create user accounts user1, user2, user3, user4 as needed for users who want to use the email address "sales", but keep in mind they will use the login name user1 rather than sales (the login names could be johnb, johnb2, johnw, johnm etc)

−

create ~~pseudonyms eg~~

*create user accounts user5, user6, user7, user8 as needed for users who want to use the email address "info", but keep in mind they will use the login name user5 etc rather than info

−

~~sales@domain1 which forwards~~ to ~~user1~~

−

~~sales@domain2 which forwards to user2~~

−

~~sales@domain3 which forwards to user3~~

−

~~sales@domain4 which forwards to user4~~

−

~~info@domain1 which forwards~~ to ~~user5~~

*create user accounts user9, user10, user11, user12 as needed for users who want to use the email address "accounts", but keep in mind they will use the login name user9 etc rather than accounts

−

~~info@domain2 which forwards to user6~~

−

~~info@domain3 which forwards to user7~~

−

~~info@domain4 which forwards to user8~~

−

accounts@domain1 which forwards to user9

*create pseudonyms eg

−

accounts@domain2 which forwards to user10

**sales@domain1 which forwards to user1

−

accounts@domain3 which forwards to user11

**sales@domain2 which forwards to user2

−

accounts@domain4 which forwards to user12

**sales@domain3 which forwards to user3

**sales@domain4 which forwards to user4

**info@domain1 which forwards to user5

**info@domain2 which forwards to user6

**info@domain3 which forwards to user7

**info@domain4 which forwards to user8

**accounts@domain1 which forwards to user9

**accounts@domain2 which forwards to user10

**accounts@domain3 which forwards to user11

**accounts@domain4 which forwards to user12

ie. in the pseudonyms field type the whole pseudonym name as sales@domain1

Line 144: Line 190:

If you want webmail to be configured for the correct domain for the correct end user the first time they use it, then you will need to do that manually yourself before issuing the login details to the user, eg

−

login to webmail as the end user eg user1 (for domain1) and setup the profile for that user to show the return email address of sales@domain1

login to webmail as the end user eg user1 (for domain1) and setup the profile for that user to show the return email address of sales@domain1 login to webmail as the end user eg user2 (for domain2) and setup the profile for that user to show the return email address of sales@domain2

−

login to webmail as the end user eg user2 (for domain2) and setup the profile for that user to show the return email address of sales@domain2

Do the same for all other webmail accounts that will be issued configuring the profile and return address as applicable.

If you don't configure webmail profiles manually then they will have the default return address of loginusername@domain1 (or the main domain name of the server if different).

−

'''Summary'''

Line 193: Line 236:

See this thread for details

−

http://forums.contribs.org/index.php?topic=30953.0

Removing the default SME server behaviour to '''auto create pseudonyms'''. In this scenario (multiple domains) you may not require or desire the need of the default behaviour of auto creation of pseudonyms.

To achieve this comment with an # at beginning the line 793 into

/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/useraccounts.pm

{{Note box|Please not that the path to esmith perl libraries has changed as of SME Server 9.x to '''/usr/share/perl5/vendor_perl/esmith'''.}}

the line should be like

# $accountdb->create_user_auto_pseudonyms($acctName);

−

====~~9.5.~~ Information Bays====

====Information Bays====

−

The i-bay (information bay) feature of the SME Server is a simple, very flexible and powerful way for you to share information with others. It is such a rich and important feature that we've devoted [[http://~~smeserver~~.~~sourceforge~~.~~netSME_Server~~:Documentation:Administration_Manual:Chapter14~~?v=xyo|~~Chapter 14]] entirely to dealing with Information Bays.

The i-bay (information bay) feature of the SME Server is a simple, very flexible and powerful way for you to share information with others. It is such a rich and important feature that we've devoted [http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter14 Chapter 14] entirely to dealing with Information Bays.

Trex

Administrators

1,574

edits

Retrieved from "https://wiki.koozali.org/Special:MobileDiff/390...33759"

Changes

SME Server:Documentation:Administration Manual:Chapter9 (view source)

Revision as of 06:40, 21 July 2017

Navigation menu

Search