# Example of Google directory sync configuration.
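# Synchronisation configuration
sync:
  # A regular expression which is used to match the organization unit path for
  # Google users who should be excluded from the list returned by Google. Those
  # users do not exist for the purposes of the rest of the sync and so if they
  # appear in the list of managed users this script will attempt to re-add them
  # and fail in the process. Use this setting for users who are managed
  # completely outside of this script.
  #
  # NOTE(review): accounts matched here are invisible to the sync, so they are
  # never suspended or updated by it. Keep the pattern anchored (^...$) and as
  # narrow as possible, and make sure something else deprovisions them.
  ignore_google_org_unit_path_regex: '^/Service Accounts$'

  # The organization unit path in which new accounts are placed. New accounts
  # are subject to whatever Google policies apply to this organization unit.
  new_user_org_unit_path: '/'

  # Inter-batch delay in seconds. This is useful to avoid hitting Google rate
  # limits. Default: 5.
  inter_batch_delay: 5

  # Batch size for Google API calls. Google supports batching requests together
  # into one API call. This can be no greater than 1000 but in practice this
  # should be less to avoid hitting other Google rate limits. Default: 50.
  batch_size: 50

  # Number of times to retry HTTP requests if a 503 "Service Unavailable" is
  # received.
  http_retries: 2

  # Delay in seconds between HTTP 503 response retries.
  http_retry_delay: 5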
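# Configure limits defining maximum scope of changes.
#
# These limits are the safety net against a bad upstream result (for example
# an LDAP query that returns far fewer users than expected) turning into a
# mass suspension or mass update. Setting any of them to null removes that
# protection for the corresponding kind of change.
limits:
  # The abort_... settings below are safety limits and will abort the run if
  # the limits are violated. They are there to define the "sane limits" for an
  # update.

  # Refuse to perform sync if we are to "touch" more than this percentage of
  # users. The percentage of users "touched" is calculated as
  #
  #   (new google users + modified google users) / max(1, total google users)
  #
  # where "modified" includes metadata changes and suspension/restoration. As
  # such this calculated percentage can be greater than 100. Set to null to
  # have no limit. Default: null.
  #
  # NOTE(review): the formula as written yields a fraction rather than a
  # percentage; confirm how the tool scales it before relying on a small
  # value such as 2.
  abort_user_change_percentage: 2  # percent

  # The max_... settings below will not abort the run if the number of users
  # affected is greater than the specified number. Instead the number of users
  # affected is capped to that number. The selection of which users are
  # included in the capped number is arbitrary.
  #
  # Because the selection is arbitrary, a user who should lose access may stay
  # active until a later run whenever more suspensions are pending than the
  # cap allows. Monitor for runs that hit a cap.

  # Limit the number of new user creations per run. This is an absolute
  # number. Set to null to have no limit. Default: null.
  max_new_users: 100

  # Limit the number of user suspensions per run. This is an absolute number.
  # Set to null to have no limit. Default: null.
  max_suspended_users: 100

  # Limit the number of user un-suspensions (reactivations) per run. This is
  # an absolute number. Set to null to have no limit. Default: null.
  max_reactivated_users: 100

  # Limit the number of user metadata changes per run. This is an absolute
  # number. Set to null to have no limit. Default: null.
  max_updated_users: 100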
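# Google API configuration
google_api:
  # Authentication
  auth:
    # Path to on-disk JSON credentials used when accessing the API.
    #
    # These service account credentials are used to perform admin actions as
    # google_domain.admin_user, so anyone who can read the file can act as
    # that administrator. Keep it out of version control and readable only by
    # the account that runs the sync.
    credentials: './credentials.json'

    # Path to on-disk JSON credentials used when accessing the API in
    # "read-only" mode. Use this if you want to have a separate "safe" service
    # account which can only read data. If null, use the same credentials for
    # reading and writing. Default: null.
    #
    # With null, read-only operations run with the write-capable credentials
    # above; a separate read-only service account keeps those operations at
    # least privilege.
    read_only_credentials: null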
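# Details about the LDAP server
ldap:
  # Scheme and hostname of the LDAP server.
  #
  # Keep the ldaps:// scheme: the query results decide which Google accounts
  # are created and suspended, so they must not be readable or alterable in
  # transit.
  # NOTE(review): whether the server certificate is verified is not shown in
  # this file; confirm against the tool.
  host: 'ldaps://ldap.example.com'

  # LDAP search base. Filters are always relative to this.
  search_base: 'ou=people,o=example-corps,dc=example,dc=com'

  # Filter to use to determine the "eligible" list of users. If a non-admin
  # user is found on Google who isn't in this list, their account will be
  # suspended.
  #
  # An empty or truncated result from this filter therefore reads as "suspend
  # everyone missing"; the settings in the limits section are what bound the
  # damage, so do not leave them at null.
  eligible_user_filter: '(uid=*)'

  # Filter to use to determine the "managed" list of users. If a user appears
  # in this list who isn't in Google their account is created. If the user
  # metadata for a user in this list changes, the change is propagated to
  # Google. If null, the value of "eligible_user_filter" is used.
  # Default: null.
  managed_user_filter: null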
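# Details about the Google Domain we're managing.
google_domain:
  # Name of the domain.
  name: 'example.com'

  # Username within the GSuite for the user which has administration rights.
  # Should be an e-mail style name. E.g. "super-admin@example.com". The
  # service account credentials specified in the google_api.auth section are
  # used to perform admin actions as this user.
  #
  # NOTE(review): a dedicated admin account holding only the admin roles the
  # sync needs limits the impact if the service account credentials leak;
  # which roles are sufficient is not stated in this file.
  admin_user: 'super-admin@example.com'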