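---
# Example of Google directory sync configuration.
#
# NOTE(review): the indentation of this example had been lost when it was
# pasted; the nesting below is reconstructed from the section comments.
# Confirm it against the sync script's configuration loader before relying on
# it.

# Synchronisation configuration
sync:
  # A regular expression which is used to match the organization unit path for
  # Google users who should be excluded from the list returned by Google. Those
  # users do not exist for the purposes of the rest of the sync and so if they
  # appear in the list of managed users this script will attempt to re-add them
  # and fail in the process. Use this setting for users who are managed
  # completely outside of this script. The example is anchored (^...$) so only
  # that exact org unit path matches, not every path containing the words.
  ignore_google_org_unit_path_regex: '^/Service Accounts$'

  # The organization unit path in which new accounts are placed.
  new_user_org_unit_path: '/'

  # Suffix appended to the names of groups created in Google. The Google group
  # name will be "{groupName}{group_name_suffix}", where {groupName} is the
  # Lookup group name. The value is quoted because it starts with a space,
  # which a plain (unquoted) scalar would strip.
  group_name_suffix: ' from lookup.cam.ac.uk'

  # Settings to be applied to groups in Google. These settings are applied to
  # both new and existing groups imported from Lookup.
  # See https://developers.google.com/admin-sdk/groups-settings/v1/reference/groups#json
  group_settings:
    whoCanJoin: INVITED_CAN_JOIN
    whoCanViewMembership: ALL_IN_DOMAIN_CAN_VIEW
    whoCanViewGroup: ALL_MEMBERS_CAN_VIEW
    whoCanPostMessage: ALL_IN_DOMAIN_CAN_POST
    # The two flag values below are deliberately quoted: the Groups Settings
    # API resource carries them as the strings "true"/"false", and an unquoted
    # value would be loaded as a YAML boolean instead.
    allowWebPosting: 'false'
    messageModerationLevel: MODERATE_ALL_MESSAGES
    includeInGlobalAddressList: 'true'
    whoCanLeaveGroup: NONE_CAN_LEAVE
    whoCanContactOwner: ALL_MANAGERS_CAN_CONTACT
    whoCanModerateMembers: OWNERS_ONLY
    whoCanDiscoverGroup: ALL_IN_DOMAIN_CAN_DISCOVER

  # Inter-batch delay in seconds. This is useful to avoid hitting Google rate
  # limits. Default: 5.
  inter_batch_delay: 5

  # Batch size for Google API calls. Google supports batching requests together
  # into one API call. This can be no greater than 1000 but in practice this
  # should be less to avoid hitting other Google rate limits. Default: 50.
  batch_size: 50

  # Number of times to retry HTTP requests if a 503 "Service Unavailable" is
  # received.
  http_retries: 2

  # Delay in seconds between HTTP 503 response retries.
  http_retry_delay: 5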
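# Configure limits defining maximum scope of changes.
#
# The sync suspends Google users and deletes Google groups that are not
# returned by the LDAP "eligible" filters (see the ldap section), so these
# limits are the main guard against an empty or mis-scoped LDAP result
# mass-suspending accounts or deleting groups in a single run.
limits:
  # The abort_... settings below are safety limits and will abort the run if
  # the limits are violated. They are there to define the "sane limits" for an
  # update.

  # Refuse to perform sync if we are to "touch" more than this percentage of
  # users. The percentage of users "touched" is calculated as
  #
  #   (new google users + modified google users) / max(1, total google users)
  #
  # where "modified" includes metadata changes and suspension/restoration. As
  # such this calculated percentage can be greater than 100. Set to null to
  # have no limit. Default: null.
  abort_user_change_percentage: 2  # percent

  # Refuse to perform sync if we are to "touch" more than this percentage of
  # groups. The percentage of groups "touched" is calculated as
  #
  #   (new google groups + modified google groups) / max(1, total google groups)
  #
  # where "modified" includes metadata changes and deletion. As such this
  # calculated percentage can be greater than 100. Set to null to have no
  # limit. Default: null.
  abort_group_change_percentage: 2  # percent

  # Refuse to perform sync if we are to "touch" more than this percentage of
  # overall group memberships. The percentage of group memberships "touched" is
  # calculated as
  #
  #   (new memberships + deleted memberships) / max(1, total google group memberships)
  #
  # As such this calculated percentage can be greater than 100. Set to null to
  # have no limit. Default: null.
  abort_member_change_percentage: 2  # percent

  # The max_... settings below will not abort the run if the number of items
  # affected is greater than the specified number. Instead the number of items
  # affected is capped to that number. The selection of which items are
  # included in the capped number is arbitrary, so a capped run is not a
  # predictable subset and the remaining changes only happen on later runs.

  # Limit the number of new user creations per run. This is an absolute number.
  # Set to null to have no limit. Default: null.
  max_new_users: 100

  # Limit the number of new group creations per run. This is an absolute
  # number. Set to null to have no limit. Default: null.
  max_new_groups: 100

  # Limit the number of user suspensions per run. This is an absolute number.
  # Set to null to have no limit. Default: null.
  max_suspended_users: 100

  # Limit the number of group deletions per run. This is an absolute number.
  # Set to null to have no limit. Default: null.
  max_deleted_groups: 100

  # Limit the number of user un-suspensions (reactivations) per run. This is an
  # absolute number. Set to null to have no limit. Default: null.
  max_reactivated_users: 100

  # Limit the number of user metadata changes per run. This is an absolute
  # number. Set to null to have no limit. Default: null.
  max_updated_users: 100

  # Limit the number of group metadata changes per run. This is an absolute
  # number. Set to null to have no limit. Default: null.
  max_updated_groups: 100

  # Limit the total number of group members to insert per run. This is an
  # absolute number. Set to null to have no limit. Default: null.
  max_inserted_members: 100

  # Limit the total number of group members to delete per run. This is an
  # absolute number. Set to null to have no limit. Default: null.
  max_deleted_members: 100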
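# Google API configuration
google_api:
  # Authentication
  auth:
    # Path to on-disk JSON credentials used when accessing the API. A service
    # account JSON credentials file normally contains the account's private
    # key, so keep it out of version control and readable only by the account
    # that runs the sync.
    credentials: './credentials.json'

    # Path to on-disk JSON credentials used when accessing the API in
    # "read-only" mode. Use this if you want to have a separate "safe" service
    # account which can only read data, so that read-only runs cannot modify
    # the domain even if mis-configured. If null, use the same credentials for
    # reading and writing. Default: null.
    read_only_credentials: null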
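# Details about the LDAP server
ldap:
  # Scheme and hostname of the LDAP server. The ldaps:// scheme is used here so
  # the directory data that drives account suspension and group deletion is
  # fetched over TLS rather than in the clear.
  host: 'ldaps://ldap.example.com'

  # LDAP search base for users. Person filters are always relative to this.
  user_search_base: 'ou=people,o=example-corps,dc=example,dc=com'

  # LDAP search base for groups. Group filters are always relative to this.
  group_search_base: 'ou=groups,o=example-corps,dc=example,dc=com'

  # LDAP search base for institutions. Institution filters are always relative
  # to this.
  inst_search_base: 'ou=insts,o=example-corps,dc=example,dc=com'

  # Filter to use to determine the "eligible" list of users. If a non-admin
  # user is found on Google who isn't in this list, their account will be
  # suspended. A filter that matches nobody (a mistyped attribute, say) would
  # therefore presumably propose suspending every non-admin user; the
  # abort_... thresholds in the limits section are what catch that.
  eligible_user_filter: '(uid=*)'

  # Filter to use to determine the "eligible" list of groups. If a group is
  # found on Google that isn't in this list, it will be deleted.
  eligible_group_filter: '(groupID=*)'

  # Filter to use to determine the "eligible" list of institutions. If an
  # institution is found on Google that isn't in this list, it will be deleted.
  eligible_inst_filter: '(instID=*)'

  # Filter to use to determine the "managed" list of users. If a user appears
  # in this list who isn't in Google their account is created. If the user
  # metadata for a user in this list changes, the change is propagated to
  # Google. If null, the value of "eligible_user_filter" is used.
  # Default: null.
  managed_user_filter: null

  # Filter to use to determine the "managed" list of groups. If a group appears
  # in this list that isn't in Google it is created. If the group metadata or
  # list of members for a group in this list changes, the change is propagated
  # to Google. If null, the value of "eligible_group_filter" is used.
  # Default: null.
  managed_group_filter: null

  # Filter to use to determine the "managed" list of institutions. If an
  # institution appears in this list that isn't in Google it is created. If the
  # institution metadata or list of members for an institution in this list
  # changes, the change is propagated to Google. If null, the value of
  # "eligible_inst_filter" is used. Default: null.
  managed_inst_filter: null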
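# Details about the Google Domain we're managing.
google_domain:
  # Name of the domain.
  name: 'example.com'

  # If using a service account with Domain-Wide Delegation, set to the username
  # within the GSuite for the user which has administration rights.
  # Should be an e-mail style name. E.g. "super-admin@example.com". The service
  # account credentials specified in the google_api.auth section are used to
  # perform admin actions as this user.
  # If not using Domain-Wide Delegation (i.e. the service account executing
  # this script has been made a member of an Admin Role), use null or comment
  # out.
  # NOTE(review): the key for this setting is missing from this example (its
  # line was probably lost along with the indentation); take its name from the
  # sync script's configuration schema before adding it here.

  # Secondary domain or domain alias for groups. If null, the value of "name"
  # is used. Default: null.
  groups_domain: null

  # Secondary domain or domain alias for institutions. If null, the value of
  # "name" is used. Default: null.
  insts_domain: null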