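---
# Example of Google directory sync configuration.
#
# NOTE(review): the layout below (which keys nest under which section) was
# restored from a copy whose line breaks had been lost. Every key and value is
# unchanged; confirm the nesting against the consuming tool's schema.

# Synchronisation configuration
sync:
  # A regular expression which is used to match the organization unit path for
  # Google users who should be excluded from the list returned by Google. Those
  # users do not exist for the purposes of the rest of the sync and so if they
  # appear in the list of managed users this script will attempt to re-add them
  # and fail in the process. Use this setting for users who are managed
  # completely outside of this script.
  #
  # Accounts in a matching organization unit are invisible to the sync, so the
  # sync will never suspend them. Keep the expression anchored at both ends
  # (as below) so that it cannot match more organization units than intended.
  ignore_google_org_unit_path_regex: '^/Service Accounts$'

  # The organization unit path in which new accounts are placed.
  new_user_org_unit_path: '/'

  # Inter-batch delay in seconds. This is useful to avoid hitting Google rate
  # limits. Default: 5.
  inter_batch_delay: 5

  # Batch size for Google API calls. Google supports batching requests together
  # into one API call. This can be no greater than 1000 but in practice this
  # should be less to avoid hitting other Google rate limits. Default: 50.
  batch_size: 50

  # Number of times to retry HTTP requests if a 503 "Service Unavailable"
  # response is received.
  http_retries: 2

  # Delay in seconds between HTTP 503 response retries.
  http_retry_delay: 5

# Configure limits defining maximum scope of changes.
#
# Every limit below defaults to null (no limit), so a key that is left out is
# a limit that is switched off. These limits are what contains the damage when
# the LDAP filters in the "ldap" section return the wrong set of users; keep
# them set to non-null values for unattended runs.
limits:
  # The abort_... settings below are safety limits and will abort the run if
  # the limits are violated. They are there to define the "sane limits" for an
  # update.

  # Refuse to perform sync if we are to "touch" more than this percentage of
  # users. The percentage of users "touched" is calculated as
  #
  #   (new google users + modified google users) / max(1, total google users)
  #
  # where "modified" includes metadata changes and suspension/restoration. As
  # such this calculated percentage can be greater than 100. Set to null to
  # have no limit. Default: null.
  abort_user_change_percentage: 2  # percent

  # The max_... settings below will not abort the run if the number of users
  # affected is greater than the specified number. Instead the number of users
  # affected is capped to that number. The selection of which users are
  # included in the capped number is arbitrary, so do not assume that a single
  # run has applied every pending suspension.

  # Limit the number of new user creations per run. This is an absolute number.
  # Set to null to have no limit. Default: null.
  max_new_users: 100

  # Limit the number of user suspensions per run. This is an absolute number.
  # Set to null to have no limit. Default: null.
  max_suspended_users: 100

  # Limit the number of user un-suspensions (reactivations) per run. This is an
  # absolute number. Set to null to have no limit. Default: null.
  max_reactivated_users: 100

  # Limit the number of user metadata changes per run. This is an absolute
  # number. Set to null to have no limit. Default: null.
  max_updated_users: 100

# Google API configuration
google_api:
  # Authentication
  auth:
    # Path to on-disk JSON credentials used when accessing the API.
    #
    # These credentials are used to perform admin actions as
    # google_domain.admin_user, so the file is a secret: keep it out of version
    # control and readable only by the account that runs the sync.
    credentials: "./credentials.json"

    # Path to on-disk JSON credentials used when accessing the API in
    # "read-only" mode. Use this if you want to have a separate "safe" service
    # account which can only read data. If null, use the same credentials for
    # reading and writing. Default: null.
    #
    # With null, every read is made with the write-capable credentials. A
    # separate read-only service account keeps the write-capable credentials
    # out of the read path.
    read_only_credentials: null

# Details about the LDAP server
ldap:
  # Scheme and hostname of the LDAP server.
  #
  # The result of these lookups decides which Google accounts are created and
  # which are suspended, so keep the "ldaps" scheme for a real deployment.
  # NOTE(review): how the server certificate is validated is not shown here;
  # confirm against the consuming tool.
  host: 'ldaps://ldap.example.com'

  # LDAP search base. Filters are always relative to this.
  search_base: 'ou=people,o=example-corps,dc=example,dc=com'

  # Filter to use to determine the "eligible" list of users. If a non-admin
  # user is found on Google who isn't in this list, their account will be
  # suspended.
  #
  # A filter that is too narrow, or a search that returns fewer entries than
  # it should, therefore shows up as suspensions. The abort_... and max_...
  # settings in the "limits" section are what bounds that.
  eligible_user_filter: '(uid=*)'

  # Filter to use to determine the "managed" list of users. If a user appears
  # in this list who isn't in Google their account is created. If the user
  # metadata for a user in this list changes, the change is propagated to
  # Google. If null, the value of "eligible_user_filter" is used.
  # Default: null.
  managed_user_filter: null

# Details about the Google Domain we're managing.
google_domain:
  # Name of the domain.
  name: 'example.com'

  # Username within the GSuite for the user which has administration rights.
  # Should be an e-mail style name. E.g. "super-admin@example.com". The service
  # account credentials specified in the google_api.auth section are used to
  # perform admin actions as this user.
  #
  # Whoever holds those credentials can act with this user's rights. Prefer an
  # account that exists only for the sync and holds no more admin privileges
  # than the sync needs.
  admin_user: 'super-admin@example.com'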