Skip to content
/ ldapsync Public

Sync LDAP groups with other parts of OCF infra

License

View license
0 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ocf/ldapsync

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits
ldapsync
ldapsync
 
 
vendor
vendor
 
 
.gitignore
.gitignore
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

ldapsync

This is a work-in-progress project to automate group syncing between various services on OCF infrastructure. LDAP should be a "source of truth" for the certain groups (like ocfstaff) within the OCF, and state of services (such as Google Apps mailing lists, Discourse groups, etc.) should be automatically updated to reflect this state.

Once this project is finished, it will run on a cronjob. It should look at LDAP state and add users to services based on that. As a failsafe, it will never remove users. Instead, if a user needs to be removed from a group, we will send an email that should be manually handled.

Running

Each script that inherits from the abstract base class LDAPSyncApp should be run as a standalone script. Some flags to the script are defined in LDAPSyncApp, while others should be added as needed.

Common Flags

The -n flag enables "dry-run" mode where no changes will actually be made. To run this for real, remove the -n flag.

The --log-file or -l flag logs everything (successful syncs, errors, and exceptions) to the given log file.

The --log-level flag sets the log level; any messages below the given log level will be ignored. Defaults to WARNING.

App-specific Flags

google_groups.py takes in one additional required argument: the path to the Google Cloud service account private key, a JSON file.

Groups

ocfstaff

ocfstaff is volunteer staff, and have limited access to OCF infrastructure. Most staff privileges are granted "automatically," but some access needs to be granted via this script. They should be added to RT and given access to the Google Drive.

opstaff

Opstaff are paid front-desk staff. They should be added to the opstaff mailing list and GDrive.

ocfofficers

Officers should be put on a Google mailing list for "external" OCF communications. They also have access to a Google Drive.

ocfroot

Root staffers have full access to OCF infra. They should be given admin privileges on all services, like Discourse and RT.

Services

Google Admin (mailing list groups)

These forward emails to larger groups. We can modify this list by using the Google Admin API.

RT

There doesn't appear to be an API for RT, but we can modify the staff group and admin groupby modifying the MySQL database directly.

Discourse

Discourse has an API. We only use this to give admin access to root staffers.

About

Sync LDAP groups with other parts of OCF infra

Topics

ldap ocf

Resources

Readme

License

View license
Activity
Custom properties

Stars

0 stars

Watchers

14 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages