This service implement an LDAP server using user and group information from Google Workspace Admin API.
The server is intended to be used as a group mapping info provider for Palo Alto Networks firewalls.
- Set
GOOGLE_APPLICATION_CREDENTIALS=/path/to/serviceaccount.json(see next section) - Run Docker with
--impersonate domain-admin@example.com --base-dn example.com
If using service account for authentication, make sure it is configured for Domain-wide delegation.
Scopes needed
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.group.member.readonly
See docs
- This dump the entire Google directory (users/groups) into memory, so it would take long time to start
memberOfon user is not implemented- Binds is not implemented. Any bind on the base DN would return success
- SASL is not implemented in the upstream library. Don't send SASL request to this server!
- This is NOT a drop in replacement for Secure LDAP service