dangtrinhnt/google_groups_ad_sync.py

## google_groups_ad_sync.py
#! /usr/bin/env python

import shlex, subprocess
import sys
# ad_utils.py: http://www.dangtrinh.com/2016/07/get-all-ms-active-directory-group.html
import ad_utils


GADMIN_ACCOUNT = '<your google apps administrator email>'
GAM_PATH = '/path/to/your/gam.py'
GOOGLE_GROUPS = {
    '<group name>': 'group email',
...
}


def get_group_members(group_email, gam_path=GAM_PATH):

    cmd = 'python %s print group-members group %s' % (gam_path, group_email)
    if sys.platform == 'win32':
        cmd = 'gam print group-members group %s' % (group_email)

    args = shlex.split(cmd)
    proc = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate()

    members = []
    if proc.returncode == 0:
        if out:
            out = out.split('\n')
            for i in range(1, len(out)):
                row = out[i].split(',')
                if len(row) >= 3:
                    if row[2].lower() != GADMIN_ACCOUNT: # exclude gadmin account
                        members.append(row[2].lower())
    return members


def del_group_member(group_email, member_email, gam_path=GAM_PATH):

    cmd = 'python %s update group %s remove user %s' % (gam_path, group_email, member_email)
    if sys.platform == 'win32':
        cmd = 'gam update group %s remove user %s' % (group_email, member_email)

    args = shlex.split(cmd)
    proc = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate()

    return proc.returncode, out, err


def sync_ad_gapps_group_members(group_name, group_email, ad_conn, dry_run=False):
    ad_members = ad_utils.get_group_members(group_name, ad_conn)
    if ad_members:
        googlegroup_members = get_group_members(group_email)
        for guser in googlegroup_members:
            if guser not in ad_members:
                print "=== %s not active in AD" % guser
                if dry_run:
                    pass
                else:
                    del_group_member(group_email, guser)


def sync_ad_gapps_groups(dry_run=False):
    ad_conn, ad_result = ad_utils.ad_auth()
    if ad_result:
        for gname, gemail in GOOGLE_GROUPS.iteritems():
            print "\n+++ Syncing group %s" % gname
            sync_ad_gapps_group_members(gname, gemail, ad_conn, dry_run)
    else:
        print "Fail!"


if __name__ == "__main__":
    dry_run = False
    if len(sys.argv) > 1:
        dry_run = bool(sys.argv[1])

    if dry_run:
        print "=== Running Google Apps Groups sync in dry-run mode"

    print "==== Dry running: %s" % dry_run

    sync_ad_gapps_groups(dry_run)
	#! /usr/bin/env python

	import shlex, subprocess
	import sys
	# ad_utils.py: http://www.dangtrinh.com/2016/07/get-all-ms-active-directory-group.html
	import ad_utils


	GADMIN_ACCOUNT = '<your google apps administrator email>'
	GAM_PATH = '/path/to/your/gam.py'
	GOOGLE_GROUPS = {
	'<group name>': 'group email',
	...
	}


	def get_group_members(group_email, gam_path=GAM_PATH):

	cmd = 'python %s print group-members group %s' % (gam_path, group_email)
	if sys.platform == 'win32':
	cmd = 'gam print group-members group %s' % (group_email)

	args = shlex.split(cmd)
	proc = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
	out, err = proc.communicate()

	members = []
	if proc.returncode == 0:
	if out:
	out = out.split('\n')
	for i in range(1, len(out)):
	row = out[i].split(',')
	if len(row) >= 3:
	if row[2].lower() != GADMIN_ACCOUNT: # exclude gadmin account
	members.append(row[2].lower())
	return members


	def del_group_member(group_email, member_email, gam_path=GAM_PATH):

	cmd = 'python %s update group %s remove user %s' % (gam_path, group_email, member_email)
	if sys.platform == 'win32':
	cmd = 'gam update group %s remove user %s' % (group_email, member_email)

	args = shlex.split(cmd)
	proc = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
	out, err = proc.communicate()

	return proc.returncode, out, err


	def sync_ad_gapps_group_members(group_name, group_email, ad_conn, dry_run=False):
	ad_members = ad_utils.get_group_members(group_name, ad_conn)
	if ad_members:
	googlegroup_members = get_group_members(group_email)
	for guser in googlegroup_members:
	if guser not in ad_members:
	print "=== %s not active in AD" % guser
	if dry_run:
	pass
	else:
	del_group_member(group_email, guser)


	def sync_ad_gapps_groups(dry_run=False):
	ad_conn, ad_result = ad_utils.ad_auth()
	if ad_result:
	for gname, gemail in GOOGLE_GROUPS.iteritems():
	print "\n+++ Syncing group %s" % gname
	sync_ad_gapps_group_members(gname, gemail, ad_conn, dry_run)
	else:
	print "Fail!"


	if __name__ == "__main__":
	dry_run = False
	if len(sys.argv) > 1:
	dry_run = bool(sys.argv[1])

	if dry_run:
	print "=== Running Google Apps Groups sync in dry-run mode"

	print "==== Dry running: %s" % dry_run

	sync_ad_gapps_groups(dry_run)