Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


deputize is a handy tool to update an LDAP group with on-call information from a PagerDuty schedule.

To learn more about why wrote Deputize, see our blog.


To install, use go get: go get -d


Deputize requires an LDAP server that supports StartTLS over port 389. This LDAP server should have a user that can modify the memberUid attribute of a group.

Deputize also requires Vault to store secrets. As of Version 2.0 this uses Vault's KV version 2 API.


Deputize is configured using a config.json file located in the same directory as the command (or you can specify a direct path to it using DEPUTIZE_CONFIG). That config file should contain:

  "BaseDN": "",
  "GrayLogEnabled": "",
  "GrayLogAddress": "",
  "LDAPServer": "",
  "LDAPPort": 0,
  "MailAttribute": "",
  "MemberAttribute": "",
  "ModUserDN": "",
  "OnCallGroup": "",
  "OnCallGroupDN": "",
  "OnCallSchedules": [""],
  "RootCAFile": "",
  "RunDuration": "",
  "SlackChan": "",
  "SlackEnabled": true,
  "TokenPath": "",
  "UserAttribute": "",
  "VaultSecretPath": "",
  "VaultServer": "",
  "Quiet": true
Variable Type Purpose Possible Value
BaseDN String Base DN for your LDAP server dc=spiffy,dc=io
GrayLogEnabled String Enable logging to a GrayLog Server true
GrayLogAddress String Graylog Server Address (uses UDP)
LDAPServer String Hostname of your LDAP server
LDAPPort Int Port to talk to LDAP on 389
MailAttribute String LDAP Attribute for a user's email address mail
MemberAttribute String LDAP Attribute for a group member memberUid
ModUserDN String The DN of the user that edits LDAP cn=deputize,dc=spiffy,dc=io
OnCallGroup String The search string for the LDAP On Call Group (cn=oncall)
OnCallGroupDN String Full DN for the LDAP On Call Group cn=oncall,ou=groups,dc=spiffy,dc=io
OnCallSchedules Array The names of the PagerDuty Schedules to sync ["OnCall1", "OnCall2"]
RootCAFile String A path to a file full of trusted root CAs [See note 1] /etc/ssl/certs/ca-certificates.crt
RunDuration String How far ahead should Deputize look at the oncall schedule? 1m
SlackChan Array The channel(s) to post update notifications to (Slack IDs) C8821KJSD
SlackEnabled Bool Do you want Deputize to notify slack? true
TokenPath String Path to a file containing a vault token [See note 2] /ramdisk/vault-token
UserAttribute String LDAP Attribute for a User uid
VaultSecretPath String Path to where Vault stores secret information for Deputize secret/data/deputize
VaultServer String Full path to Vault server
Quiet Bool If true, wont display any log output true
GitlabEnabled Bool If true, will update a group with oncall users false
GitlabServer String Hostname of your Gitlab server
GitlabGroup String Assign oncall people to this Gitlab group SpiffyGitlabGroup
GitlabApproverSchedule String PagerDuty Schedule of users to assign to Gitlab OnCall1


  1. If blank, Go will attempt to use system trust roots.
  2. If blank, will attempt to use the VAULT_TOKEN environment variable

LDAP Configuration

There are many LDAP servers in the world, so we can't give a guide to creating scoped users for all of them. That said, For OpenLDAP, here's a sample olcAccess ACL entry you could use to let a named user edit the memberUid attribute of a specific posixGroup entry:

olcAccess: to dn.base="cn=oncall,ou=groups,dc=spiffy,dc=io"
  by dn.exact="cn=deputize,dc=spiffy,dc=io" write
  by * read

Vault Configuration

The location specified for VaultSecretPath will need values for:

  • modUserPW: The password for a user with permission to modify the memberUid attributes of the oncall group
  • pdAuthToken: PagerDuty API key
  • slackAuthToken: Slack API key
  • gitlabAuthToken: Gitlab API key -- needs api permissions


deputize oncall will add the proper oncall rotation, basing it off of what PagerDuty has scheduled.

Future plans include adding a deputize me command for temporary authenticated access.


We recommend using the latest golang (1.14 at this time).

  1. Fork
  2. Create a feature branch
  3. Commit your changes
  4. Rebase your local changes against the master branch
  5. Create a new Pull Request


Patrick Cable (@patcable)


Manage an on-call LDAP group based on PagerDuty on-call status




No packages published