HASSOS LDAP Command Line Authentication over SSH

Hi,
I wanted to set up LDAP, but it was very challenging. Hassio does not have the ability to do LDAP… like, not at all. Curl does not have LDAP support, and the openldap-clients package could be installed, but it would require reinstallation every boot. One thing Home Assistant has is SSH, so we can SSH to another computer with the ability to do the work.

Let's set up the remote machine first. This is the machine which has ldapsearch installed; it will be your authentication server. We need to SSH into that machine and run ldapsearch over SSH.

mkdir ~/auth
curl  https://raw.githubusercontent.com/efficiosoft/ldap-auth-sh/master/ldap-auth.sh > ~/auth/ldap-auth.sh
chmod 755 ~/auth/ldap-auth.sh
curl https://pastebin.adamoutler.com/raw/I9ox >~/auth/home-assistant.cfg
nano ~/auth/home-assistant.cfg

Pay attention. That last command is where you need to set up your settings.

Now you'll want to edit your home-assistant.cfg file until you can run the following command and get this result.

[email protected]:~/auth# username=test password=test ./ha-ldap.sh home-assistant.cfg
ldap_initialize( ldap://192.168.1.100:389/??base )
filter: (&(uid=test)(memberOf=cn=homeassistant,cn=groups,dc=adamoutler,dc=com))
requesting: dn gecos email
Result: 0
Number of entries: 1
Client output:
dn: uid=test,cn=users,dc=adamoutler,dc=com
gecos: test
User 'test' authenticated successfully.
name=test

OK! So now LDAP works! If it doesn't, do not go past this point. You're done on this computer. You no longer need it, except that it has to stay on at all times you want to log in. Congratulations, you now have an authentication server.

Let's set up Home Assistant now. First up, you need SSH access (duh).

ssh-keygen  # set no password
mkdir /config/.ssh
chmod 700 /config/.ssh   # a directory needs the execute bit; 600 would block traversal into it
cp ~/.ssh/* /config/.ssh
mkdir /config/auth
curl https://pastebin.adamoutler.com/raw/CzdS >/config/auth/sshauth.sh
chmod 755 /config/auth/sshauth.sh   # same file name as downloaded above and referenced below
nano /config/auth/sshauth.sh

Change the referenced IP address here and uncomment the commented lines for a single login attempt. I have no idea why we have to execute these lines via command line auth; everything appears to be the same as my root account, but for some reason something about the environment is different within command line auth, and the remote host doesn't recognize my SSH key after doing it via normal methods.

Verify it works:

username=test password=test /config/auth/sshauth.sh

If it works, you see this:

ldap_initialize( ldap://192.168.1.100:389/??base )
filter: (&(uid=test)(memberOf=cn=homeassistant,cn=groups,dc=adamoutler,dc=com))
requesting: dn gecos email
Result: 0
Number of entries: 1
Client output:
dn: uid=test,cn=users,dc=adamoutler,dc=com
gecos: test
User 'test' authenticated successfully.
name=test
Connection to 192.168.1.107 closed.

IMPORTANT: After we restart in a minute, you’re not going to be able to login. Don’t worry, you can just undo what we’re going to do next.

Let's configure Home Assistant to use Command Line Auth. Add this to /config/configuration.yaml:

homeassistant:
  auth_providers:
  - type: command_line
    command: /config/auth/sshauth.sh

And now we restart.

mkdir /config/ssh
hassio ha restart

Now get SSH'd back into your HassOS machine, then log in to your Home Assistant. It will fail, but it will execute commands. You can use this command to see what's going on:

cat /config/ssh/log

If you want to see the logs for the ssh command, then add a &>>/config/ssh.log to the end of the /usr/bin/ssh command.

Important: comment out those three lines in /config/auth/hassos.

Then we restart again.

rm -rf /config/ssh
hassio ha restart

Yeah, I know. This is a wonky, hacky workaround for Home Assistant's curl lacking LDAP support and Home Assistant lacking ldapsearch support. Also, the documentation is horrible on Home Assistant's website. If you have a better way, please let me know, because I'm not proud of this.
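The sshauth.sh wrapper the post downloads from pastebin is not shown, so here is an added example of an equivalent wrapper written for this thread, not the author's script. It assumes the command_line provider passes username and password as environment variables (as in the manual test above), that the auth server is 192.168.1.107 with ldap-auth.sh and home-assistant.cfg under ~/auth, and that the key lives at /config/.ssh/id_rsa; the login user, key name and known_hosts path are assumptions. Unlike passing the credentials on the ssh command line, it feeds them over stdin so they never appear in a process listing on either host, pins the server's host key, and refuses usernames that could not be a plain account name before they reach the LDAP filter.

```shell
#!/bin/sh
# Constructed example: a replacement for the pastebin sshauth.sh wrapper.
# Home Assistant's command_line provider hands us $username and $password as
# environment variables and treats exit status 0 as "authenticated"; stdout
# (e.g. name=test) is passed back as meta, just as in the thread's output.

AUTH_HOST="${AUTH_HOST:-192.168.1.107}"                 # auth server from the thread's output
AUTH_USER="${AUTH_USER:-root}"                          # assumed; the thread's prompt shows a root shell
AUTH_KEY="${AUTH_KEY:-/config/.ssh/id_rsa}"             # assumed key name under /config/.ssh
KNOWN_HOSTS="${KNOWN_HOSTS:-/config/.ssh/known_hosts}"  # pin the auth server's host key here
REMOTE_CMD='~/auth/ldap-auth.sh ~/auth/home-assistant.cfg'  # paths as set up on the auth server

# The username ends up inside an LDAP filter on the server, so refuse anything
# outside a conservative character set before it leaves this host.
valid_username() {
  case "$1" in
    ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Run the LDAP check on the auth server. Credentials travel on ssh's stdin,
# never in argv, so they do not show up in `ps` on either side.
# SSH_BIN exists so a test can substitute a stub for the real ssh client.
remote_auth() {
  printf '%s\n%s\n' "$1" "$2" | "${SSH_BIN:-ssh}" \
    -i "$AUTH_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
    -o UserKnownHostsFile="$KNOWN_HOSTS" "$AUTH_USER@$AUTH_HOST" \
    "IFS= read -r username && IFS= read -r password && export username password && $REMOTE_CMD"
}

# Entry point: validate locally, then defer the real decision to ldap-auth.sh.
authenticate() {
  valid_username "$username" || { echo "sshauth: rejected username" >&2; return 1; }
  [ -n "$password" ] || return 1
  remote_auth "$username" "$password"
}

# Only run when invoked as the script itself (not when sourced or tested).
case "${0##*/}" in
  sshauth.sh) authenticate ;;
esac
```

Because the password is read as one line on the server, passwords containing a newline are not supported by this wrapper.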

That's good to know. I've tried setting it up in the past but have failed. The only thing I would be worried about with your setup is: do you think you would have to redo it every time you upgrade?

No. It does not need to be redone. The ssh script is contained within the /config directory and should survive upgrades. The configuration.yaml points at the script. Configuration.yaml is also in the /config folder. So there should be no issue with upgrade. All LDAP-related scripts are contained on a remote computer.