HASSOS LDAP Command Line Authentication over SSH

adamoutler · September 21, 2020, 11:31pm

Hi,
I wanted to set up LDAP. But it was very challenging. Hassio does not have the ability to do ldap… Like not at all. Curl does not have ldap support and openldap-clients package could be installed but it would require reinstallation every boot. One thing Home Assistant has is SSH. So we can ssh to another computer with the ability to do the work.

Lets set up the remote machine first. This is the machine which has LDAP Search installed. It will be your Authentication Server. We need to ssh into that machine and run ldap search over ssh.

mkdir ~/auth
curl  https://raw.githubusercontent.com/efficiosoft/ldap-auth-sh/master/ldap-auth.sh > ~/auth/ldap-auth.sh
chmod 755 ~/auth/ldap-auth.sh
curl https://pastebin.adamoutler.com/raw/I9ox >~/auth/home-assistant.cfg
nano ~/auth/home-assistant.cfg

Pay attention. That last command is where you need to set up your settings.

Now you’ll want to edit, your home-assistant.cfg file until you can run the following command and get this result.

user@closet-server:~/auth# username=test password=test ./ha-ldap.sh home-assistant.cfg
ldap_initialize( ldap://192.168.1.100:389/??base )
filter: (&(uid=test)(memberOf=cn=homeassistant,cn=groups,dc=adamoutler,dc=com))
requesting: dn gecos email
Result: 0
Number of entries: 1
Client output:
dn: uid=test,cn=users,dc=adamoutler,dc=com
gecos: test
User 'test' authenticated successfully.
name=test

OK! so now ldap works! If it doesn’t, do not go past this point. You’re done on this computer. You no longer need it, except for keeping it on at all times you want to log in. Congratulations, you now have an authentication server.

Lets set up Home Assistant now. First up, you need ssh access (duh).

ssh-keygen  # set no password
mkdir /config/.ssh
chmod 600 /config/.ssh
cp ~/.ssh/* /config/.ssh
mkdir /config/auth
curl https://pastebin.adamoutler.com/raw/CzdS >/config/auth/sshauth.sh
chmod 755 /config/auth/sshauth
nano /config/auth/sshauth

Change the referenced IP address here and uncomment out the commented lines for a single login attempt. I have no idea why we have to execute these lines via command line auth, everything appears to be the same, as my root account, but for some reason, something about the environment is different within command line auth and the remote host doesn’t recognize my ssh key after doing it via normal methods.

From Home assistant, you’ll need to ssh to the ldap script machine at least once to get the ssh authorization working

ssh [email protected]

Now we can verify it works within the hassio terminal:

username=test password=test /config/auth/sshauth.sh

If it works, you see this:

ldap_initialize( ldap://192.168.1.100:389/??base )
filter: (&(uid=test)(memberOf=cn=homeassistant,cn=groups,dc=adamoutler,dc=com))
requesting: dn gecos email
Result: 0
Number of entries: 1
Client output:
dn: uid=test,cn=users,dc=adamoutler,dc=com
gecos: test
User 'test' authenticated successfully.
name=test
Connection to 192.168.1.107 closed.

IMPORTANT: After we restart in a minute, you’re not going to be able to login. Don’t worry, you can just undo what we’re going to do next.

Lets configure Home Assistant to use Command Line Auth. add this to /config/configuration.yaml

homeassistant:
  auth_providers:
  - type: command_line
    command: /config/auth/sshauth.sh

And now we restart.

mkdir /config/ssh
hassio ha restart

Now get ssh’d back into your Hassos machine. Now log in to your home assistant. It will fail, but it will execute commands. you can use this command to see what’s going on:

cat /config/ssh/log

if you want to see the logs for the ssh command, then add a &>>/config/ssh.log to the end of the /usr/bin/ssh command.

Important: comment out those three lines in /config/auth/hassos.

Then we restart again.

rm -rf /config/ssh
hassio ha restart

Yeah, i know. This is wonkey, hacky workaround for home assistant curl lacking ldap support. and home assistant lacking ldapsearch support. Also, the documentation is horrible on home-assistant’s website. If you have a better way, please let me know because I’m not proud of this.

frenchface · September 23, 2020, 4:18pm

That’s good to know. I’ve tried setting it up in the past but have failed. The only thing I would be worried about with your setup is do you think you would have to redo it every time you upgrade?

adamoutler · September 23, 2020, 8:48pm

No. It does not need to be redone. The ssh script is contained within the /config directory and should survive upgrades. The configuration.yaml points at the script. Configuration.yaml is also in the /config folder. So there should be no issue with upgrade. All LDAP-related scripts are contained on a remote computer.

synth3tk · November 2, 2020, 6:10pm

I had to make a few modifications but I got this working. However, I was wondering if anyone figured out how to get the name metadata working? I’ve adjusted the script so that it only outputs name=$name to the console but Home Assistant never appears to pick this up. I do have meta: true in my Home Assistant config.

adamoutler · November 2, 2020, 6:34pm

I have the same problem. However, I can modify my name and information within the user profile, so I didn’t peruse it further. I’m certain it only works the first time. Also, one time I deleted my user and tried it again, but ended up with the display name “Google Assistant” which isn’t even in my LDAP database, but it is in Home Assistant. I’m positive there are problems with HA on this.

synth3tk · November 2, 2020, 6:37pm

Gotcha, that’s good to know, thanks. I assumed it would update from the script output on every auth, but I guess that was a bad assumption. There’s only two of us so it won’t be a big deal to just do it manually in the profile.

Megachip · November 11, 2020, 10:19am

This really should be integrated in HASSOS … or could this be provided via HACS?

adamoutler · November 11, 2020, 12:36pm

It really should be. But they don’t include ldapsearch and the curl package doesn’t have LDAP capabilities. The alternative is to reinstall ldapsearch after each upgrade.

Maybe a developer could adjust the container specs to include ldapsearch so we can get this working in a proper fashion. I don’t know where the container packages are specified so I haven’t asked.

scrapid · February 22, 2021, 1:34am

What about verifying ldap support and installing it inside authentication script? The script could perform check for ldapsearch presence and if it’s not installed, than install it and than continue authentication. Only first use od ldap authentication after each update of homeassistant would take more time. I know that generally ldap auth should be done in more elegant and proper way, but now the only one way is to find handy workaround

adamoutler · February 22, 2021, 1:49am

There is already a script for LDAP. This is for remote LDAP

frenchface · August 25, 2021, 4:58pm

I had trouble with this. So I am just going to post what I did and it seems to be working.

On a remote node, I have the following script:

domain="@<domainnamehere>"
user=$username$domain
if [ -z "$username" ]; then exit 1; fi
if [ -z "$password" ]; then exit 1; fi
#echo $user
search1=$(ldapsearch -H ldap://<ipaddresshere> -x -w $password -D $user -b "dc=<domain>,dc=<domain>" "(samAccountName=$username)" | grep search:)
#echo $search1
if [ -z "$search1" ]; then echo "NULL"; else echo "User '$username' authenticated successfully."; fi
if [ -z "$search1" ]; then echo "NULL"; else echo "name = $username"; fi
if [ -z "$search1" ]; then echo "NULL"; else exit 0; fi
exit 1

Then on HASSIO I have the following script:

ssh -o StrictHostKeyChecking=no -i /config/.ssh/id_rsa root@<ipaddresshere> &>> /config/log "username=$username password=$password bash ./ldapauth.sh"

I hope this helps as I spent several hours trying to get something to work. I am sure there are much better ways to do this, but for now this works for me. If you have any suggestions please let me know.