HASSOS LDAP Command Line Authentication over SSH

Hi,
I wanted to set up LDAP. But it was very challenging. Hassio does not have the ability to do ldap… Like not at all. Curl does not have ldap support and openldap-clients package could be installed but it would require reinstallation every boot. One thing Home Assistant has is SSH. So we can ssh to another computer with the ability to do the work.

Lets set up the remote machine first. This is the machine which has LDAP Search installed. It will be your Authentication Server. We need to ssh into that machine and run ldap search over ssh.

mkdir ~/auth
curl  https://raw.githubusercontent.com/efficiosoft/ldap-auth-sh/master/ldap-auth.sh > ~/auth/ldap-auth.sh
chmod 755 ~/auth/ldap-auth.sh
curl https://pastebin.adamoutler.com/raw/I9ox >~/auth/home-assistant.cfg
nano ~/auth/home-assistant.cfg

Pay attention. That last command is where you need to set up your settings.

Now you’ll want to edit, your home-assistant.cfg file until you can run the following command and get this result.

[email protected]:~/auth# username=test password=test ./ha-ldap.sh home-assistant.cfg
ldap_initialize( ldap://192.168.1.100:389/??base )
filter: (&(uid=test)(memberOf=cn=homeassistant,cn=groups,dc=adamoutler,dc=com))
requesting: dn gecos email
Result: 0
Number of entries: 1
Client output:
dn: uid=test,cn=users,dc=adamoutler,dc=com
gecos: test
User 'test' authenticated successfully.
name=test

OK! so now ldap works! If it doesn’t, do not go past this point. You’re done on this computer. You no longer need it, except for keeping it on at all times you want to log in. Congratulations, you now have an authentication server.

Lets set up Home Assistant now. First up, you need ssh access (duh).

ssh-keygen  # set no password
mkdir /config/.ssh
chmod 600 /config/.ssh
cp ~/.ssh/* /config/.ssh
mkdir /config/auth
curl https://pastebin.adamoutler.com/raw/CzdS >/config/auth/sshauth.sh
chmod 755 /config/auth/sshauth
nano /config/auth/sshauth

Change the referenced IP address here and uncomment out the commented lines for a single login attempt. I have no idea why we have to execute these lines via command line auth, everything appears to be the same, as my root account, but for some reason, something about the environment is different within command line auth and the remote host doesn’t recognize my ssh key after doing it via normal methods.

From Home assistant, you’ll need to ssh to the ldap script machine at least once to get the ssh authorization working

ssh [email protected]

Now we can verify it works within the hassio terminal:

username=test password=test /config/auth/sshauth.sh

If it works, you see this:

ldap_initialize( ldap://192.168.1.100:389/??base )
filter: (&(uid=test)(memberOf=cn=homeassistant,cn=groups,dc=adamoutler,dc=com))
requesting: dn gecos email
Result: 0
Number of entries: 1
Client output:
dn: uid=test,cn=users,dc=adamoutler,dc=com
gecos: test
User 'test' authenticated successfully.
name=test
Connection to 192.168.1.107 closed.

IMPORTANT: After we restart in a minute, you’re not going to be able to login. Don’t worry, you can just undo what we’re going to do next.

Lets configure Home Assistant to use Command Line Auth. add this to /config/configuration.yaml

homeassistant:
  auth_providers:
  - type: command_line
    command: /config/auth/sshauth.sh

And now we restart.

mkdir /config/ssh
hassio ha restart

Now get ssh’d back into your Hassos machine. Now log in to your home assistant. It will fail, but it will execute commands. you can use this command to see what’s going on:

cat /config/ssh/log

if you want to see the logs for the ssh command, then add a &>>/config/ssh.log to the end of the /usr/bin/ssh command.

Important: comment out those three lines in /config/auth/hassos.

Then we restart again.

rm -rf /config/ssh
hassio ha restart

Yeah, i know. This is wonkey, hacky workaround for home assistant curl lacking ldap support. and home assistant lacking ldapsearch support. Also, the documentation is horrible on home-assistant’s website. If you have a better way, please let me know because I’m not proud of this.

That’s good to know. I’ve tried setting it up in the past but have failed. The only thing I would be worried about with your setup is do you think you would have to redo it every time you upgrade?

No. It does not need to be redone. The ssh script is contained within the /config directory and should survive upgrades. The configuration.yaml points at the script. Configuration.yaml is also in the /config folder. So there should be no issue with upgrade. All LDAP-related scripts are contained on a remote computer.

I had to make a few modifications but I got this working. However, I was wondering if anyone figured out how to get the name metadata working? I’ve adjusted the script so that it only outputs name=$name to the console but Home Assistant never appears to pick this up. I do have meta: true in my Home Assistant config.

1 Like

I have the same problem. However, I can modify my name and information within the user profile, so I didn’t peruse it further. I’m certain it only works the first time. Also, one time I deleted my user and tried it again, but ended up with the display name “Google Assistant” which isn’t even in my LDAP database, but it is in Home Assistant. I’m positive there are problems with HA on this.

Gotcha, that’s good to know, thanks. I assumed it would update from the script output on every auth, but I guess that was a bad assumption. There’s only two of us so it won’t be a big deal to just do it manually in the profile.

This really should be integrated in HASSOS … or could this be provided via HACS?

It really should be. But they don’t include ldapsearch and the curl package doesn’t have LDAP capabilities. The alternative is to reinstall ldapsearch after each upgrade.

Maybe a developer could adjust the container specs to include ldapsearch so we can get this working in a proper fashion. I don’t know where the container packages are specified so I haven’t asked.

What about verifying ldap support and installing it inside authentication script? The script could perform check for ldapsearch presence and if it’s not installed, than install it and than continue authentication. Only first use od ldap authentication after each update of homeassistant would take more time. I know that generally ldap auth should be done in more elegant and proper way, but now the only one way is to find handy workaround

There is already a script for LDAP. This is for remote LDAP