Hi,
I wanted to set up LDAP, but it was very challenging. Hass.io does not have the ability to do LDAP at all: its curl is built without LDAP support, and the openldap-clients package can be installed but would need reinstalling on every boot. One thing Home Assistant does have is SSH, so we can SSH to another computer that is able to do the work.
Let's set up the remote machine first. This is the machine that has ldapsearch installed; it will be your authentication server. Home Assistant will SSH into this machine and run ldapsearch over SSH.
mkdir ~/auth
curl https://raw.githubusercontent.com/efficiosoft/ldap-auth-sh/master/ldap-auth.sh > ~/auth/ldap-auth.sh
chmod 755 ~/auth/ldap-auth.sh
curl https://pastebin.adamoutler.com/raw/I9ox >~/auth/home-assistant.cfg
nano ~/auth/home-assistant.cfg
Pay attention: that last command is where you set up your settings.
Now edit your home-assistant.cfg file until you can run the following command and get this result:
user@closet-server:~/auth# username=test password=test ./ha-ldap.sh home-assistant.cfg
ldap_initialize( ldap://192.168.1.100:389/??base )
filter: (&(uid=test)(memberOf=cn=homeassistant,cn=groups,dc=adamoutler,dc=com))
requesting: dn gecos email
Result: 0
Number of entries: 1
Client output:
dn: uid=test,cn=users,dc=adamoutler,dc=com
gecos: test
User 'test' authenticated successfully.
name=test
OK! So now LDAP works! If it doesn't, do not go past this point. You're done on this computer; you no longer need it, except that it must stay on whenever you want to log in. Congratulations, you now have an authentication server.
Let's set up Home Assistant now. First up, you need SSH access (duh).
ssh-keygen # set no password
mkdir /config/.ssh
chmod 700 /config/.ssh # 700, not 600: a directory needs the execute bit or it cannot be entered
cp ~/.ssh/* /config/.ssh
mkdir /config/auth
curl https://pastebin.adamoutler.com/raw/CzdS >/config/auth/sshauth.sh
chmod 755 /config/auth/sshauth.sh
nano /config/auth/sshauth.sh
Change the referenced IP address here and uncomment the commented lines for a single login attempt. I have no idea why we have to execute these lines via command line auth; everything appears to be the same as my root account, but for some reason something about the environment is different within command line auth, and the remote host doesn't recognize my SSH key after doing it via normal methods.
From Home Assistant, you'll need to SSH to the LDAP script machine at least once to get the SSH authorization working:
ssh [email protected]
Now we can verify it works from within the Hass.io terminal:
username=test password=test /config/auth/sshauth.sh
If it works, you see this:
ldap_initialize( ldap://192.168.1.100:389/??base )
filter: (&(uid=test)(memberOf=cn=homeassistant,cn=groups,dc=adamoutler,dc=com))
requesting: dn gecos email
Result: 0
Number of entries: 1
Client output:
dn: uid=test,cn=users,dc=adamoutler,dc=com
gecos: test
User 'test' authenticated successfully.
name=test
Connection to 192.168.1.107 closed.
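The post's sshauth.sh lives on a pastebin and is not shown here. As an added example (my own code, not the author's script), this is what a hardened version of that wrapper could look like: it validates the username locally, uses a dedicated key in batch mode with strict host-key checking, and sends the credentials to the auth server over stdin so the password never appears in the remote command line or in `ps` there. The remote account auth@192.168.1.107, the key path /config/.ssh/id_rsa and the ~/auth/ paths are assumptions matching the steps above.

```shell
#!/bin/sh
# Hypothetical replacement for /config/auth/sshauth.sh (added example, not the post's script).
# Home Assistant's command_line provider hands us $username and $password in the
# environment and treats exit status 0 as "authenticated".
AUTH_HOST="${AUTH_HOST:-auth@192.168.1.107}"   # assumed user@host of the LDAP helper box
AUTH_KEY="${AUTH_KEY:-/config/.ssh/id_rsa}"     # assumed dedicated key copied in earlier
# The remote side reads both credentials from stdin, so they never appear in its argv.
REMOTE_CMD='IFS= read -r username; IFS= read -r password; export username password; exec "$HOME/auth/ldap-auth.sh" "$HOME/auth/home-assistant.cfg"'
NL='
'

# Only plain account names go over the wire; anything else is rejected locally.
valid_username() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# The remote reads one line per field, so an empty password or one containing a
# newline must be refused here rather than silently truncated there.
valid_password() {
  [ -n "$1" ] || return 1
  case "$1" in *"$NL"*) return 1 ;; esac
}

# Transport to the auth server: never prompt (BatchMode), never hand credentials to an
# unknown host (strict host keys), and give up quickly so HA logins do not hang.
transport() {
  ssh -i "$AUTH_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
      -o ConnectTimeout=5 "$AUTH_HOST" "$@"
}

# authenticate USERNAME PASSWORD -> 0 on success, non-zero otherwise.
# The remote script's stdout (e.g. "name=test") is passed through to Home Assistant.
authenticate() {
  valid_username "$1" || return 1
  valid_password "$2" || return 1
  printf '%s\n%s\n' "$1" "$2" | transport "$REMOTE_CMD"
}

# Entry point when Home Assistant runs this file as the auth command.
if [ -n "${username:-}" ]; then
  authenticate "$username" "${password:-}"
  exit $?
fi
```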
IMPORTANT: After we restart in a minute, you're not going to be able to log in. Don't worry, you can just undo what we're going to do next.
Let's configure Home Assistant to use Command Line Auth. Add this to /config/configuration.yaml:
homeassistant:
  auth_providers:
    - type: command_line
      command: /config/auth/sshauth.sh
And now we restart.
mkdir /config/ssh
hassio ha restart
Now SSH back into your HassOS machine and try to log in to Home Assistant. The login will fail, but the command will execute. You can use this command to see what's going on:
cat /config/ssh/log
If you want to see the logs for the ssh command itself, add &>>/config/ssh.log to the end of the /usr/bin/ssh command.
Important: comment out those three lines in /config/auth/sshauth.sh again.
Then we restart again:
rm -rf /config/ssh
hassio ha restart
Yeah, I know. This is a wonky, hacky workaround for Home Assistant's curl lacking LDAP support and Home Assistant lacking ldapsearch support. Also, the documentation is horrible on Home Assistant's website. If you have a better way, please let me know, because I'm not proud of this.