This script allows users to log in to Home Assistant using their sAMAccountName
or userPrincipalName
identifiers without any special requirements for the ldapsearch
or curl
utilities. Instead, it requires the ldap3
Python module, but there are ways to install that locally so it can even be used in supervised / Home Assistant OS installs.
Obviously most of the configuration values in the script need to be edited to work in your environment.
SERVER
- the DNS name of your AD domain, or the name or IP of a specific domain controller.HELPERDN
- the DN (distinguishedName
attribute) of the service account you're using to search LDAP for the desired user.HELPERPASS
- the password for that service account.TIMEOUT
- LDAP search timeout in seconds.FILTER
- LDAP search filter to find the desired user. To match by SAM name or UPN and a group membership, just edit thememberOf
line to include the DN of the group you want to use to control access.BASEDN
- the DN of the top-most container to search. To search the entire domain, use just the "DC" sections at the end of your domain's DNs, e.g.DC=ad,DC=example,DC=com
. As written, the script searches recursively.
In a Home Assistant Core installation, you can install the Python module using pip
or your package manager, then put the script in any directory where Home Assistant can reach it. Then add a section to configuration.yaml:
homeassistant:
auth_providers:
- type: command_line
command: /usr/local/bin/ldap-auth-ad.py
meta: true
- type: homeassistant
Note that homeassistant
must be explicitly specified as an authentication method, or you won't have access to locally-created users.
Because Python modules can be installed in and loaded from the current path, it's possible to make this work in Docker containers as well, by hiding it in the /config directory.
First, make a directory to contain everything, and copy the configured script into the host directory that's mounted as /config:
me@host:~ $ sudo mkdir /usr/share/hassio/homeassistant/ldap-auth
me@host:~ $ sudo cp ldap-auth-ad.py /usr/share/hassio/homeassistant/ldap-auth
Next, open a shell in the Home Assistant core container, and change to the directory we just created:
me@host:~ $ sudo docker exec -it homeassistant bash
bash-5.0# cd /config/ldap-auth
Install the module:
bash-5.0# pip install -t . ldap3
And insert the configuration section (note the modified path):
homeassistant:
auth_providers:
- type: command_line
command: /config/ldap-auth/ldap-auth-ad.py
meta: true
- type: homeassistant
Finally, restart the entire application (Configuration > Server Controls > Server Management > Restart) to reload the config. (It may be possible to reload without doing this, but I'm not entirely clear on when configuration.yaml is read.)
You should now be able to log in as any user that's a member of the group you picked above. Home Assistant will create a new user in the local database the first time a user logs in.
This whole thing is hacked out of a more generic LDAP script by Rechner Fox. I mostly tweaked the filters and added the username search.
Thank you very much, this helped me out. It's working now also from within the container, missed a "import pip".
Also got a workaround if a HA Core update takes place (pip installation gone). And i adopted the script to use two ldap groups, one sets the HA user to group „system-users“ and the other to the group „system-admin“.
Regards
Richard