Python script for Home Assistant adding authentication via RADIUS or LDAP
The project is based on the pyrad library.
The script authenticates Home Assistant users against a RADIUS or LDAP server, which lets you manage user access centrally.
The script supports two launch modes: auth_providers and CLI.
Additional information about the auth_providers mode
- Method 1. HACS > Python Script > Add > Auth AAA > Install
- Method 2. Copy `auth-aaa.py` from the latest release to `/config/python_scripts` manually:
  `wget -LP /config/python_scripts "https://github.com/losenmann/iptv-toolkit/releases/latest/download/auth-aaa.py"`
- Set the connection parameters in the `secrets.yaml` file. Example data:
  ```yaml
  auth_aaa_server: "server.example.com"
  auth_aaa_radius_secret: "homeassistant"
  auth_aaa_ldap_userdn: "uid={},ou=people,dc=example,dc=com"
  auth_aaa_ldap_basedn: "ou=people,dc=example,dc=com"
  auth_aaa_ldap_filter: "(uid={})"
  auth_aaa_ldap_attrib: ["givenName","memberof"]
  ```
  Important: `{}` is replaced by the username.
- In the `configuration.yaml` file add the configuration; the authentication order matters:
  ```yaml
  homeassistant:
    auth_providers:
      - type: command_line
        command: '/usr/local/bin/python'
        args: ['/config/python_scripts/auth-aaa.py', '-m']
        meta: true
      - type: homeassistant
  ```
  Note: the `meta: true` directive makes the script write some variables to standard output, which populate the user account created in Home Assistant with additional data. Removing the directive disables authorization in Home Assistant through the script.
  The script can also run as an executable file; for that you need to set execution rights. By default, HACS removes permission data.
- Add the data from the `dictionary` file to the RADIUS server's dictionary file.
- Set the user's `Hass-Group` attribute to `system-users`:

Attribute | Type | Value | Description
---|---|---|---
Hass-Group | string | system-users, system-admin | User group (Default: system-users)
Hass-Local-Only | byte | 0, 1 | Local login only (Default: 0)
Hass-Is-Active | byte | 0, 1 | Activate user account (Default: 1)

Warning: for RADIUS authorization to work correctly, you must add these attributes from the `dictionary` file to the RADIUS server's dictionary file.
For owners of MikroTik devices
- Install the `user-manager` package:
  ```
  /tool/fetch mode=https url=("https://download.mikrotik.com/routeros/".[/system/routerboard/get upgrade-firmware]."/user-manager-".[/system/routerboard/get upgrade-firmware]."-".[/system/resource/get architecture-name].".npk") output=file
  /system/reboot
  ```
- Set up the `user-manager`:
  ```
  /user-manager/attribute/add name="Hass-Group" vendor-id=812300 type-id=1 value-type=string
  /user-manager/attribute/add name="Hass-Local-Only" vendor-id=812300 type-id=2 value-type=hex
  /user-manager/attribute/add name="Hass-Is-Active" vendor-id=812300 type-id=3 value-type=hex
  /user-manager/user/add name="homeassistant-test" password="homeassistant" attributes="Hass-Group:system-users,Hass-Local-Only:0,Hass-Is-Active:1"
  /user-manager/router/add name="homeassistant-router" shared-secret="homeassistant" address="<your_subnet>"
  ```
Caution: the LDAP authentication method is in development.
The LDAP server must support the `memberof` module. The configuration should contain the entry `olcModuleload: memberof.so`.
In Alpine Linux, the module can be installed with `apk add openldap-overlay-memberof`.
The structure of the LDAP tree should look like this:
- cn=system-admin,cn=homeassistant,dc=example,dc=com
- cn=system-users,cn=homeassistant,dc=example,dc=com
Users can also be added to the parent group:
- cn=homeassistant,dc=example,dc=com
In this case, members of the parent group get the rights of `system-users`.
Prospective users must have the following attributes:
- uid
- givenName
- memberof
If the `givenName` attribute is missing, the login is used as the username.
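An added example, not part of the project, showing how the tree above maps to Home Assistant groups, how the `givenName` fallback works, and how the `{}` placeholder in the user DN or filter is filled. It does no LDAP I/O (the entry is constructed); `GROUP_BASE`, `SAFE_LOGIN` and the helper names are assumptions.

```python
"""Map an LDAP entry to a Home Assistant group and display name (tree layout as above)."""
import re

GROUP_BASE = "cn=homeassistant,dc=example,dc=com"   # parent group from the tree above (name assumed)
SAFE_LOGIN = re.compile(r"^[A-Za-z0-9._@-]+$")       # characters that are safe inside a DN or filter


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lowercase, no spaces around ',' and '='."""
    parts = ("=".join(x.strip() for x in rdn.split("=", 1)) for rdn in dn.split(","))
    return ",".join(parts).lower()


def user_dn(template: str, login: str) -> str:
    """Fill the userdn/filter template, e.g. 'uid={},ou=people,dc=example,dc=com'.
    Logins containing DN or filter metacharacters are refused rather than escaped."""
    if not SAFE_LOGIN.match(login):
        raise ValueError("login contains characters not allowed in a DN or filter")
    return template.replace("{}", login)


def hass_group(memberof, group_base: str = GROUP_BASE):
    """Map memberof values to a Home Assistant group; None means not a Home Assistant user."""
    groups = {norm_dn(dn) for dn in memberof}
    base = norm_dn(group_base)
    if f"cn=system-admin,{base}" in groups:
        return "system-admin"                # admin wins if a user is in both groups
    if f"cn=system-users,{base}" in groups or base in groups:
        return "system-users"                # direct member, or member of the parent group
    return None


def user_meta(login: str, entry: dict, group_base: str = GROUP_BASE):
    """Return the name/group for the meta output, or None to deny the login."""
    group = hass_group(entry.get("memberof", []), group_base)
    if group is None:
        return None
    name = (entry.get("givenName") or [login])[0]   # fall back to the login, as described above
    return {"name": name, "group": group}


# Constructed entry as returned for the filter '(uid={})' with attributes givenName, memberof.
SAMPLE_ENTRY = {"uid": ["alice"], "givenName": ["Alice"],
                "memberof": ["CN=system-admin, CN=homeassistant, DC=example, DC=com"]}
```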
In CLI mode, you need to set execution permissions: `chmod +x ./python_scripts/auth-aaa.py`.
Or run via Python: `python ./python_scripts/auth-aaa.py`.
Note: RADIUS connection parameters can be configured in `secrets.yaml`; see point 1 of the chapter Usage in auth_provider mode.
```
./python_scripts/auth-aaa.py -U 'username' -P 'password' -S 'server.example.com' -s 'secret'
```
key | secrets | type | required | description
---|---|---|---|---
-h | none | boolean | no | Get help information
-m | none | boolean | no | Enable meta to output credentials to stdout (Defaults to False)
-t | none | string | no | Set AAA type, RADIUS or LDAP (Defaults to RADIUS)
-U | none | string | yes | Username
-P | none | string | yes | Password
-S | auth_aaa_server | string | yes | Server (Defaults from secrets.yaml)
-s | auth_aaa_radius_secret | string | yes | RADIUS secret (Defaults from secrets.yaml)
-b | auth_aaa_ldap_basedn | string | yes | LDAP BASE DN (Defaults from secrets.yaml)
-u | auth_aaa_ldap_userdn | string | yes | LDAP USER DN (Defaults from secrets.yaml)
-f | auth_aaa_ldap_filter | string | no | LDAP FILTER (Defaults from secrets.yaml)
-a | auth_aaa_ldap_attrib | list | no | Get an array of attributes

Important: when keys are given, they take precedence over values from `secrets.yaml` and variables passed from Home Assistant.