Python script for Home Assistant that adds AAA authentication
Losenmann/hacs-auth-aaa

Auth AAA

Python script for Home Assistant adding authentication via RADIUS or LDAP.
The project is based on the pyrad library.

Overview

The script authenticates Home Assistant users against a RADIUS or LDAP server.
This allows you to manage user access centrally.
The script supports two launch modes: auth_providers and CLI.
Additional information about the auth_providers mode is in the Home Assistant documentation.

Install

  • Method 1. HACS > Python Script > Add > Auth AAA > Install

  • Method 2. Copy auth-aaa.py manually from the latest release to the path /config/python_scripts:

    wget -LP /config/python_scripts "https://github.com/losenmann/iptv-toolkit/releases/latest/download/auth-aaa.py"

Usage in auth_provider mode

Setup

Home Assistant

  1. Set connection parameters in the secrets.yaml file. Example data:
    auth_aaa_server: "server.example.com"
    auth_aaa_radius_secret: "homeassistant"
    auth_aaa_ldap_userdn: "uid={},ou=people,dc=example,dc=com"
    auth_aaa_ldap_basedn: "ou=people,dc=example,dc=com"
    auth_aaa_ldap_filter: "(uid={})"
    auth_aaa_ldap_attrib: ["givenName","memberof"]

Important

{} - is replaced by the username.

  2. In the configuration.yaml file add the following configuration; the order of the authentication providers matters:
    homeassistant:
      auth_providers:
        - type: command_line
          command: '/usr/local/bin/python'
          args: ['/config/python_scripts/auth-aaa.py', '-m']
          meta: true
        - type: homeassistant

Note

The meta: true directive makes the script write several variables to standard output, which populate the user account created in Home Assistant with additional data (name, group, local-only flag). Removing the directive disables authorization in Home Assistant through the script.
The script can also be run directly as an executable; for this you need to set execute permissions. By default, HACS strips the permission bits.

If RADIUS is used

  1. Add the contents of the repository's dictionary file to the RADIUS server's dictionary file.

  2. Set the user's Hass-Group attribute to system-users:

    Attribute       | Type   | Value                      | Description
    Hass-Group      | string | system-users, system-admin | User group (Default system-users)
    Hass-Local-Only | byte   | 0, 1                       | Local login only (Default 0)
    Hass-Is-Active  | byte   | 0, 1                       | Activate user account (Default 1)

Warning

For RADIUS authorization to work correctly, you must add the attributes from the dictionary file to the RADIUS server's dictionary file.
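As an added illustration (not code from the auth-aaa project), the script below shows how a command_line auth provider can turn the Hass-* attributes from the table above into the meta lines Home Assistant reads when meta: true is set, and how it fails closed when an account is deactivated or carries a group Home Assistant does not know. It assumes, as documented for Home Assistant's command_line provider, that the credentials arrive in the username and password environment variables, that exit code 0 means success, and that stdout lines of the form name = , group = and local_only = are the meta fields. The pyrad calls, the AUTH_AAA_SERVER / AUTH_AAA_SECRET variables and the dictionary file path are assumptions made for this example, and the reply attribute dictionaries used in the comments are constructed.

```python
"""Added example: RADIUS reply attributes -> Home Assistant command_line meta.

Not part of the auth-aaa project. Assumptions: Home Assistant passes the
credentials in the environment variables `username` and `password`, treats
exit code 0 as success, and with `meta: true` parses stdout lines
`name = ...`, `group = ...`, `local_only = ...`.
"""
import os
import sys

ALLOWED_GROUPS = {"system-users", "system-admin"}  # the groups Home Assistant knows
DEFAULT_GROUP = "system-users"                      # Hass-Group default from the README


def meta_from_radius(username, attrs):
    """Map the Hass-* vendor attributes of an Access-Accept to HA meta lines.

    `attrs` is the reply's attribute dict with list values, e.g. (constructed)
    {"Hass-Group": ["system-admin"], "Hass-Local-Only": [0], "Hass-Is-Active": [1]}.
    Returns (accepted, meta_lines).
    """
    def first(name, default):
        values = attrs.get(name)
        return values[0] if values else default

    # Hass-Is-Active defaults to 1; an explicitly deactivated account is denied
    # even though the RADIUS server accepted the password.
    if int(first("Hass-Is-Active", 1)) != 1:
        return False, []

    group = str(first("Hass-Group", DEFAULT_GROUP))
    if group not in ALLOWED_GROUPS:
        # Unknown group: deny rather than silently fall back to a default.
        return False, []

    local_only = int(first("Hass-Local-Only", 0)) == 1
    lines = [
        f"name = {username}",
        f"group = {group}",
        f"local_only = {'true' if local_only else 'false'}",
    ]
    return True, lines


def radius_check(server, secret, username, password, dictionary="dictionary"):
    """Send an Access-Request with pyrad (the library the README names).

    Returns the Hass-* attributes on Access-Accept, None otherwise. pyrad is
    imported lazily so the mapping above can be exercised without it.
    """
    from pyrad import packet
    from pyrad.client import Client
    from pyrad.dictionary import Dictionary

    client = Client(server=server, secret=secret.encode(), dict=Dictionary(dictionary))
    req = client.CreateAuthPacket(code=packet.AccessRequest, User_Name=username)
    req["User-Password"] = req.PwCrypt(password)
    reply = client.SendPacket(req)
    if reply.code != packet.AccessAccept:
        return None
    names = ("Hass-Group", "Hass-Local-Only", "Hass-Is-Active")
    return {name: list(reply[name]) for name in names if name in reply}


def main():
    # Credentials come from the environment (assumed, see module docstring);
    # AUTH_AAA_SERVER / AUTH_AAA_SECRET are placeholders for this example.
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    server = os.environ.get("AUTH_AAA_SERVER", "server.example.com")
    secret = os.environ.get("AUTH_AAA_SECRET", "homeassistant")

    attrs = radius_check(server, secret, username, password)
    if attrs is None:
        sys.exit(1)  # Access-Reject or no answer: deny
    accepted, lines = meta_from_radius(username, attrs)
    if not accepted:
        sys.exit(1)
    print("\n".join(lines))  # consumed by Home Assistant when meta: true


if __name__ == "__main__":
    main()
```

The two deny branches in meta_from_radius are the point: an Access-Accept alone is not enough, the Hass-Is-Active and Hass-Group values decide whether the account is usable and which group it lands in.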

For MikroTik device owners:
  1. Install user-manager package:
    /tool/fetch mode=https url=("https://download.mikrotik.com/routeros/".[/system/routerboard/get upgrade-firmware]."/user-manager-".[/system/routerboard/get upgrade-firmware]."-".[/system/resource/get architecture-name].".npk") output=file
    /system/reboot
  2. Setup a user-manager:
    /user-manager/attribute/add name="Hass-Group" vendor-id=812300 type-id=1 value-type=string
    /user-manager/attribute/add name="Hass-Local-Only" vendor-id=812300 type-id=2 value-type=hex
    /user-manager/attribute/add name="Hass-Is-Active" vendor-id=812300 type-id=3 value-type=hex
    /user-manager/user/add name="homeassistant-test" password="homeassistant" attributes="Hass-Group:system-users,Hass-Local-Only:0,Hass-Is-Active:1"
    /user-manager/router/add name="homeassistant-router" shared-secret="homeassistant" address="<your_subnet>"

If LDAP is used

Caution

The LDAP authentication method is still in development.

The LDAP server must support the memberof module. There should be an entry in the configuration: olcModuleload: memberof.so.
In Alpine Linux, the module can be installed like this: apk add openldap-overlay-memberof.

The structure of the LDAP tree should look like this:

cn=system-admin,cn=homeassistant,dc=example,dc=com
cn=system-users,cn=homeassistant,dc=example,dc=com

Users can be added to a parent group:

cn=homeassistant,dc=example,dc=com

In this case, members of the parent group get system-users rights.

Prospective users must have the following attributes:

  • uid
  • givenName
  • memberof

If the givenName attribute is missing, then the login will be used as the username.
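As an added illustration (not code from the auth-aaa project), the block below builds the LDAP user DN and search filter from the {} templates in secrets.yaml and derives the Home Assistant group from the memberof attribute using the tree layout described above, including the parent-group rule and the givenName fallback. Substituting the username into the filter and DN without escaping would let a username change the meaning of the query, so the example hex-escapes filter metacharacters (RFC 4515) and backslash-escapes DN specials (RFC 4514) first. The escaping helpers, the group base cn=homeassistant,dc=example,dc=com taken from the README, and the sample entries in the test are my own constructions; the actual LDAP bind and search are left to whatever client library is used.

```python
"""Added example: safe template substitution and memberof -> HA group mapping.

Not part of the auth-aaa project. The LDAP connection itself is out of scope;
`entry` below stands for the attribute dict returned for the user's object.
"""
import re

GROUP_BASE = "cn=homeassistant,dc=example,dc=com"  # parent group from the README


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter.

    Characters with filter meaning (`*`, `(`, `)`, `\\`, NUL) become \\xx so
    the username cannot alter the filter structure.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_dn_value(value):
    """RFC 4514 escaping for a value placed inside a DN (attribute value)."""
    escaped = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if value.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_user_dn(template, username):
    """auth_aaa_ldap_userdn template, e.g. 'uid={},ou=people,dc=example,dc=com'."""
    return template.replace("{}", escape_dn_value(username))


def build_filter(template, username):
    """auth_aaa_ldap_filter template, e.g. '(uid={})'."""
    return template.replace("{}", escape_filter_value(username))


def normalize_dn(dn):
    # Case-insensitive comparison, whitespace after separators ignored.
    # Good enough here; DNs with escaped commas would need a real parser.
    return re.sub(r",\s*", ",", dn.strip()).lower()


def group_from_memberof(memberof, group_base=GROUP_BASE):
    """Return 'system-admin', 'system-users' or None (not a Home Assistant user)."""
    base = normalize_dn(group_base)
    groups = {normalize_dn(dn) for dn in memberof}
    if f"cn=system-admin,{base}" in groups:
        return "system-admin"
    # Direct system-users membership or membership of the parent group.
    if f"cn=system-users,{base}" in groups or base in groups:
        return "system-users"
    return None


def meta_from_ldap(entry, group_base=GROUP_BASE):
    """Map a user entry (dict of attribute -> list of values) to HA meta lines."""
    uid = (entry.get("uid") or [None])[0]
    if not uid:
        return False, []
    group = group_from_memberof(entry.get("memberof") or [], group_base)
    if group is None:
        return False, []  # authenticated, but not a member of any HA group
    name = (entry.get("givenName") or [uid])[0]  # README: fall back to the login
    return True, [f"name = {name}", f"group = {group}"]
```

group_from_memberof checks system-admin first, so a user in both groups gets the higher group; a user in neither is denied even if the bind succeeded, which is the behaviour you want from a central directory.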

Usage in CLI mode

In CLI mode, either set execute permissions (chmod +x ./python_scripts/auth-aaa.py) or run the script via Python (python ./python_scripts/auth-aaa.py).

Note

RADIUS connection parameters can be configured in secrets.yaml, see point 1 of the chapter Usage in auth_provider mode.

./python_scripts/auth-aaa.py -U 'username' -P 'password' -S 'server.example.com' -s 'secret'

Script arguments

key | secrets                | type    | required | description
-h  | none                   | boolean | no       | Get help information
-m  | none                   | boolean | no       | Enable meta to output credentials to stdout (Defaults to False)
-t  | none                   | string  | no       | Set AAA type: RADIUS or LDAP (Defaults to RADIUS)
-U  | none                   | string  | yes      | Username
-P  | none                   | string  | yes      | Password
-S  | auth_aaa_server        | string  | yes      | Server (Defaults from secrets.yaml)
-s  | auth_aaa_radius_secret | string  | yes      | RADIUS secret (Defaults from secrets.yaml)
-b  | auth_aaa_ldap_basedn   | string  | yes      | LDAP BASE DN (Defaults from secrets.yaml)
-u  | auth_aaa_ldap_userdn   | string  | yes      | LDAP USER DN (Defaults from secrets.yaml)
-f  | auth_aaa_ldap_filter   | string  | no       | LDAP FILTER (Defaults from secrets.yaml)
-a  | auth_aaa_ldap_attrib   | list    | no       | Get an array of attributes

Important

Command-line keys take precedence over values from secrets.yaml and over variables passed from Home Assistant.
