Closed olbjan closed 4 years ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I checked that on hass.io Supervisor 162 and hassOS 2.11 curl still does not include LDAP support.
Our containers for Hass.io are based on Alpine Linux.
Alpine Linux does not ship CURL with LDAP support. See also here: https://git.alpinelinux.org/aports/tree/main/curl/APKBUILD#n94
This isn't "fixable" from our end.
Hi @olbjan did you manage to integrate LDAP with Hassio? I've bumped into the same problem. I'm considering reinstalling Hassio on top of Debian to avoid these limitations but I'd like to avoid going through that trouble if I could. Did you find a workaround? Thanks
@nununo Sorry, I've basically given up on this for the time being. LDAP auth is nice, but not important enough for me that I'm willing to roll my own OS below HA...
@olbjan makes sense. I already had in mind trying to install HA over Debian so I may still give it a try if I get to do it.
I'm also trying, but since curl is no option, I'm currently investigating the ldapsearch route. Installing ldapsearch was easy:
```
core-ssh:~# apk add openldap-clients
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/armv7/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/armv7/APKINDEX.tar.gz
(1/4) Installing db (5.3.28-r1)
(2/4) Installing libsasl (2.1.27-r3)
(3/4) Installing libldap (2.4.48-r0)
(4/4) Installing openldap-clients (2.4.48-r0)
Executing busybox-1.30.1-r2.trigger
OK: 76 MiB in 67 packages
```
curl works; we only need to build our own version into the image.
I finally managed to integrate LDAP with Hassio. I had to perform some extra hacks to make it work:
* I followed [this tip](https://community.home-assistant.io/t/new-home-assistant-alpine-docker-image-curl-ldaps-not-supported/134572/10) to install ldapsearch inside the Hassio image (although I had to tweak the command to `docker exec -t -i homeassistant apk add --update --repository http://dl-cdn.alpinelinux.org/alpine/edge/main --repository http://dl-cdn.alpinelinux.org/alpine/edge/community openldap-clients`);
* Since my LDAP server uses STARTTLS, I had to copy the LDAP server's certificate to the `config/ldap-auth-sh/` folder and configure `/etc/openldap/ldap.conf` to point to it;
* Edited the script to include the option `-ZZ` in the `common_opts`.
Most probably an upgrade will break something. I'll wait and see. Anyway, it's working ;)
It would be great, though, if LDAP integration would be easier to implement in Hassio...
I would also love to have LDAP authentication supported by Hass.io.
Regards Richard
The suggestion posted by @nununo also works for me - but I fear it'll have to be run upon every pull of a docker image (i.e., every HA version update). Any chance we can package openldap-clients with the image while waiting for a compiled version of curl with ldap? Would be super!
Indeed @mountainsandcode, mine is already broken and I've been lazy to retweak it :-) Native LDAP support would be so great.
@pvizeli Would love to support somehow (e.g., with a PR) but not familiar at all with OS-level development. Any pointers or can we support somehow to get this implemented?
Hmm, still no ldap support for curl or am i missing something?
Regards Richard
I'm interested, too. (Should be mentioned in the docs, too. The way to get LDAP support as described in the docs does not work with the officially preferred way of installation ;-/ .)
The big problem here is the linked LDAP Auth script is all wrong for ldapsearch. Their BASEDN is used for BINDDN, and HOST isn't used at all. I'm sure it would work if you already had LDAP Auth set up on your system, but as-is, it's all messed up and unusable. I'm willing to bet the number of people using HASSIO ldap auth with the script is near-zero, and includes those who figured out how to install curl.
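The ldapsearch-based check the post above describes, written out as an added example for this thread (it is not the linked ldap-auth-sh script and not Home Assistant code). It keeps the two DNs apart: the bind DN is the DN of the user who is logging in, the base DN is only where to read, and the server URI is passed explicitly. `LDAP_URI` and `USER_DN_TEMPLATE` are assumed placeholders, and the script assumes, as the other scripts in this thread do, that Home Assistant exports the login attempt as the environment variables `username` and `password`.

```sh
#!/bin/sh
# LDAP bind check for Home Assistant's command_line auth provider, using
# ldapsearch from openldap-clients instead of curl. Added example, not the
# ldap-auth-sh script linked in this thread. Both values below are assumed
# placeholders for your own directory.
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.internal}"
USER_DN_TEMPLATE="${USER_DN_TEMPLATE:-uid=%s,ou=people,dc=example,dc=internal}"

# bind_dn USERNAME -> the DN to bind as. Rejects empty names and the RFC 4514
# special characters, so a login name like "alice,ou=admins" cannot rewrite
# the DN that the template produces.
bind_dn() {
    if [ -z "$1" ] || printf '%s' "$1" | grep -q '[\\,+"<>;= ]'; then
        return 1
    fi
    printf "${USER_DN_TEMPLATE}\n" "$1"
}

# ldap_bind USERNAME PASSWORD -> exit status of ldapsearch (0 = bind succeeded,
# 49 = invalidCredentials). Simple bind (-x) as the user's own DN, reading only
# that entry (-s base, no attributes) so a success returns at most one object.
# The password is handed over through a 0600 temp file (-y) rather than on the
# command line, where it would show up in the process list.
ldap_bind() {
    dn=$(bind_dn "$1") || return 2
    pwfile=$(mktemp) || return 2
    chmod 600 "$pwfile"
    printf '%s' "$2" > "$pwfile"
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$dn" -y "$pwfile" \
               -b "$dn" -s base '(objectClass=*)' 1.1 >/dev/null 2>&1
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# ldap_decide RC USERNAME -> Home Assistant's protocol: print "name = user"
# and return 0 only for a successful bind. 49 and every other status (server
# down, TLS failure, rejected DN) deny, so the check never fails open.
ldap_decide() {
    if [ "$1" = "0" ]; then
        printf 'name = %s\n' "$2"
        return 0
    fi
    return 1
}

# Only run the real check when Home Assistant invoked the script (it sets
# username and password); otherwise the functions are merely defined.
if [ -n "${username:-}" ] && [ -n "${password:-}" ]; then
    ldap_bind "$username" "$password"
    ldap_decide "$?" "$username" && exit 0
    exit 1
fi
```

With `ldaps://` no `-ZZ` is needed; for a plain `ldap://` URI add `-ZZ` to the ldapsearch call so the bind is refused unless STARTTLS succeeds, and point `TLS_CACERT` in `/etc/openldap/ldap.conf` at the server's CA as the STARTTLS comment in this thread does.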
Anybody found a workaround yet?
Yeah. Let me organize my notes... It was frackin' ridiculous what I had to do.
I created a topic here for hassio. It uses ssh to log into a remote computer with ldapsearch installed. It's messy but it works. https://community.home-assistant.io/t/hassos-ldap-command-line-authentication-over-ssh/228852
There is currently an open PR to add LDAP as an authentication provider to Core: home-assistant/core#37645
I'm interested in it also, but still nothing in docker 2021.4.1.
Hello, is there any update?
I use the Docker container on Raspbian and use a small script to SSH to the host to run ldapsearch from there. Very awkward but it works. I really wonder why HA seems not to be interested in LDAP. For my home net I can use LDAP for everything else but for HA. This is no enterprise-only feature, it gives everyone in the household the possibility to use the same credentials for every PC, for the media server, for Nextcloud, etc., etc. Why not HA?
The protocol is very simple. You just need to return a 0 or a 1 as an exit status from a script. I remote SSH to a server with LDAP capabilities. I also set up a script to transmit the info to a server I have set up with Basic Authentication on Apache to my LDAP, which I am trying to work with now to figure out how to prevent potential attacks. Basically the idea is to do a curl with user/pass and test for 200 status. The same basic premise can be applied to anything you can run on the command line. While it's not a solution, hopefully this helps others.
The problem is they rely on the upstream packages. If someone wants to fix it, it could be handled by a commit to Alpine Linux. Their curl package has no LDAP support.
But it's not working in Docker because you need to "custom" inside the container ...
I was also disappointed by the example referenced in the docs not working, so I wrote a script to talk to an Authelia instance (backed by LDAP) using regular HTTPS rather than LDAP:
I set up a Basic Auth authentication method. All you have to do is create any apache/nginx with a static page protected by Basic Auth and point the script at that site. If that site provides an HTTP 200 response, then you will be able to login. If you get an unauthorized or other error, it will prevent login. I set up LDAP on my basic auth and it essentially works the same as managing from this script. Please note, if your DNS is poisoned or the site is compromised, it will compromise the login for HA. However, it's easier to set this up than to set up LDAP on HA OS.
https://gist.github.com/adamoutler/c2dc2618de03ce26c9fefc7a40cf11af
Thank you for sharing this, i'll give it a try.
It's really sad that the builtin curl version doesn't support ldap like every other curl does.
Regards Richard
@adamoutler
I was able to set everything up and authentication is working. But the user signed in was not mapped to a Home Assistant user.
I played around with echoing the user but without success. Did you have success with passing back the username to Home Assistant?
Echo only works for the first login. After that, you have to delete the user.
I was able to map the person to the new user (LDAP) and give the new user "owner" permissions. You have to edit /config/.storage/auth and /config/.storage/person
Here is the updated script I use:
```bash
#! /bin/bash
# Basic Authentication login for Home Assistant.
# Adam Outler <homeassistant@adamoutler.com>
#
# To prevent vulnerability to DNS poisoning attack use HSTS on the server in HOSTNAME,
# or specify a local IP address on your trusted LAN.
#
# Modify HOSTNAME to your site.
HOSTNAME="https://hostname.webauth.internal" # site to use for basic auth validation
# Home Assistant passes the login attempt in the environment variables username and password.
response=$(curl -u "${username}:${password}" -I "${HOSTNAME}" 2>/dev/null | head -n1 | cut -d' ' -f2)
if [ "${response}" == "200" ]; then
  echo "name = ${username}" # with meta: true this becomes the Home Assistant user name
  exit 0                    # exit 0 only if we get a 200 HTTP status code
fi
exit 187 # exit with a non-zero response: authentication failed
```
And here is the config i use:
```yaml
homeassistant:
  auth_providers:
    - type: command_line
      command: /config/python_scripts/basic-auth.sh
      args: ["--username", "--password"]
      meta: true
```
Thanks for your input @adamoutler
Regards Richard
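A hardened variant of the Basic Auth check discussed in this thread, added here as an example (it is neither the script posted above nor Home Assistant's code). It takes the status code from curl's `--write-out` instead of parsing the first header line, restricts the transfer to https with a pinned CA so a poisoned DNS answer cannot mint logins, and keeps the `exit 0` inside the `if` so that only an exact 200 succeeds. `AUTH_URL` and `CA_BUNDLE` are assumed placeholders; the script assumes, like the others in this thread, that Home Assistant exports the login attempt as the environment variables `username` and `password`, and it is meant to be used with the same `command_line` provider config (`meta: true`) shown above.

```sh
#!/bin/sh
# Basic Auth check for Home Assistant's command_line auth provider.
# Added example for this thread, not the script posted above and not
# Home Assistant's own code. With "meta: true", a line "name = <user>"
# on stdout becomes the user's name in Home Assistant.
#
# AUTH_URL and CA_BUNDLE are assumed placeholders: a page your LDAP-backed
# proxy (Apache/nginx/Authelia) protects with Basic Auth, and the CA that
# signed its certificate.
AUTH_URL="${AUTH_URL:-https://auth.example.internal/ha-auth/}"
CA_BUNDLE="${CA_BUNDLE:-/config/ldap-auth-sh/auth-ca.pem}"

# probe_status USER PASS -> prints the HTTP status code, or 000 on any
# transport or TLS failure. --write-out is used instead of parsing the first
# header line, which differs between HTTP/1.1 and HTTP/2 and changes on
# redirects; --proto '=https' refuses to follow anything but https.
probe_status() {
    code=$(curl --silent --output /dev/null --max-time 10 \
                --proto '=https' --cacert "$CA_BUNDLE" \
                --user "$1:$2" --write-out '%{http_code}' "$AUTH_URL" 2>/dev/null) \
        || code="000"
    printf '%s' "$code"
}

# http_decide STATUS USER -> prints the meta line and returns 0 only for
# exactly 200; 401, 403, 5xx and 000 all deny. Keeping the exit inside an
# if block avoids the "[ ... ] && echo ...; exit 0" shape, in which exit 0
# runs unconditionally and every password is accepted.
http_decide() {
    if [ "$1" = "200" ]; then
        printf 'name = %s\n' "$2"
        return 0
    fi
    return 1
}

# Only perform a real check when Home Assistant invoked the script (it sets
# username and password); otherwise the functions are merely defined.
if [ -n "${username:-}" ] && [ -n "${password:-}" ]; then
    if http_decide "$(probe_status "$username" "$password")" "$username"; then
        exit 0
    fi
    exit 1
fi
```

Because the proxy, not Home Assistant, talks to LDAP, the container needs nothing beyond the stock curl; whatever rate limiting or lockout the proxy applies to Basic Auth then also covers Home Assistant logins.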
You made the script better. I just changed my display name when I logged in the first time and forgot about it.
My solution currently is running webhookd (https://github.com/ncarlier/webhookd/) on the host system (easy to install, it is a single binary). So you can use a modified ldap-auth.sh script with curl and/or ldapsearch on the host and only need a kind of "proxy" authentication script in the container (to call the webhook and to make authentication fail if the webhook does not return "name=xyz"). It is probably only suitable for local, trusted installs, but the advantage is that webhookd can be used for lots of things from the homeassistant container to the host system.
@nununo Does this work between updates? Also I am still having issues after running your fix to alpine, it still doesn't want to authenticate
```
2023-09-30 16:25:41.801 ERROR (MainThread) [homeassistant.auth.providers.command_line] User 'root' failed to authenticate, command exited with code 2
```
I am using this script btw: https://github.com/bob1de/ldap-auth-sh
> @nununo Does this work between updates? Also I am still having issues after running your fix to alpine, it still doesn't want to authenticate
No it doesn't. I actually gave up on it because it stopped working after an update. I ended up giving up on this because it wasn't a priority. It's a shame, though.
My solution for using LDAP in a podman container: I have "webhookd" (https://github.com/ncarlier/webhookd/) running natively on the host. I use this service to control different services on the host from within the HA container with simple curl calls. This includes a modified version of the HA ldap_auth.sh example script (running on the host, not in the container).
HA itself in the container can use an auth script like the following:
```bash
#!/bin/bash
# Run within homeassistant docker container
urlencode() {
    local string="${1}"
    local strlen=${#string}
    local encoded=""
    local pos c o
    for (( pos=0 ; pos<strlen ; pos++ )); do
        c=${string:$pos:1}
        case "$c" in
            [-_.~a-zA-Z0-9]) o="${c}" ;;
            *) printf -v o '%%%02x' "'$c" ;;
        esac
        encoded+="${o}"
    done
    REPLY="${encoded}"
}
urlencode "$username"
user_enc=${REPLY}
urlencode "$password"
pass_enc=${REPLY}
# mylocalhostname:port is the webhookd endpoint on the host; adjust to your setup
result=$(curl -X GET -s "http://mylocalhostname:port/ldap-auth?username=$user_enc&password=$pass_enc" | head -n 1)
if [[ $result == name* ]]
then
    echo "$result"
    exit 0
else
    echo "ERROR: Authentication failed"
    exit 1
fi
```
This has been running very stably for me over different HA versions. I don't know about any security issues, but as this takes place within the same physical host in my private network, I think I can live with that.
I know this is an old topic, however, I found another solution: compile curl statically on another machine and move only the curl with LDAP support. Here are the commands I used (on another machine) to compile curl; the finished file I moved to the HA configuration directory:
```sh
apt install build-essential wget libldap-dev   # libldap-dev provides the LDAP headers configure needs
wget https://github.com/curl/curl/releases/download/curl-8_10_1/curl-8.10.1.tar.gz
tar xzf curl-8.10.1.tar.gz
cd curl-8.10.1/
./configure --disable-http --disable-ftp --disable-file --disable-rtsp --disable-proxy --disable-dict --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-mqtt --disable-manual --disable-docs --enable-ldaps --enable-ldap --without-ssl --without-libpsl --disable-verbose --disable-shared --enable-static
make
cd ..
cp curl-8.10.1/src/curl .   # the curl tool is built in src/; lib/ holds libcurl
```
Maybe contribute curl with all enabled to haos?
On which Linux distro? I tried your commands both on the host (Ubuntu 24.10) and, with some adaptations, within the Home Assistant container (which is Alpine Linux), and in both cases only a dynamically linked curl was compiled despite the static options. I also had to install openldap-dev beforehand, and as soon as this package was uninstalled again, the compiled curl would fail.
OK, as I don't really like my hacky solution above (https://github.com/home-assistant/supervisor/issues/940#issuecomment-1744219344), I tried another way: You can also use static ldapsearch binaries from this unfortunately very outdated repo https://github.com/home-assistant/supervisor/issues/940#issuecomment-1744219344 , as the ldap-auth.sh script also can use this command.
> On which Linux distro?
On Debian 12
Sorry, I wrote this post before I checked if curl works on Alpine (like HA) and it turned out that it does not. I checked on another Debian-based system. As @Ra72xx mentioned, I used a statically compiled ldapsearch using musl (like Alpine). Due to the size of the project the whole thing went much more smoothly and works :)
```sh
apt install musl musl-dev musl-tools -y
git clone https://git.openldap.org/openldap/openldap.git
cd openldap
CC="musl-gcc -static" ./configure --prefix=$HOME/musl && make
# the resulting binary is at clients/tools/ldapsearch
```
Thanks. Based on that a quick and very untested script to compile ldapsearch within the Alpine HA container:
```sh
#!/bin/sh
INSTALL=/config/local_ldap_auth/
BUILD=/tmp
cd $BUILD || exit 1
# Alpine's compiler meta-package is build-base, and apk takes no -y flag
apk add --update build-base musl-dev groff git
git clone https://git.openldap.org/openldap/openldap.git
cd openldap || exit 1
./configure
make
test -f clients/tools/ldapsearch || exit 1
mkdir -p $INSTALL
test -f $INSTALL/ldapsearch && mv $INSTALL/ldapsearch $INSTALL/ldapsearch.old
cp clients/tools/ldapsearch $INSTALL
```
Home Assistant release with the issue: 0.88 and 0.89
Operating environment (HassOS/Generic): HassOS 2.10 on Intel NUC
Supervisor logs:
Description of problem: Trying to use the commandline auth provider against an LDAP server is currently not possible in Hass.io / HassOS installations as the provided curl does not support the LDAP protocol or ldapsearch.
This is required by the linked example script as linked in the HA documentation: https://www.home-assistant.io/docs/authentication/providers/ --> https://github.com/efficiosoft/ldap-auth-sh