I was reading about authentication providers just now, and that led me to this script on GitHub used to authenticate over LDAP.
The only caveat is that I’d need Home Assistant Core to get the additional binaries, it seems. I’ve no idea which one that is, I think it’s the one without Supervisor — the point is, I figured I could work around it by hosting the script on another server that has the tools, and the certificates to do secure LDAP, and could just invoke it through SSH.
While going through the script (still on GitHub’s website), I noticed it was meant for real LDAP, so to speak (I’m on Active Directory). Dreading the uid→sAMAccountName and all that, it occurred to me: what if I use something like kinit instead?
It requires exactly the two values available, and the rest is already set up since the machine is domain-joined (I’d be using an old Mac for it). And it even returns the response required: nothing. (exit code zero, technically — I know, I know.)
The best part is that the whole chain would be secure; SSH+Kerberos. Well, SSH+LDAPS is too, I guess, but Kerberos is kinda badass so… yeah.
The only problem with this one is that I don’t know if you can send the password inline, I doubt it. The manpage goes on and on about keytabs which are obviously out of the question — not that I remember how to use them anyway, keytab-related syntax is harder to solve than the encryption itself, and in any case dsconfigad/realm/Add-Computer [and DNS] sets the whole thing up, I never need them — but I suppose I can ugly-script it. I’ve seen it before; when they use tricks like Here Documents to simulate interactive password (or whatever) input.
Has anybody done this? A little advice would be awesome!
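As an added illustration of the approach described in the post (not code from the poster or from the linked GitHub script), here is a hypothetical command-line auth provider script that checks a domain password with kinit. It assumes Home Assistant's command_line provider hands the entered credentials to the script in the environment variables `username` and `password`, that an MIT-style kinit reads the password from stdin when stdin is not a terminal, that kinit/kdestroy accept `-c` for a private credential cache, and a constructed placeholder realm `EXAMPLE.LOCAL` (overridable via `KRB_REALM`). The username check is the part worth copying: it refuses anything that is not a plain account name, so a value typed into the login form cannot be turned into a principal in another realm or a service principal.

```shell
#!/bin/sh
# Hypothetical Home Assistant command_line auth provider (added example, not
# from the original post). Assumptions, all constructed for this example:
#   - Home Assistant exports the submitted credentials as the environment
#     variables "username" and "password" and treats exit status 0 as success.
#   - kinit reads the password from stdin when stdin is not a terminal (MIT
#     behaviour); kinit/kdestroy accept "-c <cache>" for a private cache.
#   - The Kerberos realm is EXAMPLE.LOCAL unless KRB_REALM overrides it.
REALM="${KRB_REALM:-EXAMPLE.LOCAL}"   # constructed placeholder realm

# Accept only plain sAMAccountName-style names. '@', '/', whitespace and other
# principal syntax are rejected so the login cannot be redirected to a
# different realm or to a service principal by what is typed in the form.
validate_username() {
    case "$1" in
        "" | *[!A-Za-z0-9._-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Print the principal to try for a validated account name; status 1 if invalid.
principal_for() {
    validate_username "$1" || return 1
    printf '%s@%s\n' "$1" "$REALM"
}

# Request a TGT into a throwaway cache. The password travels over stdin, never
# as a command-line argument, so it is not visible in the process list.
# Returns kinit's exit status: 0 means the KDC accepted the password.
authenticate() {
    user="$1"
    pass="$2"
    [ -n "$pass" ] || return 1
    princ=$(principal_for "$user") || return 1
    cache=$(mktemp) || return 1
    printf '%s\n' "$pass" | kinit -c "$cache" "$princ" >/dev/null 2>&1
    rc=$?
    # Drop the ticket whatever the outcome; we only wanted the yes/no answer.
    kdestroy -c "$cache" >/dev/null 2>&1
    rm -f "$cache"
    return $rc
}

# Entry point when invoked by the auth provider (username set in environment).
if [ -n "${username:-}" ]; then
    authenticate "$username" "${password:-}"
    exit $?
fi
```

One caveat a practitioner would want noted: a password-only kinit proves the password to whichever KDC answers, so on a network where DNS or the KDC could be impersonated the check is only as trustworthy as the path to the domain controller; the domain-joined machine's own host key (the keytab the manpage keeps mentioning) is what Kerberos would normally use to verify the KDC's reply.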