This repository contains three packaged variants of the same goal: allow Home Assistant to authenticate users against LDAP using the built-in command_line auth provider (which executes an external script and interprets the exit code).
Because Home Assistant loads auth_providers at startup and does not expose a supported API for integrations to modify authentication configuration, enabling the provider still requires a one-time YAML configuration step (either inline or via !include). LDAP connection parameters can be managed either in YAML (v0/v1) or via UI config flow and .storage (v2).
- Target: Home Assistant Green / HA OS / Container deployments
- Auth mechanism: Home Assistant `command_line` auth provider executing a Python script
- LDAP library: typically `ldap3` (bundled or installed depending on version)
Intent: simplest deployment; a script reads LDAP parameters from configuration.yaml and is called by the command_line auth provider.
- A standalone `auth.py` intended to be referenced directly from `configuration.yaml`
- LDAP settings read from the `ldap_auth:` YAML section
- It bundles all dependencies, mainly `ldap3` and related dependencies.
- Very easy to understand and debug
- No Home Assistant integration packaging required
- Not a “real” custom integration (no `manifest.json`, no UI)
- Config changes are YAML-only
- Copy the `v0/ldap_auth` folder into `/config/python-scripts` (or a subfolder you control)
- Add the command_line auth provider to `configuration.yaml`
- Add the `ldap_auth:` configuration block to `configuration.yaml`
- Restart Home Assistant
Intent: package the solution as a proper custom integration under custom_components/, while still keeping LDAP parameters in YAML.
- A Home Assistant custom integration directory (domain folder under `custom_components/`)
- `manifest.json` present (integration is discoverable by HA)
- `auth.py` lives inside the integration folder
- LDAP settings still read from `configuration.yaml` (`ldap_auth:` section)
- Clean packaging under `custom_components/`
- Easier upgrades/rollbacks than a loose script
- More “Home Assistant-native” structure
- LDAP parameters are still YAML-only (no UI)
- `auth_providers` still requires manual YAML configuration
- Copy `v1/custom_components/<domain>` to `/config/custom_components/<domain>`
- Add the command_line auth provider block in `configuration.yaml` (pointing to the `auth.py` path)
- Add/maintain the LDAP YAML configuration section
- Restart Home Assistant
Intent: move LDAP parameters out of YAML and into the Home Assistant UI (stored in .storage), while assisting the user by generating an include file for auth providers.
- Custom integration with:
  - Config Flow (UI setup via Settings → Devices & services)
  - Options Flow (edit LDAP parameters in UI)
- LDAP settings stored in `.storage` (not `configuration.yaml`)
- Helper behavior: generates `/config/ldap_auth_providers.yaml` (or similarly named include file)
- Persistent notification and/or a service to show the required auth provider include file
- LDAP parameters are managed in UI (no YAML edits for LDAP settings)
- Cleaner configuration management and safer secrets handling
- Include-file generation reduces copy/paste errors
- You still must add the `auth_providers` include to `configuration.yaml` once
- Auth provider changes only take effect after restart (Home Assistant behavior)
- Copy `v2/custom_components/<domain>` to `/config/custom_components/<domain>`
- Restart Home Assistant
- Add the integration in the UI: Settings → Devices & services → Add Integration → LDAP Auth
- The integration will create an include file (example): `/config/ldap_auth_providers.yaml`
- Add one line to `configuration.yaml`:

  ```yaml
  homeassistant:
    auth_providers: !include ldap_auth_providers.yaml
  ```
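
All three variants rely on the same contract: the `command_line` auth provider runs a script, passes the credentials in the `username` and `password` environment variables, and treats exit code 0 as a successful login. The script below is an added example of that contract with the checks an LDAP-backed script needs; it is not this repository's `auth.py`, and the LDAP URL, base DN, filter, anonymous search and function names are assumptions.

```python
#!/usr/bin/env python3
import os
import sys

# Assumed sample settings (constructed); the packages read theirs from
# ldap_auth: in configuration.yaml (v0/v1) or from .storage (v2).
LDAP_URL = "ldaps://ldap.example.internal"
BASE_DN = "ou=people,dc=example,dc=internal"
USER_FILTER = "(&(objectClass=person)(uid={user}))"

def escape_filter(value):
    """RFC 4515 escaping so a username cannot change the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def ldap_bind(user_filter, password):
    """Find exactly one entry, then bind as it. Returns display name or None."""
    from ldap3 import Connection, Server  # lazy: only needed for a real lookup
    server = Server(LDAP_URL)
    search = Connection(server, auto_bind=True)  # anonymous search is an assumption
    search.search(BASE_DN, user_filter, attributes=["cn"])
    if len(search.entries) != 1:
        return None
    entry = search.entries[0]
    user = Connection(server, user=entry.entry_dn, password=password)
    return str(entry.cn.value) if user.bind() else None

def authenticate(env, bind=ldap_bind):
    """Return (exit_code, stdout_lines); exit code 0 is the only success signal."""
    username, password = env.get("username", ""), env.get("password", "")
    # An empty password turns a simple bind into an unauthenticated bind,
    # which many directories accept, so refuse it before contacting LDAP.
    if not username or not password:
        return 1, []
    try:
        name = bind(USER_FILTER.format(user=escape_filter(username)), password)
    except Exception:
        return 1, []  # fail closed on any LDAP or network error
    if name is None:
        return 1, []
    # Meta output is line-based; keep directory data on a single line.
    return 0, ["name = " + " ".join(str(name).split())]

if __name__ == "__main__":
    code, lines = authenticate(os.environ)
    print("\n".join(lines))
    sys.exit(code)
```

Home Assistant only reads the `name = ...` line when the provider entry sets `meta: true`; without it, the exit code alone decides the login.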