example_configs: add support for admins and local users in homeassistant

2024-11-25 09:06:03 +00:00 · 2023-12-19 16:36:00 -05:00 · 2023-12-19 16:36:00 -05:00 · 9ac96e8c6e
commit 9ac96e8c6e
parent 63f802648f
3 changed files with 36 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -318,6 +318,7 @@ folder for help with:
 - [GitLab](example_configs/gitlab.md)
 - [Grafana](example_configs/grafana_ldap_config.toml)
 - [Hedgedoc](example_configs/hedgedoc.md)
+- [Home Assistant](example_configs/home-assistant.md)
 - [Jellyfin](example_configs/jellyfin.md)
 - [Jenkins](example_configs/jenkins.md)
 - [Jitsi Meet](example_configs/jitsi_meet.conf)
--- a/example_configs/home-assistant.md
+++ b/example_configs/home-assistant.md
@ -16,9 +16,20 @@ homeassistant:
    - type: homeassistant
    - type: command_line
      command: /config/lldap-ha-auth.sh
-      # Only allow users in the 'homeassistant_user' group to login.
-      # Change to ["https://lldap.example.com"] to allow all users
-      args: ["https://lldap.example.com", "homeassistant_user"]
+      # arguments: [<LDAP Host>, <regular user group>, <admin user group>, <local user group>]
+      # <regular user group>: Find users that has permission to access homeassistant, anyone inside
+      # this group will have the default 'system-users' permission in homeassistant.
+      #
+      # <admin user group>: Allow users in the <regular user group> to be assigned into 'system-admin' group.
+      # Anyone inside this group will not have the 'system-users' permission as only one permission group
+      # is allowed in homeassistant
+      #
+      # <local user group>: Users in the <local user group> (e.g., 'homeassistant_local') can only access
+      # homeassistant inside LAN network.
+      #
+      # Only the first argument is required. ["https://lldap.example.com"] allows all users to log in from
+      # anywhere and have 'system-users' permissions. 
+      args: ["https://lldap.example.com", "homeassistant_user", "homeassistant_admin", "homeassistant_local"]
      meta: true
 ```
 3. Reload your config or restart Home Assistant
--- a/example_configs/lldap-ha-auth.sh
+++ b/example_configs/lldap-ha-auth.sh
@ -66,5 +66,26 @@ fi

 DISPLAY_NAME=$(jq -r .displayName <<< $USER_JSON)

+IS_ADMIN=false
+if [[ ! -z "$3" ]] && jq -e '.groups|map(.displayName)|index("'"$3"'")' <<< "$USER_JSON" > /dev/null 2>&1; then
+    IS_ADMIN=true
+fi
+
+IS_LOCAL=false
+if [[ ! -z "$4" ]] && jq -e '.groups|map(.displayName)|index("'"$4"'")' <<< "$USER_JSON" > /dev/null 2>&1; then
+	IS_LOCAL=true
+fi
+
 [[ ! -z "$DISPLAY_NAME" ]] && echo "name = $DISPLAY_NAME"

+if [[ "$IS_ADMIN" = true ]]; then
+	echo "group = system-admin"
+else
+    echo "group = system-users"
+fi
+
+if [[ "$IS_LOCAL" = true ]]; then
+	echo "local_only = true"
+else
+    echo "local_only = false"
+fi