Using OpenLDAP with Home Assistant
You will be able to use OpenLDAP's user authentication/login capabilities to better protect your users' privacy and security.
Home Assistant is an open-source home automation platform that allows users to control and automate their smart home devices from a central interface. It offers a flexible and customizable way to manage a wide range of devices and services, enabling users to create custom rules and automate tasks within their homes. Home Assistant emphasizes local control and privacy, with most data processing and storage happening on the user's own network.
By configuring Home Assistant to use OpenLDAP for authentication, you can centralize user management and potentially integrate with other systems that also use LDAP. Home Assistant configures LDAP authentication via the Command Line Auth Provider. The wiki mentions a script that can be used for LDAP authentication, but it doesn't work in the container version (the container lacks both ldapsearch and a curl build with LDAP protocol support). Thankfully, OpenLDAP has a GraphQL API to save the day!
GraphQL is a query language for APIs and a server-side runtime for executing those queries, providing a more efficient and flexible way to retrieve data compared to traditional REST APIs. It allows clients to request exactly the data they need, minimizing over-fetching and under-fetching of information. GraphQL also offers a strong type system for defining API schemas and a runtime environment for executing queries against your data.
The script ldap-ha-auth.sh is typically placed in the /config directory of a Home Assistant instance when the command_line authentication provider is used for LDAP authentication.
GraphQL-based Auth Script
The auth script attempts to authenticate a user against an OpenLDAP server, using the credentials that Home Assistant passes in the username and password environment variables. The first argument must be the URL of your OpenLDAP server, reachable from Home Assistant. An optional second argument restricts logins to members of a single group. On success, the script outputs the user's display name as the name variable, if it is not empty.
1. Copy the auth script to your Home Assistant instance. In this example, we use /config/ldap-ha-auth.sh.
- Set the script as executable by running:
chmod +x /config/ldap-ha-auth.sh
2. Add the following to your configuration.yaml in Home Assistant:
homeassistant:
  auth_providers:
    # Ensure you have the homeassistant provider enabled if you want to continue using your existing accounts
    - type: homeassistant
    - type: command_line
      command: /config/ldap-ha-auth.sh
      # Only allow users in the 'homeassistant_user' group to log in.
      # Change to ["https://ldap.example.com"] to allow all users
      args: ["https://ldap.example.com", "homeassistant_user"]
      meta: true
- Reload your config or restart Home Assistant.
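The following is an added example of a command_line auth provider script that follows the contract described above (credentials in the username and password environment variables, server URL as the first argument, optional group as the second, exit status 0 plus a `name = ...` line on success). It is not the page's ldap-ha-auth.sh and is written in Python rather than shell, on the assumption that python3 is available in the Home Assistant container. The GraphQL endpoint path (`<url>/api/graphql`), the Login mutation, the User query and their field names are assumptions about the server's schema and must be adapted to yours; the in-memory directory is constructed sample data so the logic can be run offline. Point `command:` at this file (with `chmod +x`) instead of the shell script.

```python
#!/usr/bin/env python3
"""Home Assistant command_line auth provider checking credentials against an
LDAP server's GraphQL API (added example, not the page's ldap-ha-auth.sh).

Assumptions (adapt to your server): endpoint is <url>/api/graphql and it
exposes the Login mutation and User query sketched below. Provider contract:
`username`/`password` arrive in the environment, exit 0 means authenticated,
and with `meta: true` each stdout line `key = value` becomes user metadata."""
import json
import os
import re
import sys
import urllib.request

# The username is attacker-controlled input; allow-list it before it goes anywhere.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

# Hypothetical GraphQL operations (assumed schema, not OpenLDAP's own).
LOGIN_MUTATION = """mutation Login($username: String!, $password: String!) {
  login(username: $username, password: $password) { token } }"""
USER_QUERY = """query User($username: String!) {
  user(userId: $username) { displayName groups { displayName } } }"""


def http_transport(url, timeout=10):
    """Build a transport: (query, variables, token) -> GraphQL `data` dict."""
    def send(query, variables, token=None):
        # json.dumps does the escaping, so a password can never break the query.
        body = json.dumps({"query": query, "variables": variables}).encode()
        headers = {"Content-Type": "application/json"}
        if token:
            headers["Authorization"] = "Bearer " + token
        req = urllib.request.Request(url.rstrip("/") + "/api/graphql",
                                     data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            payload = json.load(resp)
        return {} if payload.get("errors") else (payload.get("data") or {})
    return send


# Constructed in-memory directory so the logic can be exercised offline.
DEMO_USERS = {
    "alice": {"password": "correct horse", "name": "Alice Liddell",
              "groups": ["homeassistant_user", "readers"]},
    "bob": {"password": "hunter2", "name": "", "groups": []},
}


def demo_transport(users):
    """Transport answering the two operations from a dict instead of HTTPS."""
    def send(query, variables, token=None):
        user = users.get(variables["username"])
        if query.startswith("mutation Login"):
            ok = user is not None and user["password"] == variables["password"]
            return {"login": {"token": "demo-token"}} if ok else {}
        if token != "demo-token" or user is None:
            return {}
        return {"user": {"displayName": user["name"],
                         "groups": [{"displayName": g} for g in user["groups"]]}}
    return send


def authenticate(transport, username, password, required_group=None):
    """Return the display name on success, None on any failure (fail closed)."""
    if not USERNAME_RE.fullmatch(username) or not password:
        return None
    token = (transport(LOGIN_MUTATION, {"username": username, "password": password})
             .get("login") or {}).get("token")
    if not token:
        return None
    user = transport(USER_QUERY, {"username": username}, token).get("user") or {}
    groups = {g.get("displayName") for g in user.get("groups") or []}
    if required_group is not None and required_group not in groups:
        return None
    return user.get("displayName") or username


def meta_line(display_name):
    """One `name = ...` line; whitespace/newlines are collapsed so a crafted
    display name cannot smuggle a second metadata key (e.g. `group = ...`)."""
    return "name = " + " ".join(display_name.split())


def main(argv):
    if len(argv) < 2:
        print("usage: ldap-ha-auth.py <ldap-server-url> [required-group]", file=sys.stderr)
        return 2
    group = argv[2] if len(argv) > 2 else None
    try:
        name = authenticate(http_transport(argv[1]), os.environ.get("username", ""),
                            os.environ.get("password", ""), group)
    except (OSError, ValueError):  # network failure or malformed JSON: deny
        name = None
    if name is None:
        return 1
    print(meta_line(name))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points worth keeping if you adapt the script: every error path (bad username, wrong password, missing group, network or parse error) ends in a non-zero exit with nothing on stdout, so the provider can never accidentally admit a user; and the only thing ever written to stdout is a single sanitized `name = ...` line, because with `meta: true` Home Assistant parses each output line as metadata.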