Operator authentication via LDAP
The LDAP plugin lets ACCELERO operators log in by validating their credentials against an external LDAP server (for example, OpenLDAP or Active Directory), instead of relying exclusively on the passwords stored locally in ACCELERO. Authentication is done by LDAP bind: ACCELERO connects to the directory and tries to authenticate the user with the credentials provided at login.
This integration is provided as a plugin (ldap) and must be installed and enabled by the IONGRADE technical team. Contact support to check compatibility with your ACCELERO version.
Current plugin version: 0.0.1 — compatible with ACCELERO 2.16.0 or higher (according to manifest.json).
This is version 0.0.1 of the plugin. The current code provides the LDAP connection and authentication mechanism (internal library), but does not include its own configuration screen, routes, menu items, or migrations in the plugin package. The LDAP server parameterization is done by the IONGRADE technical team during installation. The screen paths cited below depend on that integration and may vary according to the environment — confirm with support.
What the plugin does
| Feature | What happens in ACCELERO |
|---|---|
| Operator authentication via LDAP | At login, ACCELERO connects to the LDAP server and tries a bind with the provided username and password. If the bind succeeds, authentication is accepted |
| User query in the directory | The plugin can query the directory (search by uid) using an administrative account, returning the attributes of the user registered in LDAP |
Centralizes operator authentication in the corporate directory (LDAP/Active Directory), avoiding isolated passwords in ACCELERO and taking advantage of the organization's existing password policies.
LDAP authentication applies to operators (users who access the ACCELERO system). It does not handle the people registry or physical access control — only login to the software.
Configuration
The LDAP server configuration is defined by the IONGRADE technical team at the time of the plugin installation. The parameters used by the authentication mechanism (LdapConfiguration class) are:
| Parameter | Description |
|---|---|
Server (server) | Address of the LDAP server to which ACCELERO connects |
Administrator user (adminUser) | Administrative account (root) used to query the directory (cn field of the admin account) |
Administrator password (adminPassword) | Password of the administrative account |
Domain components (dc) | List of domain components (dc) that form the directory base. Ex.: ["empresa", "com"] results in the base dc=empresa,dc=com |
Screen/location where the LDAP server parameters (server, administrator user, password, and domain components) are provided. Confirm with the technical team whether there is a configuration screen in the panel or whether the parameterization is done only in the environment.
Document the exact navigation path of the LDAP configuration and the enablement flow once there is a dedicated screen in the panel. Version 0.0.1 of the plugin does not bring its own views, routes, or interceptors/configuracao.php — the parameterization is external.
How authentication works
The mechanism (LdapFacade class) operates on top of the standard LDAP functions, using LDAP version 3.
Connection
ACCELERO connects to the address configured in Server and pins the protocol to version 3 (LDAP_OPT_PROTOCOL_VERSION = 3).
Authentication bind (operator login)
When authenticating an operator, the plugin builds the user DN in the format:
cn=<user>,ou=users,<domain base>
where <domain base> is derived from the configured dc components (e.g., dc=empresa,dc=com). It then performs a bind with that DN and the provided password:
- Successful bind → authentication accepted.
- Refused bind → authentication denied.
The current version builds the user DN with the fixed organizational unit ou=users. The LDAP directory must expose the users under that OU for the bind to work in the expected format.
User query (directory search)
To query a user's data, the plugin performs an administrative bind (using the Administrator user and the Administrator password) and then runs a search:
- Search base:
ou=users,<domain base> - Filter:
(uid=<user>) - Result: the first record found is returned as a directory user, with its DN and the attributes filled in (each attribute receives the first available value).
If the administrative bind fails, the search returns no result, or an error occurs, the event is recorded in the error log and no user is returned.
Diagram of the login flow: operator provides credentials → ACCELERO connects to LDAP → bind cn=user,ou=users,<dc> → result (accepted/denied).
Use cases
Enable LDAP authentication for the operators
- Request that IONGRADE install the
ldapplugin. - Provide the technical team with the directory data: the server address, the administrator account and password, and the domain components (
dc). - Make sure the operators are registered in LDAP under the
ou=usersOU, with thecn/uidmatching the login user. - Validate the login of a test operator before releasing it for everyone.
Detail the correspondence between the operator's login user in ACCELERO and the cn/uid in LDAP (how the system associates the local operator with the directory record). Confirm with the technical team.
Best practices
- Dedicated administrative account: use a service account with read-only permission on the directory for the queries, instead of a broad administrative account.
- Secure communication: prefer LDAP over TLS (LDAPS) between the ACCELERO server and the directory, so as not to transmit credentials in plain text. Confirm TLS support with the technical team.
- Test operator: keep a test operator in the directory to validate the integration after changes to LDAP.
- Directory structure: keep the operators under the
ou=usersOU expected by the plugin.
Troubleshooting
The operator cannot log in via LDAP
Possible causes:
- The user DN does not match the expected format (
cn=<user>,ou=users,<dc>). - The user is not under the
ou=usersOU in the directory. - Incorrect password or account locked in LDAP.
- LDAP server inaccessible from the ACCELERO server.
Solution:
- Confirm the server address and the network connectivity (LDAP/LDAPS port) between ACCELERO and the directory.
- Check whether the user exists under
ou=usersand whether thecn/uidmatches the login user. - Test the credentials directly in the directory.
User query returns no data
Possible causes:
- The administrative bind failed (incorrect administrator user/password).
- The
(uid=<user>)filter does not find the record. - The search base (
ou=users,<dc>) is incorrect.
Solution:
- Check the configured Administrator user and Administrator password.
- Confirm the domain components (
dc) — the base must reflect the actual structure of the directory. - Consult the ACCELERO error log, where the LDAP error messages are recorded.
Integration with other modules
Operators
LDAP authentication acts on the login of Operators — users who access the ACCELERO system. Check how operators are registered and how their permissions are defined.
If the organization uses Microsoft Entra ID (Azure AD), also consider the Azure OAuth integration as an alternative for operator authentication.
Next Steps
- Operators — Understand operator registration and permissions
- Azure OAuth — Alternative for operator authentication via Microsoft Entra ID
- Plugins — Learn more about the ACCELERO plugin system