Skip to main content

Operator authentication via LDAP

The LDAP plugin lets ACCELERO operators log in by validating their credentials against an external LDAP server (for example, OpenLDAP or Active Directory), instead of relying exclusively on the passwords stored locally in ACCELERO. Authentication is done by LDAP bind: ACCELERO connects to the directory and tries to authenticate the user with the credentials provided at login.

Availability

This integration is provided as a plugin (ldap) and must be installed and enabled by the IONGRADE technical team. Contact support to check compatibility with your ACCELERO version.

Compatibility

Current plugin version: 0.0.1 — compatible with ACCELERO 2.16.0 or higher (according to manifest.json).

Plugin at an early stage

This is version 0.0.1 of the plugin. The current code provides the LDAP connection and authentication mechanism (internal library), but does not include its own configuration screen, routes, menu items, or migrations in the plugin package. The LDAP server parameterization is done by the IONGRADE technical team during installation. The screen paths cited below depend on that integration and may vary according to the environment — confirm with support.


What the plugin does

FeatureWhat happens in ACCELERO
Operator authentication via LDAPAt login, ACCELERO connects to the LDAP server and tries a bind with the provided username and password. If the bind succeeds, authentication is accepted
User query in the directoryThe plugin can query the directory (search by uid) using an administrative account, returning the attributes of the user registered in LDAP
Main benefit

Centralizes operator authentication in the corporate directory (LDAP/Active Directory), avoiding isolated passwords in ACCELERO and taking advantage of the organization's existing password policies.

Scope: operators, not people

LDAP authentication applies to operators (users who access the ACCELERO system). It does not handle the people registry or physical access control — only login to the software.


Configuration

The LDAP server configuration is defined by the IONGRADE technical team at the time of the plugin installation. The parameters used by the authentication mechanism (LdapConfiguration class) are:

ParameterDescription
Server (server)Address of the LDAP server to which ACCELERO connects
Administrator user (adminUser)Administrative account (root) used to query the directory (cn field of the admin account)
Administrator password (adminPassword)Password of the administrative account
Domain components (dc)List of domain components (dc) that form the directory base. Ex.: ["empresa", "com"] results in the base dc=empresa,dc=com
TODO: Add Screenshot

Screen/location where the LDAP server parameters (server, administrator user, password, and domain components) are provided. Confirm with the technical team whether there is a configuration screen in the panel or whether the parameterization is done only in the environment.

TODO: Implement

Document the exact navigation path of the LDAP configuration and the enablement flow once there is a dedicated screen in the panel. Version 0.0.1 of the plugin does not bring its own views, routes, or interceptors/configuracao.php — the parameterization is external.


How authentication works

The mechanism (LdapFacade class) operates on top of the standard LDAP functions, using LDAP version 3.

Connection

ACCELERO connects to the address configured in Server and pins the protocol to version 3 (LDAP_OPT_PROTOCOL_VERSION = 3).

Authentication bind (operator login)

When authenticating an operator, the plugin builds the user DN in the format:

cn=<user>,ou=users,<domain base>

where <domain base> is derived from the configured dc components (e.g., dc=empresa,dc=com). It then performs a bind with that DN and the provided password:

  • Successful bind → authentication accepted.
  • Refused bind → authentication denied.
Expected directory structure

The current version builds the user DN with the fixed organizational unit ou=users. The LDAP directory must expose the users under that OU for the bind to work in the expected format.

To query a user's data, the plugin performs an administrative bind (using the Administrator user and the Administrator password) and then runs a search:

  • Search base: ou=users,<domain base>
  • Filter: (uid=<user>)
  • Result: the first record found is returned as a directory user, with its DN and the attributes filled in (each attribute receives the first available value).

If the administrative bind fails, the search returns no result, or an error occurs, the event is recorded in the error log and no user is returned.

TODO: Add Diagram

Diagram of the login flow: operator provides credentials → ACCELERO connects to LDAP → bind cn=user,ou=users,<dc> → result (accepted/denied).


Use cases

Enable LDAP authentication for the operators

  1. Request that IONGRADE install the ldap plugin.
  2. Provide the technical team with the directory data: the server address, the administrator account and password, and the domain components (dc).
  3. Make sure the operators are registered in LDAP under the ou=users OU, with the cn/uid matching the login user.
  4. Validate the login of a test operator before releasing it for everyone.
TODO: Implement

Detail the correspondence between the operator's login user in ACCELERO and the cn/uid in LDAP (how the system associates the local operator with the directory record). Confirm with the technical team.


Best practices

  • Dedicated administrative account: use a service account with read-only permission on the directory for the queries, instead of a broad administrative account.
  • Secure communication: prefer LDAP over TLS (LDAPS) between the ACCELERO server and the directory, so as not to transmit credentials in plain text. Confirm TLS support with the technical team.
  • Test operator: keep a test operator in the directory to validate the integration after changes to LDAP.
  • Directory structure: keep the operators under the ou=users OU expected by the plugin.

Troubleshooting

The operator cannot log in via LDAP

Possible causes:

  • The user DN does not match the expected format (cn=<user>,ou=users,<dc>).
  • The user is not under the ou=users OU in the directory.
  • Incorrect password or account locked in LDAP.
  • LDAP server inaccessible from the ACCELERO server.

Solution:

  1. Confirm the server address and the network connectivity (LDAP/LDAPS port) between ACCELERO and the directory.
  2. Check whether the user exists under ou=users and whether the cn/uid matches the login user.
  3. Test the credentials directly in the directory.

User query returns no data

Possible causes:

  • The administrative bind failed (incorrect administrator user/password).
  • The (uid=<user>) filter does not find the record.
  • The search base (ou=users,<dc>) is incorrect.

Solution:

  1. Check the configured Administrator user and Administrator password.
  2. Confirm the domain components (dc) — the base must reflect the actual structure of the directory.
  3. Consult the ACCELERO error log, where the LDAP error messages are recorded.

Integration with other modules

Operators

LDAP authentication acts on the login of Operators — users who access the ACCELERO system. Check how operators are registered and how their permissions are defined.

Other authentication integrations

If the organization uses Microsoft Entra ID (Azure AD), also consider the Azure OAuth integration as an alternative for operator authentication.


Next Steps

  • Operators — Understand operator registration and permissions
  • Azure OAuth — Alternative for operator authentication via Microsoft Entra ID
  • Plugins — Learn more about the ACCELERO plugin system