Allowing PingFederate to unlock PingDirectory accounts

When connecting to PingDirectory, you can give the service account access to specific attributes that PingFederate reads or modifies when unlocking user accounts.

Steps

Create an LDIF file to capture the following ACI information.

OID

Step 1.3.6.1.4.1.42.2.27.8.1.17

Name

pwdAccountLockedTime

Permission

all

Example:

For more information, see the following example file named aci.ldif.

dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="ds-pwp-auth-failure||pwdAccountLockedTime")(version 3.0; acl "Allow unlock admin to lock and unlock user accounts"; allow (all) userdn="ldap:///uid=ServiceAccount,ou=Applications,dc=example,dc=com";)

Use the ldapmodify command to configure the required ACI.

Example:

$ ldapmodify -f  <path>/aci.ldif
-h  <host name>
-p  <LDAP port>
-D  <LDAP bind username>
-w  <LDAP bind password>

Line breaks are inserted for readability only.

Managing Access Control in the PingDirectory Administration Guide

PingFederate Server

Allowing PingFederate to unlock PingDirectory accounts

Steps

Example:

Example:

Related links