Allowing PingFederate to unlock PingDirectory accounts
When connecting to PingDirectory, you can give the service account access to specific attributes that PingFederate reads or modifies when unlocking user accounts.
Steps
- Create an LDIF file to capture the following ACI information.
  OID: 1.3.6.1.4.1.42.2.27.8.1.17
  Name: pwdAccountLockedTime
  Permission: all

  Example:
  For more information, see the following example file named aci.ldif.

  dn: ou=People,dc=example,dc=com
  changetype: modify
  add: aci
  aci: (targetattr="ds-pwp-auth-failure||pwdAccountLockedTime")(version 3.0; acl "Allow unlock admin to lock and unlock user accounts"; allow (all) userdn="ldap:///uid=ServiceAccount,ou=Applications,dc=example,dc=com";)
- Use the ldapmodify command to configure the required ACI.

  Example:
  $ ldapmodify -f <path>/aci.ldif -h <host name> -p <LDAP port> -D <LDAP bind username> -w <LDAP bind password>

  Line breaks are inserted for readability only.
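Before applying aci.ldif, it is worth confirming that the ACI grants exactly the scope described above: both lockout attributes, write access, and only the PingFederate service account. The following checker is an added example, not part of the Ping documentation or product; it parses the single-target ACI form used on this page (the sample value is a constructed copy of the aci line above) and reports anything broader or narrower than intended.

```python
import re

# Attributes the ACI on this page must cover: the lock timestamp and failure counter.
REQUIRED_ATTRS = {"ds-pwp-auth-failure", "pwdAccountLockedTime"}

# Constructed copy of the aci value from aci.ldif above, joined onto one line.
SAMPLE_ACI = (
    '(targetattr="ds-pwp-auth-failure||pwdAccountLockedTime")'
    '(version 3.0; acl "Allow unlock admin to lock and unlock user accounts"; '
    'allow (all) userdn="ldap:///uid=ServiceAccount,ou=Applications,dc=example,dc=com";)'
)

# Matches the single-target, single-bind-rule ACI shape used on this page.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s+"[^"]*";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*userdn\s*=\s*"ldap:///(?P<dn>[^"]*)";\s*\)',
    re.IGNORECASE,
)

def _norm_dn(dn):
    """Case-fold a DN and trim spaces around RDN separators before comparing."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_aci(aci):
    """Split one ACI value into its target attributes, rights and bind DN."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("unrecognised ACI syntax: " + aci)
    return {"attrs": {a.strip() for a in m.group("attrs").split("||")},
            "rights": {r.strip().lower() for r in m.group("rights").split(",")},
            "userdn": m.group("dn").strip()}

def check_unlock_aci(aci, service_dn):
    """Return scope findings; an empty list means the ACI is as the page intends."""
    p = parse_aci(aci)
    findings = []
    if "*" in p["attrs"]:
        findings.append("targetattr is a wildcard, not limited to the unlock attributes")
    for attr in sorted(REQUIRED_ATTRS - p["attrs"]):
        findings.append("targetattr does not include " + attr)
    if "all" not in p["rights"] and "write" not in p["rights"]:
        findings.append("rights lack write, so the lock cannot be cleared")
    if p["userdn"].lower() in ("anyone", "all", "parent", "self"):
        findings.append("userdn is the keyword " + p["userdn"] + ", not the service account")
    elif _norm_dn(p["userdn"]) != _norm_dn(service_dn):
        findings.append("userdn " + p["userdn"] + " is not the expected service account")
    return findings
```

Run check_unlock_aci against the aci line of your own aci.ldif and the DN of your service account; an empty result means the rule is no wider than the two attributes and one principal this procedure needs.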