Allowing PingFederate to unlock PingDirectory accounts
When PingFederate connects to PingDirectory, it reads and modifies the lockout attributes of a user entry (pwdAccountLockedTime and ds-pwp-auth-failure) to unlock the account. Those are operational attributes that the PingFederate service account cannot see or change by default, so you grant access to them explicitly with an access control instruction (ACI).
Steps
-
Create an LDIF file that adds an ACI covering the following attribute.
OID: 1.3.6.1.4.1.42.2.27.8.1.17
Name: pwdAccountLockedTime
Permission: all
The example file below, aci.ldif, also includes ds-pwp-auth-failure, the PingDirectory operational attribute that records failed authentication attempts, so that PingFederate can clear the failure count as well as the lock timestamp. Because the ACI is added to ou=People, it applies to every entry in that subtree. Replace the base DN and the service account DN with the values from your directory.
Example (aci.ldif):
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="ds-pwp-auth-failure||pwdAccountLockedTime")(version 3.0; acl "Allow unlock admin to lock and unlock user accounts"; allow (all) userdn="ldap:///uid=ServiceAccount,ou=Applications,dc=example,dc=com";)
-
Use the ldapmodify command, bound as a user that is allowed to write ACIs (for example the directory manager), to apply the ACI.
Example:
$ ldapmodify -f <path>/aci.ldif -h <host name> -p <LDAP port> \
    -D <LDAP bind username> -w <LDAP bind password>
Line breaks are inserted for readability only. Passing the bind password with -w exposes it in process listings and shell history; for anything other than a one-off test, prefer --bindPasswordFile (-j) and store the password in a file readable only by the account running the command.
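The two steps above, generating the LDIF and applying it, can be scripted so the DNs are parameters and the targetattr list is checked before anything reaches the server. The script below is an added example, not Ping Identity's own tooling: the function names, the use of a test user to verify the grant, and all host, port, DN and password-file values are assumptions for illustration. It uses the -j (--bindPasswordFile) option of the PingDirectory ldapmodify and ldapsearch tools instead of -w so that bind passwords stay out of the process list.

```shell
#!/bin/sh
# Added example (not Ping Identity's own tooling). Generates the unlock ACI from
# the procedure above for an arbitrary base DN and service-account DN, checks
# the targetattr list before it reaches the server, and optionally applies and
# verifies it against a live PingDirectory. Host, port, bind DNs, password files
# and the test user are assumptions for illustration.

# Emit the LDIF that grants the service account rights on the two lockout
# attributes under the given base DN (same ACI as the page's aci.ldif, with the
# DNs parameterised).
build_unlock_aci_ldif() {
    base_dn="$1"      # e.g. ou=People,dc=example,dc=com
    service_dn="$2"   # e.g. uid=ServiceAccount,ou=Applications,dc=example,dc=com
    cat <<EOF
dn: ${base_dn}
changetype: modify
add: aci
aci: (targetattr="ds-pwp-auth-failure||pwdAccountLockedTime")(version 3.0; acl "Allow unlock admin to lock and unlock user accounts"; allow (all) userdn="ldap:///${service_dn}";)
EOF
}

# Return 0 if the LDIF's aci line lists ATTR in its targetattr, 1 otherwise.
# A mistyped attribute name would be accepted by the server and silently grant
# nothing useful, so check the generated text before applying it.
ldif_targets_attr() {
    ldif="$1"; attr="$2"
    printf '%s\n' "$ldif" \
      | sed -n 's/^aci: (targetattr="\([^"]*\)").*/\1/p' \
      | tr '|' '\n' \
      | grep -qx -e "$attr"
}

# Apply the ACI and then confirm, bound as the service account, that the lockout
# attributes are now readable on a test user. Bind passwords are read from files
# with -j (--bindPasswordFile) rather than passed with -w, so they do not appear
# in process listings or shell history. Runs only when called explicitly.
apply_and_verify() {
    host="$1"; port="$2"; bind_dn="$3"; bind_pw_file="$4"
    base_dn="$5"; service_dn="$6"; service_pw_file="$7"; test_uid="$8"
    ldif_file=$(mktemp) || return 1
    build_unlock_aci_ldif "$base_dn" "$service_dn" > "$ldif_file"
    ldapmodify -h "$host" -p "$port" -D "$bind_dn" -j "$bind_pw_file" -f "$ldif_file"
    status=$?
    rm -f "$ldif_file"
    [ "$status" -eq 0 ] || return "$status"
    # Operational attributes are only returned when requested by name.
    ldapsearch -h "$host" -p "$port" -D "$service_dn" -j "$service_pw_file" \
        -b "$base_dn" "(uid=${test_uid})" pwdAccountLockedTime ds-pwp-auth-failure
}

# Offline usage: print the LDIF for the DNs used on this page.
build_unlock_aci_ldif "ou=People,dc=example,dc=com" \
    "uid=ServiceAccount,ou=Applications,dc=example,dc=com"
```

To apply against a real server, call apply_and_verify with your host, port, an administrative bind DN and its password file, the base DN, the service account DN and its password file, and the uid of a test user; a successful ldapsearch that returns the two attributes (empty on an unlocked account) shows the grant is in place.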