PingFederate Server

Allowing PingFederate to unlock PingDirectory accounts

When connecting to PingDirectory, you can give the service account access to specific attributes that PingFederate reads or modifies when unlocking user accounts.

Steps

  1. Create an LDIF file that adds an ACI for the following attribute.

    OID:         1.3.6.1.4.1.42.2.27.8.1.17
    Name:        pwdAccountLockedTime
    Permission:  all

    Example:

    The following example file, named aci.ldif, adds the ACI to the ou=People entry and grants the service account access to both the lockout-time attribute and the authentication-failure attribute.

    dn: ou=People,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr="ds-pwp-auth-failure||pwdAccountLockedTime")(version 3.0; acl "Allow unlock admin to lock and unlock user accounts"; allow (all) userdn="ldap:///uid=ServiceAccount,ou=Applications,dc=example,dc=com";)
  2. Use the ldapmodify command to apply the ACI from the LDIF file.

    Example:

    $ ldapmodify -f <path>/aci.ldif
    -h <host name>
    -p <LDAP port>
    -D <LDAP bind username>
    -w <LDAP bind password>

    Line breaks are inserted for readability only.
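The following script is an added example and is not part of the Ping Identity documentation or product. It generates the same kind of LDIF modify record shown above for an arbitrary People container and service-account DN, and it parses an ACI string of the shape used on this page so that an administrator can confirm, before running ldapmodify, that the grant covers only the two unlock attributes and is bound to a single service-account userdn rather than a wildcard or "anyone". The helper names (build_unlock_ldif, parse_aci, review_aci) and the ACI regular expression are this example's own assumptions; the regular expression only understands the single-targetattr, single-userdn form shown in aci.ldif.

```python
"""Build and sanity-check the PingDirectory ACI that lets a PingFederate
service account unlock user accounts. Added example; not vendor code."""
import re
from typing import Dict, List, Optional

# Attributes the page's ACI grants access to for the unlock flow.
UNLOCK_ATTRS = frozenset({"ds-pwp-auth-failure", "pwdAccountLockedTime"})

# Matches only the single-targetattr, single-userdn ACI shape used in aci.ldif
# (an assumption of this example; real ACI syntax is richer than this).
ACI_RE = re.compile(
    r'^\(targetattr\s*=\s*"(?P<targetattr>[^"]+)"\)'
    r'\(version\s+(?P<version>[\d.]+);\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<rule>allow|deny)\s*\((?P<perms>[^)]+)\)\s*'
    r'userdn\s*=\s*"(?P<userdn>[^"]+)";\s*\)$'
)


def parse_aci(aci: str) -> Optional[Dict[str, object]]:
    """Split an ACI string into its parts; None if it is not in the expected shape."""
    m = ACI_RE.match(aci.strip())
    if not m:
        return None
    return {
        "targetattr": [a.strip() for a in m.group("targetattr").split("||")],
        "version": m.group("version"),
        "name": m.group("name"),
        "rule": m.group("rule"),
        "perms": [p.strip() for p in m.group("perms").split(",")],
        "userdn": m.group("userdn"),
    }


def build_unlock_ldif(people_dn: str, service_account_dn: str,
                      attrs=UNLOCK_ATTRS,
                      acl_name: str = "Allow unlock admin to lock and unlock user accounts") -> str:
    """Return an LDIF modify record that adds the unlock ACI to people_dn."""
    targetattr = "||".join(sorted(attrs))
    aci = (f'(targetattr="{targetattr}")(version 3.0; acl "{acl_name}"; '
           f'allow (all) userdn="ldap:///{service_account_dn}";)')
    return "\n".join([
        f"dn: {people_dn}",
        "changetype: modify",
        "add: aci",
        f"aci: {aci}",
        "",
    ])


def review_aci(aci: str) -> List[str]:
    """Return findings where the ACI grants more than the unlock flow needs."""
    parsed = parse_aci(aci)
    if parsed is None:
        return ["ACI does not match the expected targetattr/userdn form"]
    findings: List[str] = []
    attrs = set(parsed["targetattr"])
    if "*" in attrs:
        findings.append("targetattr is a wildcard; the grant covers every attribute")
    extra = attrs - UNLOCK_ATTRS - {"*"}
    if extra:
        findings.append("targetattr grants attributes beyond the unlock set: "
                        + ", ".join(sorted(extra)))
    userdn = str(parsed["userdn"])
    if userdn in ("ldap:///anyone", "ldap:///all", "ldap:///self") or "*" in userdn:
        findings.append(f"userdn {userdn!r} is not a single service account")
    if parsed["rule"] != "allow":
        findings.append("rule is not an allow rule")
    return findings


if __name__ == "__main__":
    # Constructed sample values mirroring the page's example entry.
    ldif = build_unlock_ldif("ou=People,dc=example,dc=com",
                             "uid=ServiceAccount,ou=Applications,dc=example,dc=com")
    print(ldif)
    aci_line = ldif.splitlines()[3][len("aci: "):]
    print("findings:", review_aci(aci_line) or "none")
```

Run the script to print the LDIF, then pass the generated file to ldapmodify exactly as in step 2. review_aci is the check worth keeping: a grant whose targetattr is "*" or whose userdn is ldap:///anyone would still be accepted by the directory, so catching it before the modify is applied is cheaper than auditing it afterwards.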