---
title: Allowing PingFederate to unlock PingDirectory accounts
description: When connecting to PingDirectory, you can give the service account access to specific attributes that PingFederate reads or modifies when unlocking user accounts.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_allow_pf_to_unlock_pd_accounts
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_allow_pf_to_unlock_pd_accounts.html
revdate: February 6, 2023
section_ids:
  steps: Steps
  related-links: Related links
---

# Allowing PingFederate to unlock PingDirectory accounts

When connecting to PingDirectory, you can give the service account access to specific attributes that PingFederate reads or modifies when unlocking user accounts.

## Steps

1. Create an LDIF file to capture the following ACI information.

   * OID

     1.3.6.1.4.1.42.2.27.8.1.17

   * Name

     pwdAccountLockedTime

   * Permission

     all

     **Example:**

     The following example file, named `aci.ldif`, captures this ACI.

     ```
     dn: ou=People,dc=example,dc=com
     changetype: modify
     add: aci
     aci: (targetattr="ds-pwp-auth-failure||pwdAccountLockedTime")(version 3.0; acl "Allow unlock admin to lock and unlock user accounts"; allow (all) userdn="ldap:///uid=ServiceAccount,ou=Applications,dc=example,dc=com";)
     ```

2. Use the `ldapmodify` command to configure the required ACI.

   **Example:**

   ```shell
   $ ldapmodify -f <path>/aci.ldif \
       -h <host name> \
       -p <LDAP port> \
       -D <LDAP bind username> \
       -w <LDAP bind password>
   ```

   **Note:** Line breaks are inserted for readability only.
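
A pre-flight check for the `aci.ldif` from step 1, added here as an example and not part of the Ping Identity documentation: it confirms that the ACI grants only the two attributes named on this page, and only to a single account DN, before you run `ldapmodify`. The function name, the finding messages, and the list of subjects treated as too broad are assumptions of this example.

```python
import re

# Attributes the page's ACI grants (lower-cased; LDAP attribute names are case-insensitive).
EXPECTED_ATTRS = {"ds-pwp-auth-failure", "pwdaccountlockedtime"}
BROAD_SUBJECTS = {"anyone", "all", "self", "parent"}  # ACI bind-rule keywords, not one account

# Constructed sample input: the page's aci.ldif and an over-broad variant of it.
PAGE_LDIF = (
    "dn: ou=People,dc=example,dc=com\n"
    "changetype: modify\n"
    "add: aci\n"
    'aci: (targetattr="ds-pwp-auth-failure||pwdAccountLockedTime")'
    '(version 3.0; acl "Allow unlock admin to lock and unlock user accounts"; '
    'allow (all) userdn="ldap:///uid=ServiceAccount,ou=Applications,dc=example,dc=com";)\n'
)
BROAD_LDIF = PAGE_LDIF.replace("ds-pwp-auth-failure||pwdAccountLockedTime", "*").replace(
    "uid=ServiceAccount,ou=Applications,dc=example,dc=com", "anyone")

ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl\s+"[^"]*";\s*allow\s*\([^)]*\)\s*'
    r'userdn\s*=\s*"(?P<subject>[^"]*)";\s*\)')

def review_aci_ldif(ldif, expected_attrs=EXPECTED_ATTRS):
    """Return findings for each aci: value; an empty list means the grant is narrow."""
    findings = []
    unfolded = re.sub(r"\r?\n ", "", ldif)  # LDIF folding: newline + one space continues a line
    for line in unfolded.splitlines():
        if not line.lower().startswith("aci:"):
            continue
        m = ACI_RE.search(line)
        if m is None:
            findings.append("ACI not in the expected form; review by hand")
            continue
        attrs = {a.strip().lower() for a in m["attrs"].split("||")}
        if m["op"] == "!=" or any("*" in a or a == "+" for a in attrs):
            findings.append("targetattr uses a wildcard or negation")
        elif attrs - expected_attrs:
            findings.append("unexpected attributes: " + ", ".join(sorted(attrs - expected_attrs)))
        subject = m["subject"].strip().lower()
        if (not subject.startswith("ldap:///") or "||" in subject or "*" in subject
                or subject[len("ldap:///"):] in BROAD_SUBJECTS):
            findings.append("userdn is not a single account DN")
    return findings

if __name__ == "__main__":
    for name, text in (("page", PAGE_LDIF), ("broad", BROAD_LDIF)):
        print(name, review_aci_ldif(text) or "OK")
```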

## Related links

* [Managing Access Control](https://docs.pingidentity.com/pingdirectory/10.3/managing_access_control/pd_ds_manage_access_control.html)
