---
title: Creating an LDAP Username Password Credential Validator instance
description: You can create an LDAP username password credential validator (PCV) in the PingFederate administrative console to create a second factor for multi-factor authentication (MFA).
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_creat_ldap_username_pass_credent_validat_instanc
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_creat_ldap_username_pass_credent_validat_instanc.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: May 10, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  related-links: Related links
---

# Creating an LDAP Username Password Credential Validator instance

You can create an LDAP username password credential validator (PCV) in the PingFederate administrative console to create a second factor for multi-factor authentication (MFA).

## About this task

Administrators must authenticate successfully against the first factor, such as a directory server where the administrator accounts, credentials and group memberships are stored. To fulfill this requirement, you need an LDAP connection from PingFederate to your directory server, and an instance of the LDAP Username Password Credential Validator.

## Steps

1. Go to **System > Data & Credential Stores > Password Credential Validators**. On the **Password Credential Validators** window, click **Create New Instance**.

2. On the **Type** tab, from the **Type** list, select the **LDAP Username Password Credential Validator** and complete the **Instance Name** and **Instance ID** fields.

3. On the **Instance Configuration** tab, from the **LDAP Datastore** list, select the datastore and complete the **Search Base** and **Search Filter** fields.

   For more information about each field, see the following table.

   | Field | Description |
   | ----- | ----------- |
   | LDAP Datastore (Required) | The LDAP datastore configured in PingFederate. If you have not configured the server to communicate with the LDAP directory server you need, click **Manage Data Stores**. There is no default selection. |
   | Search Base (Required) | The location in the directory server where the search begins. This field has no default value. |
   | Search Filter (Required) | The LDAP query to locate a user record. If your use case requires the flexibility of allowing users to identify themselves using different attributes, you can include these attributes in your query. For instance, the following search filter allows users to sign on using either the `sAMAccountName` or `employeeNumber` attribute value through the HTML Form Adapter: `(\|(sAMAccountName=${username})(employeeNumber=${username}))` This field has no default value. |
   | Scope of Search | The level of search to be performed in the search base. **One Level** indicates a search of objects immediately subordinate to the base object, not including the base object itself. **Subtree** indicates a search of the base object and the entire subtree within the base object distinguished name. The default selection is **Subtree**. |
   | Case-Sensitive Matching | The option to enable case-sensitive matching between the LDAP error messages returned from the directory server and the **Match Expression** values specified on this window. This checkbox is selected by default. |

4. On the **Extended Contract** tab, click **Next** to skip to the **Summary** tab.

5. On the **Summary** tab, review the configuration, modify as needed, and then save the configuration.
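
The following is an added example, not part of the PingFederate documentation or product code. It checks a multi-attribute **Search Filter** like the one in the table against a set of directory entries and reports sign-on values that would resolve to more than one record under each **Scope of Search** setting; it also expands `${username}` with RFC 4515 escaping so the filter can be tested by hand. The entries, base DN, function names, and case-insensitive equality are assumptions, and the script does not model how PingFederate itself substitutes `${username}`.

```python
import re

# RFC 4515 section 3: characters escaped as \XX inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def expand(template, username):
    """Substitute ${username} with an RFC 4515-escaped value, for manual filter testing."""
    escaped = "".join(_ESCAPES.get(ch, ch) for ch in username)
    return template.replace("${username}", escaped)

def in_scope(dn, base, scope):
    """Subtree: the base and everything below it. One Level: immediate children only."""
    dn, base = dn.lower(), base.lower()
    if scope == "subtree":
        return dn == base or dn.endswith("," + base)
    # Simplification: assumes RDN values contain no escaped commas.
    return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]

def ambiguous_identifiers(template, entries, base, scope="subtree"):
    """Return sign-on values that the OR filter would resolve to more than one entry."""
    # Handles flat OR-of-equality templates shaped like the example in the table.
    attrs = re.findall(r"\((\w+)=\$\{username\}\)", template)
    hits = {}
    for dn, entry in entries.items():
        if not in_scope(dn, base, scope):
            continue
        for attr in attrs:
            value = entry.get(attr)
            if value:
                # Assumption: equality matching is case-insensitive for both attributes.
                hits.setdefault(value.lower(), set()).add(dn)
    return {v: sorted(dns) for v, dns in hits.items() if len(dns) > 1}

# Constructed sample data, not taken from any real directory.
TEMPLATE = "(|(sAMAccountName=${username})(employeeNumber=${username}))"
BASE = "OU=Admins,DC=example,DC=com"
ENTRIES = {
    "CN=Alice Admin,OU=Admins,DC=example,DC=com":
        {"sAMAccountName": "aadmin", "employeeNumber": "10042"},
    "CN=Bob Ops,OU=Admins,DC=example,DC=com":
        {"sAMAccountName": "bops", "employeeNumber": "10043"},
    "CN=Kiosk,OU=Kiosks,OU=Admins,DC=example,DC=com":
        {"sAMAccountName": "10042"},
}

if __name__ == "__main__":
    print(expand(TEMPLATE, "a*(b)"))
    for scope in ("subtree", "one level"):
        print(scope, ambiguous_identifiers(TEMPLATE, ENTRIES, BASE, scope))
```

With the constructed data, the value `10042` is one account's `employeeNumber` and another account's `sAMAccountName`, so it is ambiguous under **Subtree** but not under **One Level**, where the nested OU falls outside the search.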

## Related links

* [Managing datastores](pf_managing_datastores.html)

* [Configuring the LDAP Username Password Credential Validator](pf_configure_ldap_username_pcv.html)
