---
title: Enabling LDAP authentication
description: When the administrative application programming interface (API) is protected by Lightweight Directory Access Protocol (LDAP) authentication, the API calls must be authenticated by valid LDAP credentials over HTTP Basic authentication; otherwise, the administrative API returns an error message.
component: pingfederate
version: 13.1
page_id: pingfederate:developers_reference_guide:pf_enable_ldap_authen
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/developers_reference_guide/pf_enable_ldap_authen.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: November 24, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Enabling LDAP authentication

When the administrative application programming interface (API) is protected by Lightweight Directory Access Protocol (LDAP) authentication, the API calls must be authenticated by valid LDAP credentials over HTTP Basic authentication; otherwise, the administrative API returns an error message.

## About this task

The LDAP authentication setup, including role assignment, is available through `<pf_install>/pingfederate/bin/ldap.properties`. The roles assigned to the LDAP accounts affect the results of the API calls.

|   |   |
| - | - |
|   | When you configure LDAP authentication, PingFederate does not lock out accounts based on the number of failed sign-on attempts. The LDAP server is responsible for preventing access, which it enforces according to its password lockout settings. |

## Steps

1. In the `<pf_install>/pingfederate/bin/run.properties` file, set the value of the `pf.admin.api.authentication` property to `LDAP`.

   |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You can configure PingFederate to support both `LDAP` authentication and OAuth 2.0 authorization by specifying two values separated with a comma. For example, specify `pf.admin.api.authentication=OAuth2,LDAP`. Supporting two authentication methods is helpful when you want to change applications from one method to another. For more information about supporting two authentication methods, see the description of `pf.admin.api.authentication` in [Configuring PingFederate properties](../administrators_reference_guide/pf_config_pf_propert.html). |

2. In the `<pf_install>/pingfederate/bin/ldap.properties` file, change property values as needed for your network configuration. For instructions and additional information, see the comments in the file.

   |   |                                                                                                                                                                                                                                                                                                                                                                            |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Remember to assign LDAP users or designated LDAP groups, or both, to at least one of the PingFederate administrative roles, as indicated in the properties file. For information about permissions attached to the PingFederate roles, see the PingFederate User Access Control table in [Configure access to the administrative API](pf_config_access_to_admin_api.html). |

   |   |                                                                                                                                                         |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | When you assign roles, remember that all LDAP accounts specified in `ldap.properties` can access the administrative API and the administrative console. |

   |   |                                                                                                                                                  |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | You can also use this configuration file in conjunction with RADIUS authentication to determine permissions dynamically with an LDAP connection. |

3. Restart PingFederate.

   |   |                                                                                                                              |
   | - | ---------------------------------------------------------------------------------------------------------------------------- |
   |   | In a clustered PingFederate environment, you only need to modify `run.properties` and `ldap.properties` on the console node. |
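
To confirm the effective value from step 1 before restarting, the following added example (not part of the PingFederate documentation or product) reads `run.properties` content and reports what `pf.admin.api.authentication` resolves to. The function names, the finding messages and the sample content are constructed for illustration, and the reader is a minimal one that assumes simple `key=value` lines.

```python
import re

# Constructed sample of run.properties content (not from a real installation).
SAMPLE_RUN_PROPERTIES = """\
# Administrative API authentication
#pf.admin.api.authentication=LDAP
pf.admin.api.authentication = OAuth2, LDAP
"""

PROP = "pf.admin.api.authentication"
# key, then '=', ':' or whitespace as separator, then the value
_LINE = re.compile(r"^\s*([^#!\s][^=:\s]*)\s*[=:\s]\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal .properties reader: skips '#'/'!' comments, last definition wins.
    Backslash line continuations are not handled."""
    props = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def check_admin_api_auth(text):
    """Return (methods, findings) for the effective property value."""
    raw = parse_properties(text).get(PROP)
    if raw is None:
        return [], [f"{PROP} is not set (missing or commented out)"]
    methods = [m.strip() for m in raw.split(",") if m.strip()]
    findings = []
    if "LDAP" not in methods:
        if any(m.upper() == "LDAP" for m in methods):
            findings.append("value differs in case from the documented 'LDAP'")
        else:
            findings.append("LDAP is not among the configured methods")
    elif len(methods) > 1:
        findings.append("two methods accepted; intended for migrating between methods")
    return methods, findings


if __name__ == "__main__":
    print(check_admin_api_auth(SAMPLE_RUN_PROPERTIES))
```

An empty findings list means LDAP is the only accepted method; a two-method finding is expected during a migration and worth revisiting once the migration is done.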
