When the administrative API is protected by LDAP authentication, every API call must carry valid LDAP credentials via HTTP Basic authentication; a call without them, or with invalid ones, receives an error response from the administrative API. The LDAP authentication setup, including role assignment, is configured in <pf_install>/pingfederate/bin/ldap.properties. The roles assigned to the LDAP accounts determine which API calls succeed.

Note:

When LDAP authentication is configured, PingFederate does not lock out accounts based upon the number of failed logon attempts. Responsibility for preventing access is instead delegated to the LDAP server and enforced according to its password lockout settings.

  1. Verify the pf.admin.api.authentication value in <pf_install>/pingfederate/bin/run.properties is set to LDAP.
    Update as needed.
  2. In the <pf_install>/pingfederate/bin/ldap.properties file, change property values as needed for your network configuration.
    See the comments in the file for instructions and additional information.
    Important:

    Be sure to assign LDAP users or designated LDAP groups (or both) to at least one of the PingFederate administrative roles as indicated in the properties file. For information about permissions attached to the PingFederate roles, see the PingFederate User Access Control table in Configure access to the administrative API.

    Note:

    When assigning roles, keep in mind that every LDAP account or group specified in ldap.properties can be used to access both the administrative API and the administrative console.

    Tip:

    You can also use this configuration file in conjunction with RADIUS authentication to determine permissions dynamically via an LDAP connection.

  3. Restart PingFederate.
    Note:

    In a clustered PingFederate environment, you only need to modify run.properties and ldap.properties on the console node.
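The following shell script is an added example, not a tool shipped with PingFederate or taken from its documentation. It checks the two files the procedure above edits before you restart the server: that run.properties selects LDAP for the administrative API (step 1), that ldap.properties assigns at least one administrative role (step 2), and, as a hardening check the page does not mention, that ldap.properties is not readable by other users, since it holds the LDAP bind settings. The role property names (role.admin, role.cryptoManager, role.userAdmin, role.expressionAdmin, role.auditor) and the sample file contents are assumptions; substitute the keys that appear in your own ldap.properties. The sample files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of PingFederate). Pre-restart checks for the
# LDAP admin-API configuration. Property names for roles are assumptions.

# Read a key from a Java .properties file: skip '#'/'!' comment lines, trim
# whitespace around key and value, and return the last definition (Java's
# Properties loader keeps the last one). Only '=' separators are handled.
prop_get() {
    awk -v want="$2" '
        /^[[:space:]]*[#!]/ { next }
        index($0, "=") == 0 { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == want) last = val
        }
        END { print last }' "$1"
}

# Step 1: run.properties must select LDAP for the administrative API.
check_auth_mode() {
    [ "$(prop_get "$1" pf.admin.api.authentication)" = "LDAP" ]
}

# Step 2: at least one administrative role must be assigned, otherwise no
# LDAP account can do anything through the API. Key names are assumptions.
check_roles_assigned() {
    for key in role.admin role.cryptoManager role.userAdmin \
               role.expressionAdmin role.auditor; do
        [ -n "$(prop_get "$1" "$key")" ] && return 0
    done
    return 1
}

# Hardening check beyond the page: ldap.properties holds the LDAP bind
# settings, so group and other should have no permission bits at all.
check_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample files (not real PingFederate files).
SAMPLE_DIR=$(mktemp -d)
RUN_OK="$SAMPLE_DIR/run.properties"
RUN_BAD="$SAMPLE_DIR/run.native.properties"
LDAP_OK="$SAMPLE_DIR/ldap.properties"
LDAP_BAD="$SAMPLE_DIR/ldap.noroles.properties"

cat > "$RUN_OK" <<'EOF'
# constructed sample
pf.admin.api.authentication = LDAP
EOF
cat > "$RUN_BAD" <<'EOF'
pf.admin.api.authentication=LDAP
# a later duplicate wins, as in Java's Properties loader
pf.admin.api.authentication=native
EOF
cat > "$LDAP_OK" <<'EOF'
ldap.url=ldaps://ldap.example.com:636
role.admin=cn=pf-admins,ou=groups,dc=example,dc=com
role.auditor=
EOF
chmod 600 "$LDAP_OK"
cat > "$LDAP_BAD" <<'EOF'
ldap.url=ldaps://ldap.example.com:636
role.admin=
role.auditor=
EOF
chmod 644 "$LDAP_BAD"

# Run the checks against the samples and report, as you would against
# $PF_INSTALL/pingfederate/bin/run.properties and ldap.properties.
for f in "$RUN_OK" "$RUN_BAD"; do
    if check_auth_mode "$f"; then echo "OK   $f: admin API uses LDAP"
    else echo "FAIL $f: pf.admin.api.authentication is not LDAP"; fi
done
for f in "$LDAP_OK" "$LDAP_BAD"; do
    if check_roles_assigned "$f"; then echo "OK   $f: a role is assigned"
    else echo "FAIL $f: no administrative role assigned"; fi
    if check_private "$f"; then echo "OK   $f: not readable by others"
    else echo "FAIL $f: readable by group or others"; fi
done
```

Point the three check functions at the real files under <pf_install>/pingfederate/bin on the console node (the only node whose copies matter in a cluster) before the restart in step 3; a FAIL on the role check means every LDAP account will authenticate but no call will be authorized.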