When the administrative API is protected by LDAP authentication, the API calls must be authenticated by valid LDAP credentials over HTTP Basic authentication; otherwise, the administrative API returns an error message. The LDAP authentication setup, including role assignment, is available via <pf_install>/pingfederate/bin/ldap.properties. The roles assigned to the LDAP accounts affect the results of the API calls.
When LDAP authentication is configured, PingFederate does not lock out accounts based upon the number of failed logon attempts. Responsibility for preventing access is instead delegated to the LDAP server and enforced according to its password lockout settings.