Allowing PingFederate to unlock PingDirectory accounts - PingFederate - 11.1

When connecting to PingDirectory, you can give the service account access to specific attributes that PingFederate reads or modifies when unlocking user accounts.

  1. Create an LDIF file that grants the service account the following ACI information.
     OID:        1.3.6.1.4.1.42.2.27.8.1.17
     Name:       pwdAccountLockedTime
     Permission: all

     The following example file, named aci.ldif, grants the service account all permissions on the ds-pwp-auth-failure and pwdAccountLockedTime attributes of entries under ou=People,dc=example,dc=com, and nothing else:

     dn: ou=People,dc=example,dc=com
     changetype: modify
     add: aci
     aci: (targetattr="ds-pwp-auth-failure||pwdAccountLockedTime")(version 3.0; acl "Allow unlock admin to lock and unlock user accounts"; allow (all) userdn="ldap:///uid=ServiceAccount,ou=Applications,dc=example,dc=com";)
  2. Use the ldapmodify command to apply the ACI. The bind account given with -D must itself be authorized to add ACIs on the target entry; it is not the PingFederate service account.
     $ ldapmodify -f <path>/aci.ldif
       -h <host name>
       -p <LDAP port>
       -D <LDAP bind username>
       -w <LDAP bind password>

     Note: Line breaks are inserted for readability only. Passing the bind password on the command line with -w exposes it in shell history and the process list; prefer the tool's password-file or prompt option where available.
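As an added pre-apply check that is not part of the Ping documentation, the following Python script parses the aci value from the example above and confirms it grants exactly the two unlock attributes to the intended service account DN before you run ldapmodify. The grammar it accepts is an assumption: it covers only the single-target, single-rule ACI form shown on this page, not the full ACI syntax.

```python
import re

# Constructed copy of the aci value from the page's aci.ldif, used here as the input under review.
ACI = ('(targetattr="ds-pwp-auth-failure||pwdAccountLockedTime")'
       '(version 3.0; acl "Allow unlock admin to lock and unlock user accounts"; '
       'allow (all) userdn="ldap:///uid=ServiceAccount,ou=Applications,dc=example,dc=com";)')

# The only attributes PingFederate needs for unlocking; any other attribute widens the grant.
REQUIRED_ATTRS = {"ds-pwp-auth-failure", "pwdaccountlockedtime"}

# Assumption: this grammar covers only the single-target, single-rule ACI form used on this page.
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'
    r'\(version\s*3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<rule>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'userdn\s*=\s*"(?P<userdn>[^"]*)";\s*\)',
    re.IGNORECASE,
)

def parse_aci(aci: str) -> dict:
    """Split the ACI into target, rule, permissions and bind rule; attribute names are lowercased."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("ACI does not match the expected single-target form")
    return {
        "negated": m.group("op") == "!=",
        "attrs": {a.strip().lower() for a in m.group("attrs").split("||") if a.strip()},
        "name": m.group("name"),
        "rule": m.group("rule").lower(),
        "perms": {p.strip().lower() for p in m.group("perms").split(",")},
        "userdn": m.group("userdn"),
    }

def review_aci(aci: str, service_dn: str) -> list:
    """Return findings that make the ACI broader than the unlock grant; an empty list means it matches."""
    a = parse_aci(aci)
    findings = []
    if a["negated"] or "*" in a["attrs"]:
        findings.append("targetattr is a wildcard or negation: grants access to every attribute")
    if extra := a["attrs"] - REQUIRED_ATTRS - {"*"}:
        findings.append(f"targetattr grants attributes beyond the unlock set: {sorted(extra)}")
    if missing := REQUIRED_ATTRS - a["attrs"]:
        findings.append(f"targetattr is missing attributes PingFederate needs: {sorted(missing)}")
    if a["rule"] != "allow":
        findings.append("rule is deny, not allow")
    if a["userdn"].lower() != f"ldap:///{service_dn}".lower():
        findings.append(f"userdn {a['userdn']!r} is not the PingFederate service account")
    return findings
```

Run review_aci(ACI, "uid=ServiceAccount,ou=Applications,dc=example,dc=com") against your own aci.ldif value; an empty list means the grant is scoped as the page intends.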