Allowing PingFederate to unlock PingDirectory accounts - PingFederate - 11.3

PingFederate Server


When connecting to PingDirectory, you can give the service account access to specific attributes that PingFederate reads or modifies when unlocking user accounts.

  1. Create an LDIF file to capture the following ACI information.
    OID: 1.3.6.1.4.1.42.2.27.8.1.17
    Name: pwdAccountLockedTime
    Permission: all

    For more information, see the following example file named aci.ldif.

    dn: ou=People,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr="ds-pwp-auth-failure||pwdAccountLockedTime")(version 3.0; acl "Allow unlock admin to lock and unlock user accounts"; allow (all) userdn="ldap:///uid=ServiceAccount,ou=Applications,dc=example,dc=com";)
  2. Use the ldapmodify command to configure the required ACI.
    $ ldapmodify -f <path>/aci.ldif
    -h <host name>
    -p <LDAP port>
    -D <LDAP bind username>
    -w <LDAP bind password>

    Note: Line breaks are inserted for readability only.
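After applying the ACI, a practitioner will want to confirm that it grants no more than intended: only the two unlock attributes, and only to the dedicated service account. The following Python check is an added example, not part of the PingFederate documentation; it parses the ACI syntax used in aci.ldif above and assumes the service-account DN from that file.

```python
import re

# Attributes the unlock grant is expected to cover (from aci.ldif above).
UNLOCK_ATTRS = {"ds-pwp-auth-failure", "pwdAccountLockedTime"}

# Matches the single-targetattr / single-userdn ACI shape used in aci.ldif.
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'
    r'\(version\s*3\.0\s*;\s*acl\s*"(?P<name>[^"]*)"\s*;'
    r'\s*(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)'
    r'\s*userdn\s*=\s*"(?P<userdn>[^"]*)"\s*;\s*\)',
    re.IGNORECASE,
)

def parse_aci(aci):
    """Parse the subset of PingDirectory ACI syntax used for the unlock grant."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unrecognised ACI syntax")
    return {
        "negated": m.group("op") == "!=",
        "attrs": {a.strip() for a in m.group("attrs").split("||")},
        "name": m.group("name"),
        "effect": m.group("effect").lower(),
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "userdn": m.group("userdn"),
    }

def check_unlock_aci(aci, service_account_dn):
    """Return a list of findings; an empty list means the grant is scoped as expected."""
    p = parse_aci(aci)
    findings = []
    if p["negated"] or "*" in p["attrs"]:
        findings.append("targetattr is a wildcard or negation: far broader than the unlock attributes")
    else:
        extra = p["attrs"] - UNLOCK_ATTRS
        if extra:
            findings.append("targetattr covers attributes outside the unlock set: " + ", ".join(sorted(extra)))
    if p["userdn"].lower() != f"ldap:///{service_account_dn}".lower():
        findings.append("userdn is not the dedicated service account: " + p["userdn"])
    if p["effect"] != "allow":
        findings.append("expected an allow rule, found " + p["effect"])
    return findings

# Constructed sample: the ACI from aci.ldif above, as it would be read back from the directory.
SAMPLE_ACI = ('(targetattr="ds-pwp-auth-failure||pwdAccountLockedTime")'
              '(version 3.0; acl "Allow unlock admin to lock and unlock user accounts"; '
              'allow (all) userdn="ldap:///uid=ServiceAccount,ou=Applications,dc=example,dc=com";)')
SERVICE_DN = "uid=ServiceAccount,ou=Applications,dc=example,dc=com"
```

Running `check_unlock_aci(SAMPLE_ACI, SERVICE_DN)` on the documented ACI returns an empty list; feed it the `aci` values read back with ldapsearch to catch a grant that was widened by mistake.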