Allowing PingFederate to unlock PingDirectory accounts - PingFederate

Allowing PingFederate to unlock PingDirectory accounts - PingFederate - 11.3

PingFederate Server

bundle

pingfederate-113

ft:publication_title

PingFederate Server

Product_Version_ce

PingFederate 11.3 (Latest)

category

Administrator

Administratorguide

Audience

Capability

ContentType

DeploymentMethod

Guide

Product

Productdocumentation

SingleSignonSSO

Software

SystemAdministrator

pf-113

pingfederate

ContentType_ce

Product documentation

Guide > Administrator Guide

Guide

When connecting to PingDirectory, you can give the service account access to specific attributes that PingFederate reads or modifies when unlocking user accounts.

Create an LDIF file to capture the following ACI information.

OID: 1.3.6.1.4.1.42.2.27.8.1.17
Name: pwdAccountLockedTime
Permission: all

For more information, see the following example file named aci.ldif.

dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="ds-pwp-auth-failure||pwdAccountLockedTime")(version 3.0; acl "Allow unlock admin to lock and unlock user accounts"; allow (all) userdn="ldap:///uid=ServiceAccount,ou=Applications,dc=example,dc=com";)

Use the ldapmodify command to configure the required ACI.

$ ldapmodify -f <path>/aci.ldif 
-h <host name> 
-p <LDAP port> 
-D <LDAP bind username> 
-w <LDAP bind password>

Note:

Line breaks are inserted for readability only.