
Rights required to change LDAP password on expiration


Article ID: 215804

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

One of the authentication methods available in CA PAM is LDAP. LDAP passwords expire, however, and it may be desirable to let PAM LDAP users change their password through PAM when it has expired, while PAM still binds to LDAP with an account that has only the minimal rights needed for this operation to succeed. The reason is to avoid using an Administrator account to connect to LDAP from PAM, and thus to minimize the risk of attack.


Environment

CA Privileged Access Management 3.3.X and 3.4.X

Resolution

To change the password of an LDAP account whose password has expired while connecting to PAM, the following conditions must be met:

  • The account with the expired password must be able to change its own password
  • The account used to bind to Active Directory/LDAP must have the right to read the users' attributes in the directory
  • The account used to bind to Active Directory/LDAP must have the right to reset passwords
  • AD must have SSL enabled (which also means a certificate must be in place so that it can be reached securely). If SSL is not enabled, it will not be possible to authenticate to AD and proceed with the password change
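The following Python example, added here and not part of the CA PAM product or this article, shows what those four conditions look like at the LDAP protocol level when the directory is Active Directory: the connection must be LDAPS, the bind account must be able to read the user's attributes, and the password is written to the unicodePwd attribute either as a single replace (needs the "Reset password" right on the bind account) or as a delete-old/add-new pair (the form a user with the "Change password" right can issue for his own account). The server name, bind DN, user DN and passwords are constructed placeholders, and the optional network part assumes the third-party ldap3 package, whose MODIFY_* constants are the same strings used below.

```python
"""Build the LDAP modify operations an expired-password change on Active
Directory needs, and enforce the LDAPS precondition before any bind.

Added example, not CA PAM code.  The functions that build payloads run
offline; change_expired_password() assumes the ldap3 package and a
reachable domain controller (both assumptions, not part of the article).
"""
import ssl
from urllib.parse import urlparse

# Same string values ldap3 uses for its MODIFY_* constants.
MODIFY_REPLACE = "MODIFY_REPLACE"
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_ADD = "MODIFY_ADD"


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd attribute expects the password wrapped in double
    quotes and encoded as UTF-16LE without a byte-order mark."""
    return f'"{password}"'.encode("utf-16-le")


def require_ldaps(url: str) -> str:
    """Return the host of an ldaps:// URL; refuse anything else.

    AD rejects writes to unicodePwd over an unencrypted connection, which is
    why the article requires SSL on AD for the password change to succeed."""
    parsed = urlparse(url)
    if parsed.scheme != "ldaps" or not parsed.hostname:
        raise ValueError(f"password change needs an ldaps:// URL, got {url!r}")
    return parsed.hostname


def reset_password_changes(new_password: str) -> dict:
    """Modify payload for an administrative reset: a single replace of
    unicodePwd.  Requires the 'Reset password' right on the target user,
    which is the permission the article grants to the PAM bind account."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}


def self_change_password_changes(old_password: str, new_password: str) -> dict:
    """Modify payload for a user changing his own password: delete the old
    value and add the new one in the same operation.  Needs only the
    'Change password' right, which the expired account must hold."""
    return {
        "unicodePwd": [
            (MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
            (MODIFY_ADD, [encode_unicode_pwd(new_password)]),
        ]
    }


def change_expired_password(url: str, bind_dn: str, bind_password: str,
                            user_dn: str, new_password: str) -> bool:
    """Reset user_dn's password with a minimal-rights bind account over LDAPS.

    Assumes the ldap3 package (imported here so the rest of the module runs
    without it) and checks each of the article's conditions in turn."""
    from ldap3 import ALL, Connection, Server, Tls  # assumption: pip install ldap3

    host = require_ldaps(url)                          # condition: SSL on AD
    tls = Tls(validate=ssl.CERT_REQUIRED)              # verify the AD certificate
    server = Server(host, port=636, use_ssl=True, tls=tls, get_info=ALL)
    with Connection(server, user=bind_dn, password=bind_password,
                    auto_bind=True) as conn:
        # condition: bind account can read the user's attributes
        if not conn.search(user_dn, "(objectClass=user)", attributes=["pwdLastSet"]):
            raise PermissionError("bind account cannot read the user's attributes")
        # condition: bind account holds 'Reset password' on the user
        if not conn.modify(user_dn, reset_password_changes(new_password)):
            raise PermissionError(f"password reset refused: {conn.result}")
    return True


if __name__ == "__main__":
    # Constructed placeholder values; no directory is contacted here.
    print(reset_password_changes("N3w-Passw0rd"))
    print(self_change_password_changes("Exp1red!", "N3w-Passw0rd"))
    print(require_ldaps("ldaps://dc01.example.test:636"))
```

The bind account in this flow never needs domain-admin membership: delegating "Read all properties" and "Reset password" on the organizational unit that holds the PAM users is enough for the search and the replace to succeed, and a bind over plain ldap:// is refused up front by require_ldaps() rather than failing later with an AD constraint violation.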