One of the authentication methods in CA PAM is LDAP. However, LDAP passwords may expire, and you may want to let PAM LDAP users change an expired password through PAM while PAM still binds to LDAP with an account that has only the minimal rights needed for this operation to succeed. The reason is to avoid using an Administrator account to connect to LDAP from PAM, and thus to minimize the risk of attack.
CA Privileged Access Management 3.3.X and 3.4.X
To change the password of an LDAP account while connecting to PAM when that account's password has expired, the following conditions must be met: