The customer is getting "PAM-CM-0762 Authentication failed" when trying to manage the credential for the LDAP binding account. The binding account can be verified, but the password can't be changed.
The account is configured to update its own password.
The Tomcat log shows this message:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002035: LdapErr: DSID-0C090F91, comment: Operation not allowed through GC port, data 0, v4563]; remaining name 'CN=CAPAMBindUsr,OU=Users,OU=SysMgt,DC=tus,DC=AMS1907,DC=com'
Release: ALL PAM versions
Component: CA LDAP Server
The customer is using port 3269 to manage the credential for the LDAP binding account instead of port 636.
Port 3269 is used for queries specifically targeted at the Global Catalog. LDAP requests sent to port 3269 can be used to search for objects in the entire forest, but, as the error above states, the password change is not allowed through the GC port.
On the Target Application/Active Directory, change the Domain Controller Port (SSL) to 636.
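To spot this condition in a Tomcat log, the following added example (not part of the original article or the product) parses the Active Directory error text quoted above and compares it with the port configured on the target application. The function names are hypothetical, and treating 3268 as the non-SSL Global Catalog port is an assumption the article does not state.

```python
import re

# Shape of an Active Directory LDAP error as JNDI prints it in the Tomcat log.
AD_LDAP_ERROR = re.compile(
    r"(?P<exception>[\w.$]+): \[LDAP: error code (?P<code>\d+) - "
    r"(?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>\w+), v(?P<build>\w+)\]"
    r"(?:; remaining name '(?P<dn>[^']*)')?"
)

GC_PORTS = {3268, 3269}  # Global Catalog ports (3268 is an assumption, not on the page)


def parse_ad_error(line):
    """Return the fields of an AD LDAP error line, or None if it is not one."""
    match = AD_LDAP_ERROR.search(line)
    if match is None:
        return None
    fields = match.groupdict()
    fields["code"] = int(fields["code"])
    return fields


def diagnose(line, configured_port):
    """Classify a log line against the port configured on the target application."""
    fields = parse_ad_error(line)
    if fields is None:
        return None
    gc_rejected = fields["code"] == 53 and "GC port" in fields["comment"]
    return {
        "account": fields["dn"],
        "ldap_code": fields["code"],
        "gc_write_rejected": gc_rejected,
        "port_is_gc": configured_port in GC_PORTS,
        "action": "set Domain Controller Port (SSL) to 636"
        if gc_rejected and configured_port in GC_PORTS else "no GC port issue found",
    }


# First line is the message quoted above; the second is constructed for contrast.
SAMPLE_LOG = [
    "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002035: "
    "LdapErr: DSID-0C090F91, comment: Operation not allowed through GC port, data 0, "
    "v4563]; remaining name 'CN=CAPAMBindUsr,OU=Users,OU=SysMgt,DC=tus,DC=AMS1907,DC=com'",
    "INFO: credential verify succeeded for target account (constructed line)",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(diagnose(entry, configured_port=3269))
```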