EEM LDAP BIND password handling

Article ID: 218554

Products

CA Service Catalog

Issue/Introduction

To minimise disruption when the password for the credentials used changes, how can updates to the way EEM binds to an external LDAP directory server be automated?

Environment

Release: 17.2

Component: CA Embedded Entitlements Manager

Resolution

To connect to an external LDAP source we must use a BIND; EEM is, at heart, an LDAP browser. It can't use web services to connect to the remote LDAP.

https://techdocs.broadcom.com/us/en/ca-enterprise-software/other/Embedded-Entitlements-Manager/12-6/configuring/ca-eem-server-user-stores-configuration.html

In some environments no password is needed: this is an "Unauthenticated Bind", which is possible in versions of Microsoft Active Directory prior to 2019. That release added the option for AD admins to prevent unauthenticated access by setting DenyUnauthenticatedBind=1. In that situation, where a bind password is required, you would need a process that:

1) Stops EEM on all nodes

2) Creates a "munged" version of the password with:

safex.exe -munge "passwordstring"

3) Inserts that into the EmbeddedEntitlementsManager\config\server\server.xml file on all nodes

4) Restarts EEM.
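
One way to script steps 1, 3 and 4 across all nodes, as an added PowerShell example (not Broadcom's tooling and not part of the original article). It assumes PowerShell remoting to each node; the node list, service name, install root and the old and new munged values are caller-supplied placeholders, and step 2 is run separately so the cleartext password never enters the script.

```powershell
# Added example. Placeholders (not from the article): node names, the EEM
# service name, the install root, and the assumption that the current munged
# value appears exactly once, verbatim, in server.xml.
param(
    [Parameter(Mandatory)] [string[]] $Nodes,        # EEM hosts reachable via PowerShell remoting
    [Parameter(Mandatory)] [string]   $ServiceName,  # placeholder: Windows service that runs EEM
    [Parameter(Mandatory)] [string]   $EemRoot,      # placeholder: folder containing EmbeddedEntitlementsManager
    [Parameter(Mandatory)] [string]   $OldMunged,    # munged value currently in server.xml
    [Parameter(Mandatory)] [string]   $NewMunged     # step 2 output: safex.exe -munge "passwordstring"
)
$ErrorActionPreference = 'Stop'   # a failure on any node halts before the restart step

# Step 1: stop EEM on all nodes before any file is touched.
Invoke-Command -ComputerName $Nodes -ArgumentList $ServiceName -ScriptBlock {
    param($svc) Stop-Service -Name $svc -Force
}

# Step 3: swap the munged value in server.xml on every node.
Invoke-Command -ComputerName $Nodes -ArgumentList $EemRoot, $OldMunged, $NewMunged -ScriptBlock {
    param($root, $old, $new)
    $ErrorActionPreference = 'Stop'
    $path   = Join-Path $root 'EmbeddedEntitlementsManager\config\server\server.xml'
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)   # 1:1 byte mapping leaves all other bytes untouched
    $text   = $latin1.GetString([System.IO.File]::ReadAllBytes($path))

    # Refuse to edit unless the old value is found exactly once (wrong file, already rotated, duplicates).
    $hits = [regex]::Matches($text, [regex]::Escape($old)).Count
    if ($hits -ne 1) { throw "Expected 1 occurrence of the old value on $env:COMPUTERNAME, found $hits" }

    $bytes = $latin1.GetBytes($text.Replace($old, $new))
    # Well-formedness check before writing: Load() throws if the new value broke the XML.
    (New-Object System.Xml.XmlDocument).Load([System.IO.MemoryStream]::new($bytes))

    Copy-Item -LiteralPath $path -Destination "$path.bak" -Force   # rollback copy; remove once verified
    [System.IO.File]::WriteAllBytes($path, $bytes)
}

# Step 4: restart EEM on all nodes.
Invoke-Command -ComputerName $Nodes -ArgumentList $ServiceName -ScriptBlock {
    param($svc) Start-Service -Name $svc
}
```

If step 3 fails on any node the script stops with EEM still down everywhere, so no node restarts with a stale password; restore from server.xml.bak or correct the input before rerunning.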