Managing LDAP Password Changes and Their Impact on Organization Configuration

Article ID: 273770

Products

CA Strong Authentication, CA Advanced Authentication

Issue/Introduction

This Knowledge Base article provides guidance on managing LDAP (Lightweight Directory Access Protocol) password changes and their potential impact on organization configurations. The customer has LDAP configured on organizational domains with "Administrator Authentication Mechanism = Webfort Password".

This article outlines best practices for planning and executing LDAP password changes to minimize disruptions.

Environment

Release: CA Advanced Authentication 9.1

Resolution

LDAP (Lightweight Directory Access Protocol) is a protocol used for accessing and managing directory services, such as user accounts, within an organization. It is commonly used for user authentication, authorization, and storing user-related information.

While creating an organization in the CA Risk Authentication repository or in your existing LDAP-based directory server, select the mechanism that is used to authenticate administrators who belong to this organization. "Administrator Authentication Mechanism = Webfort Password" specifies the CA Strong Authentication user name-password authentication method. If you select this option, the administrator credentials are issued and authenticated by the CA Strong Authentication Server.

Changing the LDAP password can impact the configuration of organizations that rely on LDAP for user authentication and authorization. Therefore, it is crucial to plan and execute password changes carefully to avoid disruptions and maintain system functionality. Follow these best practices when planning and executing LDAP password changes to minimize disruptions:

  • Conduct a thorough assessment to identify all systems, applications, or environments that depend on LDAP for user management.
  • Create a comprehensive document outlining the dependencies on LDAP, including which systems or applications use LDAP for authentication and authorization.
  • Notify all relevant stakeholders and clearly communicate the potential impact of the planned LDAP password change.
  • Before implementing changes in a production environment, create a controlled test environment that mirrors the production setup.
  • Confirm that LDAP-dependent systems and applications can authenticate and function correctly with the new LDAP password in the test environment.
  • Develop a rollback plan detailing the steps to revert to the previous LDAP password if any unforeseen issues arise.
  • After successfully implementing the LDAP password change, update all relevant configuration documentation to reflect the new LDAP password and any changes made during the process.

When creating an organization in the LDAP repository, map the CA Risk Authentication database attributes to the LDAP attributes. The user details for the new organization are stored in the LDAP repository that you specified. When modifying LDAP configurations, collect the LDAP repository details and update them as described in the following techdoc: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/advanced-authentication/9-0/administrating/administrating-ca-risk-authentication/organizations/creating-and-activating-organizations.html