LDAP integration issue (javax.naming.NamingException: [LDAP: error code 1)

Article ID: 397656

Updated On: 05-19-2025

Products

Network Observability CA Performance Management

Issue/Introduction

We are trying to integrate LDAP with CAPM. However, during testing it gives the following error. Please help me fix this.

Error:

Could not obtain a DirectoryContext.
javax.naming.NamingException: [LDAP: error code 1 - The provided value "x_xxxxxxxx" could not be parsed as a valid distinguished name because the underscore character is not allowed in an attribute name unless the ds-cfg-allow-attribute-name-exceptions configuration option is enabled]

Bind to the directory failed.

Cause

  • The User Bind parameter was disabled, so the user did not bind correctly with LDAP.
  • The account was a service account rather than a standard user, so it was not found as a valid LDAP user after a successful connection to LDAP.
  • The user represented by x_xxxxxxx has an underscore in its name, so if possible, choose an integration user without an underscore. Despite the error message, the underscore is not typically a disallowed character in an LDAP user name, and we were able to use it after resolving the first two causes.

LDAP user names typically consist of letters, numbers, and certain special characters. The specific characters allowed may vary depending on the LDAP server and implementation. Commonly allowed characters include lowercase and uppercase letters, numbers, and underscores, while characters like commas, plus signs, and backslashes may require escaping in certain contexts. 

 

Resolution

Launch SsoConfig by running the ./SsoConfig command in the <installation_directory>/PerformanceCenter directory.

SSO Configuration/DX NetOps:
1. LDAP Authentication
2. SAML2 Authentication
3. NetOps Portal
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
7. NetOps Portal Local Password Authentication
8. Enable or Disable a user account.

Option 1 allows us to configure the integration.

Connection User: cn=<LDAP user as per LDAP hierarchy>
Connection Password: **********  
Search Domain: <LDAP search domain>
Search String: saMAccountName={0}
Search Scope: subtree
User Bind: Enabled
Encryption: Simple
Account User: {saMAccountName}
Account User Default Clone: user      <Name of the account you want to clone when the user being authenticated does not exist yet and Portal creates an account for it>
Group:
Krb5ConfigFile:
Status: Enabled
Timeout: 10000


Option 5 tests LDAP users, but do not use service accounts for this test. In this case the service account authenticated with LDAP in option 1 but failed option 5, while other LDAP users were successful.
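The following Python pre-flight check is an added example, not code from this article or from the product. It reads a Connection User value the way a DN parser does: a bare name has its whole text treated as the attribute name, which matches the wording of the error above, while the cn=... form passes. It also applies RFC 4514 and RFC 4515 escaping to the characters mentioned under Cause. The example.com DN, the helper names, and the way {0} is substituted are assumptions made for illustration.

```python
import re

# RFC 4512 attribute type: a descriptor (letter, then letters/digits/hyphens) or a numeric OID.
ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")

def split_unescaped(text, sep):
    """Split text on sep, skipping separators that are backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" else 1  # keep an escape pair together
        if step == 1 and text[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += text[i:i + step]
        i += step
    parts.append(cur)
    return parts

def check_dn(value):
    """Return the problems found when value is read as a DN (empty list means well-formed)."""
    problems = []
    for rdn in split_unescaped(value, ","):
        for ava in split_unescaped(rdn, "+"):
            attr, eq, _ = ava.partition("=")
            if not ATTR_TYPE.fullmatch(attr.strip()):
                problems.append(f"invalid attribute name {attr.strip()!r}")
            elif not eq:
                problems.append(f"no '=' after attribute name {attr.strip()!r}")
    return problems

def escape_dn_value(value):
    """Escape a value for use inside a DN (RFC 4514)."""
    body = re.sub(r'([\\,+"<>;=])', r"\\\1", value).replace("\x00", "\\00")
    if value.startswith(("#", " ")):
        body = "\\" + body
    if value.endswith(" ") and len(value) > 1:
        body = body[:-1] + "\\ "
    return body

def escape_filter_value(value):
    """Escape a value for use inside a search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def build_filter(search_string, login):
    """Fill the {0} placeholder of a Search String with an escaped login name."""
    return search_string.replace("{0}", escape_filter_value(login))

SAMPLES = ("x_xxxxxxxx", "cn=x_xxxxxxxx,ou=Service Accounts,dc=example,dc=com")  # constructed values
```

Running check_dn on a value before entering it as Connection User separates a malformed DN from the User Bind and service-account causes listed above.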
