Users imported from Active Directory are not able to logon. They get error message that credentials are invalid.

Because you would like users to logon with their User Principal Name (= email address) the CDE settings are often changed to reflect this, yet the Unique user ID should remain mapped to sAMAccountName.

<Please see attached file for image>

-- Leave the Attributes Mapping as is unless instructed otherwise by CA personnel.

-- Leave the UserDNPattern empty

-- if logon still fails, try to logon with the  sAMAccountName (domain\userid) format

Also review folliowing discussion: https://communities.ca.com/docs/DOC-231169152  

It contains a pdf that describes the LDAP/AD integration in great detail and other useful information as well.