Users imported from Active Directory are unable to log on. They get an error message stating that the credentials are invalid.
Because administrators want users to log on with their User Principal Name (= email address), the CDE settings are often changed to reflect this. However, the Unique user ID should remain mapped to sAMAccountName.
-- Leave the Attributes Mapping as is unless instructed otherwise by CA personnel.
-- Leave the UserDNPattern empty.
-- If logon still fails, try to log on with the sAMAccountName (domain\userid) format.
Also review the following discussion: https://communities.ca.com/docs/DOC-231169152
It contains a PDF that describes the LDAP/AD integration in great detail, as well as other useful information.