When configuring LDAP, set the "Account User Default Clone" field to the same value as the "Account User" field.
In most common AD-based LDAP implementations, the values might be:
- Account User: {sAMAccountName}
- Account User Default Clone: {sAMAccountName}
With these settings, a login attempt fails if the user doesn't already have an account set up.
To allow that user to log in, a Performance Management (PM) administrator must create an account for the user with a user name that is the same as the user's network username coming from LDAP.
The new user must have an "Authentication Type" of "External".
Once this is done, the user will be able to log in successfully with their network credentials.
This is a best-practice settings change you can follow if you wish to control who can log in to PM.