Random login failures to ADLDS user store due to search request for CN on user connection

  • 7018658
  • 23-Feb-2017
  • 09-Jun-2017

Environment

NetIQ Access Manager 4.3

Situation

The NAM Identity Server maintains two kinds of LDAP connections to the user store: admin connections, which are used to search for the user's FDN and any attributes required for the user, and user connections, which are used only to bind with and validate the user's credentials.

With NAM 4.3, when many logins occur in quick succession, we see requests for the user's cn attribute sent over the user connection. With ADLDS, the user has no rights to read the cn attribute on their own object, so the search fails and the login fails with it.

In a LAN trace taken during a login failure, the problem search for the cn attribute appears on the user connection together with an LDAP rebind option. This LDAP rebind option seems to be what triggers the search for the user's cn attribute.

Resolution

Assign the user read rights to their own cn attribute.
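One way to apply this resolution on an AD LDS instance, as an added example that is not part of the original article: a single ACE for the SELF principal on the users container grants every user read access to its own cn attribute and nothing on anyone else's object. The instance host:port, the users container DN, and the assumption that NAM users are instances of the user class are placeholders to adjust for your deployment.

```powershell
# Added example (not from the KB article): grant AD LDS users read access to their own
# cn attribute using System.DirectoryServices. Run as an AD LDS administrator.
$Server         = 'adlds.example.com:50000'      # placeholder: AD LDS instance host:port
$UsersContainer = 'CN=Users,DC=example,DC=com'   # placeholder: container holding NAM users
$UserClass      = 'user'                         # assumption: NAM users are objects of class user

# Resolve the schemaIDGUIDs of the cn attribute and the user class from this instance's
# own schema partition rather than hard-coding them.
$rootDse  = [ADSI]"LDAP://$Server/RootDSE"
$schemaNc = $rootDse.schemaNamingContext.Value

function Get-SchemaIdGuid([string]$LdapDisplayName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$schemaNc"
    $searcher.Filter = "(lDAPDisplayName=$LdapDisplayName)"
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Schema object '$LdapDisplayName' not found in $schemaNc" }
    return [guid][byte[]]$result.Properties['schemaidguid'][0]
}

$cnGuid   = Get-SchemaIdGuid 'cn'
$userGuid = Get-SchemaIdGuid $UserClass

# SELF (S-1-5-10) is evaluated as "the object being accessed", so one inherited ACE on the
# container lets each user read its own cn without exposing other users' objects.
$self = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::SelfSid, $null)

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $self,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,   # read only, no write
    [System.Security.AccessControl.AccessControlType]::Allow,
    $cnGuid,                                                           # limited to the cn property
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)                                                         # applies to user objects only

$container = [ADSI]"LDAP://$Server/$UsersContainer"
$container.ObjectSecurity.AddAccessRule($rule)
$container.CommitChanges()
```

After committing, a simple bind as one of the affected users followed by a base-scope search of its own DN for cn should return the attribute instead of an empty result, and the login failures described above should stop.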