The RSTS LDAP connector requires a full ‘user’ object from the AD LDS directory to successfully bind as it must perform a simple bind; this is because we are not only authenticating the user but also querying the directory to retrieve extra attributes as claims to pass to Cloud Access Manager and onto backend applications.
If the user’s object is type ‘ForeignSecurityPrincipal’ (i.e. it was imported or synced to the directory from elsewhere) then these attributes will not be present and so although authentication could be supported with an NTLM bind, further functionality like authorisation via role population and even displaying a friendly name may not be possible.
For further info on AD LDS bind types please see the following link:
Use an AD LDS user with object type of ‘User’ for the directory bind (type ‘ForeignSecurityPrincipal’ will not work).
The user must also be a member of the Reader’s role in AD LDS and they must be defined using distinguishedName in the Cloud Access Manager LDAP authenticator UI.