We are running NAM 4.2.1 with an eDirectory user store. Currently the service account to the user store has read-only access to the OU where the users are stored. With this setup, I am unable to authenticate using the mobile access app (OAuth) on a phone. If I make the service account an admin to the user store, the mobile access authentication works correctly.

The documentation does not say explicitly what attributes need to be written to: https://www.netiq.com/documentation/...g.html#bcoabgl It does say:
"If you use X.509 authentication, the admin user needs write rights to update the user's login status attributes."
Does anyone know what the "login status attributes" are or what other attributes NAM needs to write to?

Otherwise, do most people use an admin user to connect to the user store?