An Authentication Manager administrator attempted to change an LDAP user's password in the Security Console, or
A user attempted to change their own LDAP password through the agent, but the external identity source directory user ID does not have write permissions into LDAP.
If you want your deployment to allow updates to Windows passwords through the RSA Security Console or through Windows agents,
From the Operations Console, navigate to Deployment Configuration > Identity Sources > Manage Existing and click on the identity source that you wish to update.
Select Edit. Scroll to the Identity Source Directory Connection and define an external identity source user ID account, also called a binding account, that has write permissions to the AD.
Use LDAPS (with a certificate) for the identity source directory connection (Deployment Configuration > Identity Source Certificates > Add New). For more information, please review this article on Identity Source SSL Certificates.