Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
To communicate with the LDAP server, the controller first tries TCP port 636 (LDAPS). If that fails, it tries StartTLS on TCP port 389. Both require that the server has an SSL/TLS certificate.
If that also fails and the cleartext setting is "yes" (cleartext == yes), the controller tries plain LDAP over TCP port 389 with no encryption. In that case the configured admin credentials and the password of every authenticating user cross the network unencrypted, and anyone who can block 636 and StartTLS can force the controller down to that path, so leave cleartext disabled unless the LDAP server genuinely cannot offer TLS.
This fallback applies only at the transport layer. Once any of these TCP connections succeeds, the controller expects the configured LDAP admin credentials to be valid and performs an LDAP bind with them; a failed bind is not retried over another transport. After a successful admin bind, the controller searches for the user under the configured base DN, matching the configured key attribute against the username.
The controller then uses the DN returned by that search, together with the password the user entered, to attempt a "user bind". If that bind succeeds, the controller returns an authentication-success message. Once the admin bind has succeeded over port 636, the same connection is used for the user bind; there is no fallback to another port if the user bind fails.
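The sequence above (transport selection, admin bind, search by key attribute under the base DN, then user bind) as an added worked example. This is illustration code, not ArubaOS code: the LDAP server is replaced by a constructed in-memory directory so the decision logic runs offline, and every name in it (LdapConfig, FakeLdapServer, the DNs and passwords) is hypothetical. It shows the three outcomes a practitioner most often has to diagnose: the normal LDAPS path, the fail-closed case when TLS is unreachable and cleartext is disabled, and the downgrade to unencrypted port 389 when cleartext == yes.

```python
"""Transport fallback and bind sequence for controller-to-LDAP authentication.

Added illustration, not ArubaOS code. The LDAP server is simulated by a
constructed in-memory directory so the decision logic runs offline; every
name here (FakeLdapServer, LdapConfig, the DNs and passwords) is hypothetical.
"""
from dataclasses import dataclass

# Constructed sample directory: DN -> attributes. Passwords are stored in the
# clear only because this is a toy server used to exercise the bind logic.
SAMPLE_DIRECTORY = {
    "cn=svc-aruba,ou=service,dc=example,dc=com": {
        "userPassword": "svc-secret",
    },
    "cn=alice,ou=people,dc=example,dc=com": {
        "sAMAccountName": "alice",
        "userPassword": "alice-pw",
    },
}

# Transport order from the article: LDAPS on 636, then StartTLS on 389,
# then cleartext on 389 only if the cleartext setting is yes.
TLS_TRANSPORTS = ("ldaps:636", "starttls:389")
CLEARTEXT_TRANSPORT = "cleartext:389"


@dataclass
class LdapConfig:
    """Controller-side LDAP server settings used in the sequence (hypothetical)."""
    admin_dn: str
    admin_password: str
    base_dn: str
    key_attribute: str = "sAMAccountName"
    cleartext: bool = False  # the "cleartext == yes" setting


@dataclass
class FakeLdapServer:
    """Simulated server: the transports it accepts and its directory."""
    listening: frozenset
    directory: dict

    def bind(self, dn, password):
        """Simple bind: succeed only if the DN exists and the password matches."""
        entry = self.directory.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, base_dn, attribute, value):
        """Return the DNs below base_dn whose attribute equals value."""
        return [
            dn for dn, attrs in self.directory.items()
            if dn.endswith("," + base_dn) and attrs.get(attribute) == value
        ]


def choose_transport(server, cfg):
    """First transport the server accepts, in the controller's order.
    Returns None when nothing is reachable (TLS down, cleartext disabled)."""
    order = list(TLS_TRANSPORTS)
    if cfg.cleartext:
        order.append(CLEARTEXT_TRANSPORT)
    for transport in order:
        if transport in server.listening:
            return transport
    return None


def authenticate(server, cfg, username, password):
    """Run the sequence for one user: pick a transport, admin bind, search
    by key attribute under base DN, then user bind with the found DN.
    Returns (success, transport_used, reason)."""
    transport = choose_transport(server, cfg)
    if transport is None:
        return False, None, "no usable transport (636/StartTLS down, cleartext disabled)"
    # Fallback is transport-only: once a session is up, nothing below is
    # retried over another port.
    if not server.bind(cfg.admin_dn, cfg.admin_password):
        return False, transport, "admin bind failed with configured credentials"
    matches = server.search(cfg.base_dn, cfg.key_attribute, username)
    if len(matches) != 1:
        return False, transport, f"user search returned {len(matches)} entries"
    user_dn = matches[0]
    if not server.bind(user_dn, password):
        return False, transport, f"user bind failed for {user_dn}"
    return True, transport, f"authenticated {user_dn}"


if __name__ == "__main__":
    cfg = LdapConfig(
        admin_dn="cn=svc-aruba,ou=service,dc=example,dc=com",
        admin_password="svc-secret",
        base_dn="ou=people,dc=example,dc=com",
    )
    healthy = FakeLdapServer(frozenset(TLS_TRANSPORTS + (CLEARTEXT_TRANSPORT,)), SAMPLE_DIRECTORY)
    tls_blocked = FakeLdapServer(frozenset({CLEARTEXT_TRANSPORT}), SAMPLE_DIRECTORY)
    print(authenticate(healthy, cfg, "alice", "alice-pw"))      # uses ldaps:636
    print(authenticate(tls_blocked, cfg, "alice", "alice-pw"))  # fails closed
    downgrade = LdapConfig(cfg.admin_dn, cfg.admin_password, cfg.base_dn, cleartext=True)
    print(authenticate(tls_blocked, downgrade, "alice", "alice-pw"))  # cleartext:389
```

The simulation deliberately keeps the transport choice outside the bind logic: that is what makes "fallback only at the transport layer" visible, because a wrong admin password or a wrong user password returns a failure tagged with the transport that was already chosen, never a retry on another port. When checking a real deployment, the same three probes map to `ldapsearch` against `ldaps://host:636`, `ldap://host:389` with `-ZZ` (StartTLS), and plain `ldap://host:389`; if only the last one works and cleartext is enabled, every password is leaving the controller unencrypted.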