This sounds like it is related to the LDAP_SEARCH_USER_CRITERIA site parameter.
When users attempt to log in to ALM, they are authenticated against LDAP using the distinguished
names (DN) that are stored in the Domain Authentication property in the ALM database. Using this site parameter, you can enhance the search so that when the DN information is invalid, ALM also searches on the LDAP server, using the LDAP import settings defined in Site Administration. If the user is found,the DN is updated in ALM, and an automatic login attempt is performed.
If you do not wish to have the Domain Authentication property updated, remove the LDAP_SEARCH_USER_CRITERIA site parameter.