Vikash Vikash.Singh
Theoretically, if we are not using any PASSWORD SERVICES functionality, then a read-only AD should work. But this is something CA would not have tested. Hence, though we may be using an AD which succeeds on the criterion of the Support Matrix Compatibility Check, if we run into issues CA would have the right to highlight this factor of a read-only AD (not tested / not supported).
A read-only AD may suffice in the scenario where we are not using CA SSO Password Policy and we are not utilizing the inbuilt AD Password Services (and / or AD Enhanced Password Services). But again, there may be scope creep. What do I mean by that? What if AD has set an account as "must change password" and the user logs in? So if I look at it from an overall perspective, you may end up needing some level of RW access.
But whatever you opt to choose, test it comprehensively to avoid pitfalls.