Minimum permissions for LDAP integration with AD

I use a regular Domain User account for the LDAP queries. It' s a dedicated account just to do the LDAP queries, so that way even if the account was compromised, it would have almost no other access. I' m not sure if it makes a difference, but this account is in the same OU as the user accounts it is checking. P.S. When my first FortiGate unit was installed by a consultant, it was configured to use a Domain Administrator account (the Administrator account!). I thought this was very poor practice to have such a sensitive account sitting with the password cached in reversible encryption on an Internet facing device. Hence I re-configured it.

Thanks for the info VeeChee ... so just membership of Domain Users then? I will maybe give that a try and see how it goes. I suppose I need to organise an outage window just in case ...

Mine has Domain Users membership and nothing else. And now that I think about it, that user can authenticate from different OUs because I have two FortiGates with two different Domain User accounts to access LDAP (one for each site), but users from either OU are successfully authenticated to FortiGate. I' m sure TechNet has an article addressing the LDAP query access a Domain User is granted to put your concerns to rest.