What permissions are needed to read Active Directory as LDAP?

Question

The setup:

There is a central AD domain (CENTRAL) and multiple seperate forests, each of which has their own domain (BRANCH1, BRANCH2, BRANCH3)

There are 2-way domain trusts between CENTRAL and all other domains.

An application I'm working on runs on the CENTRAL domain and performs LDAP searches on all domains, using the credentials CENTRAL\ldapreader.

This works perfectly for CENTRAL and BRANCH1, but BRANCH2 and BRANCH3 refuse the connection with an invalid credentials error. If the search instead uses an account in those domains (BRANCH2\ldapreader, etc) then the search works fine.

What level of permissions are needed to read AD as an LDAP server? Everything I've found indicates that this is allowed for AUTENTICATED USERS, which should work fine with CENTRAL\ldapreader due to the two way trust but that isn't the behavior we're getting.

Answer 1

I think the permission you're looking for is "List Contents". You should ensure "CENTRAL\ldapreader" has this permission for BRANCH2 and BRANCH3.

I'm wondering if you set up the trusts with selective authentication or forest-wide authentication and whether you can manualy browse BRANCH2 and BRANCH3.