SSL4500 - AD LDAP - user privilege for AdminDN

SOLVED
R11ver_
Occasional Contributor

SSL4500 - AD LDAP - user privilege for AdminDN

Hi All!

Please could you help with a couple of questions,

We have a Juniper SSL 4500 device and are going to integrate it with Active Directory via LDAP. The server type will be Active Directory. What are the necessary rights for the username that should be specified in the Admin DN field? Should it be a Domain Administrator, or will a Domain User be enough?

Thanks for your help!


7 REPLIES
cbarcellos_
Regular Contributor

Re: SSL4500 - AD LDAP - user privilege for AdminDN

If you can use a domain admin, that would be the best way to go. We have a KB for setting up an AD domain user with extra permissions, however: http://kb.pulsesecure.net/KB2624 The setup for LDAP should be the same. I would recommend using a domain admin account if possible; it is much easier. If the domain user account doesn't have the exact needed permissions, you could have intermittent authentication issues.

R11ver_
Occasional Contributor

Re: SSL4500 - AD LDAP - user privilege for AdminDN

Thanks for an answer.

This KB is for the Kerberos way of integrating with AD; in this case the Juniper needs to be joined to AD.

But using the LDAP service, there is no need to join the domain. So it seems it is not necessary to give the "Create Computer Objects" and "Delete Computer Objects" privileges to this account, etc.

For security reasons we cannot use a domain administrator as the service account.

Please could you determine exactly what privileges this account should have?

Is it enough for the AdminDN account to be only a Domain User for AD LDAP?

Your help is really appreciated. Thanks,

R11ver_
Occasional Contributor

Re: SSL4500 - AD LDAP - user privilege for AdminDN

Hi!

Do you have any suggestions? Does somebody have experience with it?

Your help is really needed and will be appreciated!

Thanks!

ruc_
Regular Contributor

Re: SSL4500 - AD LDAP - user privilege for AdminDN

For LDAP-based AD integration a simple service account should be enough, i.e. an account that can bind to the LDAP server and browse the directory structure (read only) should suffice.

R11ver_
Occasional Contributor

Re: SSL4500 - AD LDAP - user privilege for AdminDN

Ruc, thanks for the reply. So, will a Domain User be enough? Is it necessary to grant password change rights to the account to allow SSL users to change their password?

ruc_
Regular Contributor

Re: SSL4500 - AD LDAP - user privilege for AdminDN

Yes, a domain user should suffice. For password management related functionality, most of the operations are performed within the actual end user's context, so the service account will not need any special permissions around password change either.

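An added example, not part of the thread and not Juniper or Pulse Secure code, that checks the two points ruc_ makes above before the Admin DN account is typed into the appliance: the account only needs to bind and read (reply at "For LDAP-based AD integration"), and it needs no write rights for password changes (reply directly above). The script is run from a domain-joined admin workstation with the RSAT ActiveDirectory module; the DC name dc01.example.com, base DN DC=example,DC=com, service account EXAMPLE\svc-ssl4500 and test user jdoe are hypothetical names to be replaced with your own.

```powershell
# Added example (not from the thread). Confirms that a plain Domain User can
# serve as the SSL4500 Admin DN account: it binds over LDAPS, reads the user
# entry and group list the appliance needs, and is denied any write.
# All names below are assumptions; substitute your own.

Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc       = 'dc01.example.com'      # assumption: a domain controller
$baseDn   = 'DC=example,DC=com'     # assumption: search base
$svcUser  = 'EXAMPLE\svc-ssl4500'   # assumption: the Admin DN account
$testUser = 'jdoe'                  # assumption: any ordinary user

# 1. The service account should sit in Domain Users only; flag admin groups.
$sam    = $svcUser.Split('\')[1]
$groups = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
Write-Host "Group membership of ${sam}: $($groups -join ', ')"
foreach ($g in @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators')) {
    if ($groups -contains $g) { Write-Warning "$sam is a member of '$g'; that is more than LDAP lookup needs." }
}

# 2. Simple bind over LDAPS (636) as the service account. A simple bind carries
#    the password in clear inside the TLS session, so port 389 is never used here.
$cred = Get-Credential -UserName $svcUser -Message 'Service account password'
$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($dc, 636)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
            $id, $cred.GetNetworkCredential(),
            [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.Bind()
Write-Host "Bind as $svcUser succeeded"

# 3. Read-only lookup the appliance performs: the user's DN (for the user's own
#    bind) and memberOf (for role mapping). Subtree search from the base DN.
$filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$testUser))"
$search = [System.DirectoryServices.Protocols.SearchRequest]::new(
              $baseDn, $filter,
              [System.DirectoryServices.Protocols.SearchScope]::Subtree,
              [string[]]@('distinguishedName', 'memberOf'))
$resp = $conn.SendRequest($search)
if ($resp.Entries.Count -ne 1) { throw "Expected exactly one entry for $testUser, got $($resp.Entries.Count)" }
$entry = $resp.Entries[0]
Write-Host "Found $($entry.DistinguishedName)"
$memberOf = $entry.Attributes['memberOf']
if ($null -ne $memberOf) {
    foreach ($g in $memberOf.GetValues([string])) { Write-Host "  memberOf: $g" }
}

# 4. Negative check: a read-only account must be refused any modify. Replace
#    'description' on the test user and expect insufficientAccessRights.
$mod = [System.DirectoryServices.Protocols.ModifyRequest]::new(
           $entry.DistinguishedName,
           [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace,
           'description', 'write test from service account')
try {
    [void]$conn.SendRequest($mod)
    Write-Warning "$sam can write to user objects; it holds more rights than the LDAP auth server needs."
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    $code = $_.Exception.Response.ResultCode
    if ($code -eq [System.DirectoryServices.Protocols.ResultCode]::InsufficientAccessRights) {
        Write-Host 'Write denied as expected: the account is read-only.'
    } else { throw }
}
$conn.Dispose()
```

Steps 2 and 3 are exactly what the appliance does with the Admin DN credentials (bind, then search for the user and its groups), so if they succeed the account is sufficient; step 4 confirms it is no more than sufficient. Password changes are not exercised here because, as the reply above says, the appliance performs them as the end user, not as the service account.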
R11ver_
Occasional Contributor

Re: SSL4500 - AD LDAP - user privilege for AdminDN

Thanks a lot!