The LDAP user account doesn't require elevated privileges. You can use just a regular domain user account. In an attempt to make things a little more secure, I've restricted the account to only allow login to the DC that Openfire looks at. Of course the user account isn't a member of any groups other than Domain Users. This prevents it from using RDP into the DC. I also denied the account any access to the few shares on that server.
1. Make an OU in Active Directory called ServiceAccounts.
2. Create a new account specific for locating users in your AD and put it in the ServiceAccounts OU.
3. Add the new account to the "Domain Guests" group.
4. Highlight Domain Guests, and click Make Primary Group.
5. Remove the account from the Domain Users group.
6. Set the path to CN=account you made, OU=ServiceAccounts, DC=domain, DC=com
Anyone can search your AD and get details from user accounts. This is why you should never put passwords in any of the fields within an AD user account. By making the search account a Domain Guest only, you're ensuring they can't log on to any PCs or really do much of anything at all in your domain. I then use this account for all my OSS apps that need it for AD auth.
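The same procedure scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the thread above. The OU name, the account name svc-openfire-ldap and the domain DN are assumptions; substitute your own. It also shows the two things the GUI hides: "Make Primary Group" is just writing the group's RID (514 for Domain Guests) into primaryGroupID, and the account can only leave Domain Users after that switch. It ends with a simple bind and search as the new account over LDAPS, which is all Openfire needs it to do (assumes the DC has a certificate for port 636).

```powershell
# Added example, not from the original thread. Requires RSAT / the ActiveDirectory module
# and an account allowed to create users and OUs. Names below are placeholders.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName            # e.g. DC=domain,DC=com
$ouName   = 'ServiceAccounts'
$ouDn     = "OU=$ouName,$domainDn"
$samName  = 'svc-openfire-ldap'                          # assumed account name
$password = Read-Host -AsSecureString -Prompt "Password for $samName"

# Step 1: OU for service accounts (skipped if it already exists)
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# Step 2: the lookup account itself. An LDAP bind needs no interactive logon right,
# so nothing beyond a valid password is granted here.
New-ADUser -Name $samName -SamAccountName $samName -Path $ouDn `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'LDAP lookup account for Openfire (read-only directory access)'

# Steps 3 and 4: join Domain Guests and make it the primary group. The primary group is
# stored as the group's RID in primaryGroupID; Domain Guests is the well-known RID 514
# (Domain Users is 513). AD moves the explicit membership to the old primary group for you.
Add-ADGroupMember -Identity 'Domain Guests' -Members $samName
Set-ADUser -Identity $samName -Replace @{ primaryGroupID = 514 }

# Step 5: only now can the account leave Domain Users; AD refuses to remove a user
# from its current primary group, which is why the GUI order matters.
Remove-ADGroupMember -Identity 'Domain Users' -Members $samName -Confirm:$false

# Step 6: the DN to paste into Openfire's bind DN field, plus a check of what we did.
# Note that memberOf never lists the primary group, so an empty memberOf here is correct.
$user = Get-ADUser -Identity $samName -Properties primaryGroupID, memberOf
"Bind DN       : $($user.DistinguishedName)"
"primaryGroupID: $($user.primaryGroupID)"                  # expect 514
"memberOf      : $($user.memberOf -join '; ')"             # expect empty

# Sanity check: simple bind as the new account over LDAPS (636) and look up one user,
# the same operation Openfire performs. Plain LDAP on 389 would send this password in clear.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$dc   = (Get-ADDomainController).HostName
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Bind((New-Object System.Net.NetworkCredential($user.DistinguishedName, $password)))

$req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $domainDn, '(sAMAccountName=Administrator)', 'Subtree', 'distinguishedName')
$resp = $conn.SendRequest($req)
"Search as $samName returned $($resp.Entries.Count) entry (expect 1)"
$conn.Dispose()
```

If the final search returns 0 entries while the bind succeeded, the account can authenticate but cannot read the directory, which usually means a custom ACL or the "Authenticated Users" read permission has been removed from the OU you search; Openfire will then fail to find any users even though the bind test in its setup wizard passes.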