Minimum settings for binding credentials

[ServerGuy]

Does anyone know what minimum permissions an account needs to have in Active Directory for single sign on to work. In my previous post relating to changing the binding credentials account breaking single sign on we changed the account in question to have more permissions which fixed out issue, however we would like to know what it needs so we dont have an account out there with more permissions than what it actually needs. Any help at all would be great.

Thank you

[Grim]

That all depends on how your AD Admin configured the AD server.

Did they allow anonymous binds?

If they didn't then theoretically/logically speaking you only need an account that has the proper "read" permissions in the AD users branch.

[ServerGuy]

We do not allow anonymous bindings, also because there are so many "read" permissions that can be set i was curious if anyone knew which specific ones needed to be set.

Thanks

[Grim]

We do not allow anonymous bindings, also because there are so many "read" permissions that can be set i was curious if anyone knew which specific ones needed to be set.

Thanks

"Use the credentials of an Active Directory Server user who has search and read privileges for that server."

Taken from the Install and Config guide found here:
http://publib.boulder.ibm.com/infocenter/c8bi/v8r4m0/index.jsp?topic=/com.ibm.swg.im.cognos.inst_cr_winux.8.4.0.doc/inst_cr_winux_id13896AP_active_dir_srvr.html

That's all it says, so the AD Admin should know what that is.