Restricting LDAP search permissions in AD2003

["Paul Deasy" <paul.deasy () gmail com>]

I have had a couple of requests to have some internal intranet apps
configured so end-users could login via SSO (authenticating against
our AD2003 database.)

I'm trying to setup an AD2003 user account, which would be used when
configuring the LDAP authentication of the webapp, but I'm a bit
concerned that a basic domain-user level account would be able to do
more than just query the AD database with an LDAP query. I'm trying to
ensure that the useraccount would only be able to check permissions of
a security group.

Does anyone have (or know of) any recommended access controls for such
a user account setup? I want to be sure that this user account cannot
be used to modify user account permissions.

any suggestions would be much appreciated

PaulD