I have zimbra authenticating against my Active Directory domain. In fact it works against my fail-over setup (I just give it the two IPs for the two Domain Controllers, no hassle).

I also have it autoprovisioning against the domain.

However, it's using the administrator account (for academic purposes right now).

The lasting solution is a dedicated account. What are the bare minimum permissions the domain account needs on the domain end to achieve both auth checks and autoprov LDAP queries?

I'm hoping not domain admin, but if that's what it takes, so be it.