What type of account is needed for LDAP integration?


The correct choice is an LDAP bind account with READ ONLY access, as this type of account is specifically designed for integrating with LDAP (Lightweight Directory Access Protocol) directories. When integrating CyberArk with an LDAP directory, it is essential to authenticate users and retrieve information without compromising security.

Using a bind account with read-only access ensures that the system can query the directory for user credentials and attributes without granting excessive permissions that could create security risks. This limits the account's actions to what is necessary for authentication and user information retrieval, in line with the principle of least privilege.

Options that suggest a domain administrator or service account with full access imply a broader range of permissions, which is unnecessary and even risky for the purpose of LDAP integration. Such accounts could expose sensitive directory data if misconfigured or compromised. An admin account for all users is also not appropriate, as it could lead to overprivileged access across the system. In contrast, a bind account specifically tailored for read-only access strikes a balance between functionality and security, making it the ideal choice for LDAP integration with CyberArk.
