Giving admin_all_objects is not an advisable solution. This gives people way more permission than they need to get LDAP search working and I agree with @sayantabasak .  This is what that capability gives people access to do and should only be limited to administrators: admin_all_objects Lets the user access and modify any object in the system regardless of any restrictions set in the objects. For example user objects, search jobs, reports, and knowledge objects. Lets the user bypass any ACL restrictions, much the way root access in a *nix environment does.   I was able to give my Analysts access to run LDAP queries by adding the following capabilities to their analyst user role: list_settings list_storage_passwords Here is the access list_settings and list_storage_passwords provide. During troubleshooting, I discovered both are required and allows the users to perform gets for the password (to authenticate to AD), but it does not allow them to POST (or write to) the password as the admin_all_objects does and is not required: list_settings Lets the user list and view server and introspection settings such as the server name, log levels, etc. list_storage_passwords Lets the user list and view the /storage/passwords endpoint, lets the user perform GETs. The admin_all_objects capability must be added to the role for the user to perform POSTs to the /storage/passwords endpoint.   To view more on roles @3DGjos, please see the following page on Splunk Docs: https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/Rolesandcapabilities   ... View more