AD (MS Active Directory) is its usual challenging self. Most LDAP authentication modules assume they have anonymous browse access: they search for the user's entry first, and only then authenticate the user with a bind attempt. I don't understand why they work that way. The usual justification is that an LDAP simple bind wants a full DN, which the module has to look up from the login name, but AD also accepts a userPrincipalName (user@domain) or DOMAIN\user as the simple-bind name, so that lookup is unnecessary there. If the two steps were reversed, bind first and then search, you would never need anonymous browse access.
In any case, by default AD does not allow anonymous browsing, so with these modules you end up putting a dedicated user name and password in your config files: the module logs in to AD with that service account, searches for the user's entry, and then binds again with the credentials of the user who is actually trying to authenticate.
It seems incredibly redundant to store a user name and password in config files just so we can authenticate everyone else, so let's try for a better solution.
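The bind-first flow in working code, as an added example (not code from this post): bind to AD as user@domain with the credentials the user just typed, then look up the user's own entry under that session, with no service account anywhere. The domain, base DN and host names are assumptions, the `FakeADConnection` and `SAMPLE_DIRECTORY` are constructed so the flow runs offline, and `ldap3_connect` is the real connector for the ldap3 library. One caveat the example enforces that many modules miss: an LDAP simple bind with a name but an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2), and AD answers it with success and an anonymous session, so an empty password must be refused before the bind is attempted.

```python
"""Bind-first authentication against Active Directory (added example, not the post's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed names for this example; replace with your own forest.
DOMAIN = "example.local"
BASE_DN = "DC=example,DC=local"
DC_HOST = "dc1.example.local"


def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def to_upn(username: str, domain: str = DOMAIN) -> str:
    """Build the userPrincipalName that AD accepts as a simple-bind name (no DN lookup).

    Only a bare account name is allowed; anything that could smuggle another realm,
    a DN component or filter syntax is refused.
    """
    name = username.strip()
    if not name or any(c in name for c in "@\\/,=()*\x00") or any(c.isspace() for c in name):
        raise ValueError("unexpected characters in user name")
    return f"{name}@{domain}"


def naive_check(username: str, password: str, connect: Callable) -> bool:
    """What many modules do: treat bind success as authentication. Shown for contrast only."""
    conn = connect(to_upn(username), password)
    ok = conn.bind()
    conn.unbind()
    return ok


def authenticate(username: str, password: str, connect: Callable) -> Optional[Dict]:
    """Return the user's attributes on success, None on any failure.

    `connect(bind_name, password)` returns an object with ldap3-style bind(),
    search(base, filter, attributes=...), unbind() and a `response` list.
    """
    if not password:          # empty password = unauthenticated bind, which AD "accepts"
        return None
    try:
        upn = to_upn(username)
    except ValueError:
        return None
    conn = connect(upn, password)
    if not conn.bind():
        return None
    try:
        # Authenticated Users can read their own object by default, so the lookup
        # runs under the user's own credentials rather than a stored service account.
        flt = f"(&(objectClass=user)(userPrincipalName={escape_filter(upn)}))"
        conn.search(BASE_DN, flt, attributes=["sAMAccountName", "memberOf"])
        entries = [r for r in conn.response if r.get("type") == "searchResEntry"]
        if len(entries) != 1:
            return None
        return {"dn": entries[0]["dn"], **entries[0]["attributes"]}
    finally:
        conn.unbind()


def ldap3_connect(bind_name: str, password: str):
    """Real connector: LDAPS with certificate validation via the ldap3 library (lazy import)."""
    import ssl
    from ldap3 import SIMPLE, Connection, Server, Tls
    server = Server(DC_HOST, port=636, use_ssl=True, tls=Tls(validate=ssl.CERT_REQUIRED))
    return Connection(server, user=bind_name, password=password, authentication=SIMPLE)


@dataclass
class FakeADConnection:
    """Constructed stand-in for a domain controller so the flow runs offline.

    It mimics the one AD behaviour that matters here: a bind with an empty password
    succeeds, but as an anonymous session that cannot read user objects.
    """
    user: str
    password: str
    directory: Dict[str, Dict]  # upn -> {"password", "dn", "attributes"}
    response: List[Dict] = field(default_factory=list)
    bound: bool = False

    def bind(self) -> bool:
        rec = self.directory.get(self.user)
        self.bound = rec is not None and (self.password == "" or rec["password"] == self.password)
        return self.bound

    def search(self, base: str, flt: str, attributes=None) -> bool:
        self.response = []
        if not self.bound or self.password == "":
            return False
        for upn, rec in self.directory.items():
            if base == BASE_DN and f"(userPrincipalName={escape_filter(upn)})" in flt:
                self.response.append({"type": "searchResEntry", "dn": rec["dn"],
                                      "attributes": rec["attributes"]})
        return bool(self.response)

    def unbind(self) -> None:
        self.bound = False


SAMPLE_DIRECTORY = {  # constructed test data
    "alice@example.local": {
        "password": "correct horse battery staple",
        "dn": "CN=Alice,OU=Staff,DC=example,DC=local",
        "attributes": {"sAMAccountName": "alice",
                       "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=local"]},
    },
}


def fake_connect(bind_name: str, password: str) -> FakeADConnection:
    return FakeADConnection(bind_name, password, SAMPLE_DIRECTORY)


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple", fake_connect))
    print(naive_check("alice", "", fake_connect), authenticate("alice", "", fake_connect))
```

Swap `fake_connect` for `ldap3_connect` to run it against a real domain controller; the rest of the flow is unchanged. The contrast between `naive_check` and `authenticate` on an empty password is the point: against AD the bind itself reports success, so a module that stops at the bind result lets the empty password through.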