Using a bind user with a password to read from LDAP/AD is common. Using the memberOf=Group attribute for authing is common, too. Both in combination can be a major fuckup: when your bind user sees the whole LDAP tree, except the memberOf attributes. Ok, rewrite your authing. Ok, do that once, twice, more often .. for every single service, changing the out-of-the-box auth to something uncommon. No no no, I don't buy that.

Well, I searched for ages, but then I found a vague hint that enabling

"Pre Windows 2000 Compatibility" 

might help. An really, this info is digged up from the bottoms of the interwebbs. Golden needle in a haystack!

Enable the darn stupidly named checkbox, and hey, finally your bind user can read what your bind user should be able to read anyway.
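For the record, the thing behind that checkbox is the built-in domain local group "Pre-Windows 2000 Compatible Access": its members get the legacy read permissions on user and group objects, which is what a bind account needs to see group membership (memberOf is computed from the member attribute on the groups, so if the bind account can't read that, memberOf comes back empty). Below is an added PowerShell example, not from the original post, that shows how to check who is in that group today, add only the bind account to it instead of the wide-open Everyone / Authenticated Users setting, and verify the result by searching as the bind account. It assumes the RSAT ActiveDirectory module is installed; the account name svc-ldap-bind and the test user someuser are placeholders.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$BindUser = 'svc-ldap-bind'                        # placeholder: sAMAccountName of your bind account
$TestUser = 'someuser'                             # placeholder: a user known to be in some groups
$Group    = 'Pre-Windows 2000 Compatible Access'   # built-in domain local group in CN=Builtin

# 1. See who currently has the legacy read rights. "Everyone" (S-1-1-0), "Anonymous Logon"
#    (S-1-5-7) or "Authenticated Users" (S-1-5-11) showing up here means far more than your
#    bind account can read the directory; reading the raw member attribute avoids the
#    foreign-security-principal quirks of Get-ADGroupMember.
Get-ADGroup -Identity $Group -Properties member |
    Select-Object -ExpandProperty member

# 2. Before the change: search as the bind account; with insufficient rights the entry is
#    returned but memberOf is empty, which is exactly the symptom described above.
$cred = Get-Credential -UserName "$env:USERDOMAIN\$BindUser" -Message 'bind account password'
Get-ADUser -Identity $TestUser -Properties memberOf -Credential $cred |
    Select-Object -ExpandProperty memberOf

# 3. Grant the legacy read rights to the bind account only (least privilege), rather than
#    ticking the box that adds Everyone / Anonymous Logon.
Add-ADGroupMember -Identity $Group -Members $BindUser

# 4. After the change, the same search as the bind account should list the groups.
Get-ADUser -Identity $TestUser -Properties memberOf -Credential $cred |
    Select-Object -ExpandProperty memberOf
```

Group membership is evaluated at logon, so the bind account's next bind (a new LDAP connection from the service) picks up the change; a connection that was already open before the Add-ADGroupMember keeps the old token until it reconnects.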