
FW Services to allow for AD / LDAP only

Hey guys,

 

I just need a sanity check.

 

I have an IPsec tunnel between our Sophos and an outside supplier - the supplier needs to be able to access my AD to pull users / passwords for a shared application.

I want to restrict them to only getting to AD for those things.

So in services I have removed ANY and replaced it with LDAP, DNS, UDP, TCP and ICMP only - is that all that is required for them to still be able to access AD but without full access?

** ICMP is only for monitoring / troubleshooting :-)


