LDAP API security change caused regression in LDAP group sync

Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/41827

In 10.4.3 (and backports to 10.3 and 10.2) we released a change restricting the LDAP API to admins only. However, some LDAP API endpoints are called from JS to provide autocomplete when choosing an LDAP group for LDAP group synchronization. After this security change, group owners are no longer able to configure LDAP group sync because that JS request now fails with a 403 Forbidden error.

Steps to reproduce

  1. Set up LDAP with a group base.
  2. Create a new group as a non-admin.
  3. Go to Settings -> LDAP synchronizations.
  4. Attempt to search for an LDAP group.
  5. Observe that no results are found. The JS console shows 403 errors.

The specific endpoint this form uses is /api/v4/ldap/ldapmain/groups.json.
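To make the regression concrete, here is an added illustration (not GitLab's own code) that models the two authorization rules as a toy policy and a regression check: the admin-only rule from the security release returns 403 for a group owner on the group-search endpoint, while a rule scoped per endpoint and role keeps that one call working without reopening the rest of the LDAP API. The `User` struct, the policy method names and the second endpoint path are assumptions.

```ruby
# Added example, not GitLab's code. Models the LDAP API authorization
# decision; User, the role model and the "other" path are assumptions.
User = Struct.new(:name, :admin, :owned_groups, keyword_init: true)

LDAP_GROUP_SEARCH = "/api/v4/ldap/ldapmain/groups.json"

# Rule as shipped in the 10.4.3 security release: every LDAP API endpoint
# requires an admin. Correct for the bulk of the LDAP API, but it also
# blocks the group-search call the LDAP sync form makes for group owners.
def admin_only(user, _path)
  user.admin
end

# Refined rule: admins keep full access; a non-admin may call only the
# group-search endpoint, and only when they own at least one group (the
# role that configures LDAP group sync in this model). Everything else
# on the LDAP API stays admin-only.
def admin_or_group_owner(user, path)
  return true if user.admin
  path == LDAP_GROUP_SEARCH && !user.owned_groups.empty?
end

# Mimic the API layer: 200 when the policy allows the call, else 403.
def http_status(policy, user, path)
  method(policy).call(user, path) ? 200 : 403
end

# The regression check a release would want: the owner's group search must
# keep working while non-owners still get 403 on every LDAP endpoint.
def regression_report(policy)
  owner = User.new(name: "owner", admin: false, owned_groups: ["devs"])
  plain = User.new(name: "plain", admin: false, owned_groups: [])
  admin = User.new(name: "admin", admin: true,  owned_groups: [])
  other = "/api/v4/ldap/ldapmain/other.json" # constructed placeholder path
  {
    owner_search: http_status(policy, owner, LDAP_GROUP_SEARCH),
    owner_other:  http_status(policy, owner, other),
    plain_search: http_status(policy, plain, LDAP_GROUP_SEARCH),
    admin_other:  http_status(policy, admin, other),
  }
end

if $PROGRAM_NAME == __FILE__
  puts "admin_only:           #{regression_report(:admin_only)}"
  puts "admin_or_group_owner: #{regression_report(:admin_or_group_owner)}"
end
```

Under `admin_only` the `owner_search` entry is 403, which is exactly the failure the sync form hits; under the refined rule it is 200 while `owner_other` and `plain_search` stay 403.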

cc/ @stanhu Looks like you were involved with the security release so probably have some background here. Thoughts?

Edited Feb 19, 2018 by Drew Blessing