When you first log in to the console, and you type in your ID, the directory server has no credentials, and has to perform an anonymous search for uid=youruid to find your BIND DN. This is the same as when you log in to the operating system - pam has to do a search like uid=youruserid as anonymous to find your BIND DN. Not sure why selecting Use SSL in Console would fix that.