Rich Megginson wrote:

When you first log in to the console, and you type in your ID, the 
directory server has no credentials, and has to perform an anonymous 
search for uid=youruid to find your BIND DN.  This is the same as when 
you log in to the operating system - pam has to do a search like 
uid=youruserid as anonymous to find your BIND DN.  Not sure why 
selecting Use SSL in Console would fix that.

It does not /have/ to perform an anonymous bind, it can do a proxy bind. PAM supports this as well, just by providing it with a 'binddn' and 'bindpw' in /etc/ldap.conf.

The console should also support proxy authentication.

-Brandon