[389-users] anonymous access

Techie techchavez at gmail.com
Tue Jul 28 06:29:25 UTC 2009


Hello,
I am trying to altogether eliminate anonymous access to my directory.
However, in doing this my authentication fails unless I add a binddn
and bindpw to the ldap.conf on the clients.
As I understand it "bindpw" is inappropriate according to the OpenLDAP
architects.

So my situation right now looks like this. I have an ldap.conf
populated with a binddn and bindpw entry.
This allows me to remove anonymous access and authenticate to the
directory with ldap user credentials.
This is what I want, I just do not want to store a username and pass
in the ldap.conf file.

However, if I remove this binddn and bindpw entry and I disallow
anonymous access, I am unable to authenticate against the directory
using LDAP user credentials. Even though, upon attempting to log in, I am
supplying valid LDAP user credentials, it cannot find the user because
it initially binds as "nobody" or dn="" in the access log and is
unable to locate attributes due to the lack of anonymous access.

Is there a way to have LDAP use the credentials of the user logging in
to bind to the directory initially?
What are my options?
I can force SASL GSSAPI, but it is not ideal in my situation.

Thank you
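
Added illustration, not part of the original post or of the 389 project: a small Python model of the two client flows the post describes. It is not a real LDAP client and never contacts a server; the base DN, account names, passwords and the DN template are constructed for the example. It shows why a valid user password is not enough when the client first binds as dn="" and anonymous read is off, why a binddn/bindpw in ldap.conf makes the lookup succeed, and how a client that derives the user's DN from the login name and binds as the user first needs no credential stored on the client. That last flow only works when every user's DN follows the template, and the model assumes an authenticated user is allowed to read the entries it then looks up.

```python
"""Toy model of the pre-bind lookup that pam_ldap/nss_ldap style clients do.

Constructed example: an in-memory 'directory' with one access switch that
approximates the situation in the post. It is NOT an LDAP client and does
not talk to 389 Directory Server; it only models who is bound when the
user lookup happens, which is what decides whether the lookup succeeds.
"""
from dataclasses import dataclass

ANONYMOUS = ""  # LDAP convention: an empty bind DN is an anonymous bind

# Constructed sample data, not real accounts.
PEOPLE = "ou=People,dc=example,dc=com"
SAMPLE = {
    "uid=alice," + PEOPLE: {"uid": "alice", "userPassword": "alice-secret"},
    "cn=svc-lookup," + PEOPLE: {"cn": "svc-lookup", "userPassword": "svc-secret"},
}


@dataclass
class Directory:
    entries: dict                      # dn -> attributes
    allow_anonymous_read: bool = True  # may dn="" search/read the tree?

    def bind(self, dn, password):
        """Simple bind: returns the bound DN, or raises on bad credentials."""
        if dn == ANONYMOUS:
            return ANONYMOUS
        entry = self.entries.get(dn)
        if entry is None or entry.get("userPassword") != password:
            raise PermissionError("invalidCredentials")
        return dn

    def search_uid(self, bound_as, uid):
        """Subtree search for (uid=<uid>) performed as the identity `bound_as`.

        Mirrors the access log in the post: an anonymous searcher gets nothing
        back once anonymous read is disabled, so the client never learns the
        DN it needs for the second bind.  Assumption of this model: any
        authenticated identity may read the tree.
        """
        if bound_as == ANONYMOUS and not self.allow_anonymous_read:
            return None  # looks like 'user not found' to the client
        for dn, attrs in self.entries.items():
            if attrs.get("uid") == uid:
                return dn
        return None


def login_search_then_bind(directory, uid, password, svc_dn=ANONYMOUS, svc_pw=None):
    """Default client flow: bind (anonymously, or as binddn/bindpw), search
    for the user's DN, then rebind as that user with the supplied password."""
    who = directory.bind(svc_dn, svc_pw)
    user_dn = directory.search_uid(who, uid)
    if user_dn is None:
        return False  # lookup failed, so authentication fails
    try:
        directory.bind(user_dn, password)
    except PermissionError:
        return False
    return True


def login_direct_bind(directory, uid, password, dn_template):
    """Alternative flow: derive the DN from the login name and bind as the
    user first, so the only credential on the wire is the user's own.
    The template is an assumption; it only works if every user's DN has
    that shape."""
    try:
        bound = directory.bind(dn_template % uid, password)
    except PermissionError:
        return False
    # Once bound as the user, lookups run with that user's access, not anonymous.
    return directory.search_uid(bound, uid) is not None


def scenarios():
    """Outcomes for the configurations discussed in the post."""
    open_dir = Directory(dict(SAMPLE), allow_anonymous_read=True)
    locked = Directory(dict(SAMPLE), allow_anonymous_read=False)
    svc = "cn=svc-lookup," + PEOPLE
    template = "uid=%s," + PEOPLE
    return {
        # anonymous access allowed: the anonymous pre-bind lookup works
        "anon_search_open": login_search_then_bind(open_dir, "alice", "alice-secret"),
        # anonymous access removed: valid password, lookup still fails
        "anon_search_locked": login_search_then_bind(locked, "alice", "alice-secret"),
        # binddn/bindpw in ldap.conf: works, but the password sits on every client
        "svc_search_locked": login_search_then_bind(locked, "alice", "alice-secret", svc, "svc-secret"),
        # direct bind with a DN template: works with no stored client credential
        "direct_bind_locked": login_direct_bind(locked, "alice", "alice-secret", template),
        # a wrong password is still rejected under direct bind
        "direct_bind_badpw": login_direct_bind(locked, "alice", "wrong", template),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:20s} -> {'authenticated' if ok else 'FAILED'}")
```

The model deliberately keeps only the one access switch that matters here (whether dn="" may read). On a real 389 DS the equivalent question is what the ACIs grant to anonymous versus authenticated binds, and the direct-bind flow is only an option when the login name maps to the DN without a search.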