Hi all,


I'm configuring SSSD on a system to authenticate users against the LDAP server.

LDAP server side:
There are basically three options for the anonymous binding flag: 0 completely disallows anonymous binding, 1 allows anonymous binding, and 2 allows anonymous bind but allows only search operations on the root DSE entry for anonymous users.

SSSD side:
I'm providing the ldap_default_bind_dn and ldap_default_bind_authtok for the binding.

Tests:
1) If the admin changes the anonymous binding flag to "COMPLETELY DISALLOW" or "ONLY ALLOW DSE", the authentication against the LDAP server doesn't work.

From the sssd log, sssd has marked the LDAP server as "working", but sssd can't find the user in LDAP.

2) If the admin sets the anonymous binding flag to "ALLOW ANONYMOUS BINDING", the authentication against the LDAP server works.

The only difference between test 1) and test 2) is the anonymous binding flag.


I'm expecting that if I provide the binding DN and binding password in sssd.conf, the server could turn off anonymous binding completely or at least partially. Is there a known issue around this?

Version: sssd-1.9.2


Thanks,
Aaron
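
An added example, not part of the original message and not SSSD project code: a check that each LDAP domain section in sssd.conf sets both halves of the bind credential under the option names documented in sssd-ldap(5) (`ldap_default_bind_dn`, `ldap_default_authtok`), and flags near-miss option names. It assumes a domain missing either option does not perform an authenticated bind; the sample configuration and the helper name `audit_bind_config` are constructed for illustration.

```python
import configparser
import difflib

# Bind-credential options documented in sssd-ldap(5).
BIND_OPTIONS = {"ldap_default_bind_dn", "ldap_default_authtok",
                "ldap_default_authtok_type"}

# Constructed sample: host, DNs and the secret are placeholders.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=sssd-reader,dc=example,dc=com
ldap_default_bind_authtok = PLACEHOLDER_SECRET
"""

def audit_bind_config(conf_text):
    """Return {domain_section: [findings]} for LDAP domains in an sssd.conf."""
    # RawConfigParser: no '%' interpolation, so secrets are read verbatim.
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = dict(cp.items(section))
        if opts.get("id_provider") != "ldap":
            continue
        findings = [f"missing {req}"
                    for req in ("ldap_default_bind_dn", "ldap_default_authtok")
                    if not opts.get(req)]
        # Near-miss names: close to a bind option without being one.
        for name in opts:
            close = difflib.get_close_matches(name, BIND_OPTIONS, n=1, cutoff=0.8)
            if name not in BIND_OPTIONS and close:
                findings.append(f"{name} is not a documented bind option, "
                                f"closest is {close[0]}")
        report[section] = findings
    return report

if __name__ == "__main__":
    for domain, findings in audit_bind_config(SAMPLE_CONF).items():
        print(domain, findings or "bind DN and authtok both set")
```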