pam_ldap read not auth on userPassword
Redhat EL5, Openldap 2.3, nss_ldap 2.53, Zimbra 5
Problem:
When ssh'ing to a system, auth fails unless I enable read permission for
anonymous on attrs=userPassword.
If I have:
access to attrs=userPassword
by self write
by anonymous auth
Authentication fails. If I change that to:
access to attrs=userPassword
by self write
by anonymous read
Authentication succeeds.
The ldap server logs show a bind as "anonymous", an attempt to read
userPassword, and then nothing. I see no subsequent attempt to re-bind as
the dn found in the initial search.
Here is the log of a failed connection:
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=0 BIND dn="" method=128
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=0 RESULT tag=97 err=0 text=
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SRCH
base="ou=People,dc=example,dc=com" scope=1 deref=0
filter="(&(objectClass=posixAccount)(uid=dstahl))"
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SRCH attr=uid userPassword
uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
There is no subsequent rebinding as user dstahl.
I know I've missed something obvious, but for the life of me I cannot find it.
If you need additional logs or other information please let me know.
Thanks in advance,
-Don
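An added example, not part of Don's post: a small scanner that reads slapd log lines like the ones quoted above and, per connection, flags the pattern he describes (an anonymous search that lists userPassword, returns an entry, and is never followed by a BIND as the found DN). conn=20 in the sample is the quoted failed trace; conn=21 is a constructed contrast, and the regex and status names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: conn=20 is the failed trace quoted in the post (wrapped SRCH
# lines rejoined); conn=21 is a made-up contrast where a BIND as the user's DN follows.
SAMPLE_LOG = """\
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=0 BIND dn="" method=128
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=0 RESULT tag=97 err=0 text=
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=dstahl))"
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 30 14:05:02 mail slapd[22254]: conn=21 op=0 BIND dn="" method=128
Jun 30 14:05:02 mail slapd[22254]: conn=21 op=1 SRCH attr=uid uidNumber gidNumber cn homeDirectory loginShell gecos
Jun 30 14:05:02 mail slapd[22254]: conn=21 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 30 14:05:02 mail slapd[22254]: conn=21 op=2 BIND dn="uid=dstahl,ou=People,dc=example,dc=com" method=128
Jun 30 14:05:02 mail slapd[22254]: conn=21 op=2 RESULT tag=97 err=0 text=
"""

OP_RE = re.compile(r'conn=(\d+) op=\d+ (\w+)(.*)')  # one match per log line

def parse(log_text):
    """Per-connection summary of slapd BIND / SRCH / SEARCH RESULT lines."""
    conns = defaultdict(lambda: {"bound_as": "", "user_bind": None,
                                 "anon_pw_request": False, "nentries": 0})
    for m in OP_RE.finditer(log_text):
        conn, verb, rest = m.groups()
        c = conns[conn]
        if verb == "BIND":
            c["bound_as"] = re.search(r'dn="([^"]*)"', rest).group(1)  # "" = anonymous
            c["user_bind"] = c["bound_as"] or c["user_bind"]
        elif verb == "SRCH" and " attr=" in rest:
            # slapd logs what the client asked for, not what the ACL actually released
            attrs = rest.split("attr=", 1)[1].split()
            if "userPassword" in attrs and c["bound_as"] == "":
                c["anon_pw_request"] = True
        elif verb == "SEARCH":
            c["nentries"] += int(re.search(r'nentries=(\d+)', rest).group(1))
    return dict(conns)

def classify(log_text):
    """'rebind-ok': a BIND as a real DN followed; 'anon-request-no-rebind': anonymous
    search listed userPassword, got entries, no such BIND came; 'anon-only': neither."""
    def status(c):
        if c["user_bind"]:
            return "rebind-ok"
        if c["anon_pw_request"] and c["nentries"] > 0:
            return "anon-request-no-rebind"
        return "anon-only"
    return {conn: status(c) for conn, c in parse(log_text).items()}
```

Run it over a longer slapd log to see how many connections stop at the anonymous lookup versus how many go on to bind as a user DN.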