Hi codeape-
Firstly, sssd.conf is where I point nsswitch.conf to for sources of LDAP authentication. In fact, my ldap.conf has no authentication credentials in it at all. Please note that sssd.conf also supplants nslcd.conf, and that's even what RedHat themselves say you should be using. I have the nslcd daemon turned off and the sssd daemon switched on.
Secondly, if TLS is used and a proxy user with read-only permissions to the LDAP database is used, that's as good as it gets. I agree, in principle I don't like storing passwords in cleartext in configuration files, but it is what it is. Best practice as far as I can see is to create a read-only user (mine is simply called "authenticate") as a stepping-stone to facilitate authentication. It is this user which is specified in files like pam_ldap.conf.
I have some LDAP stuff on client authentication & troubleshooting I pulled off my wiki and stuck on my blog you might want to look at:
http://blog.f1linux.com/2013/04/21/h...oubleshooting/
If anybody sees any errors, omissions or potential enhancements to the above referenced documents, lemme know and I'll update it. Hope this helps you out-
Terrence
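The setup Terrence describes (sssd as the nsswitch source, a read-only proxy bind user, TLS to the directory), written out as an added sssd.conf example that is not from the post or his blog. The hostname, base DN, bind DN and CA path are assumed; only the bind user name "authenticate" comes from the post.

```ini
# /etc/sssd/sssd.conf (added example, not the poster's own file)
# sssd refuses to start unless this file is owned by root with mode 0600;
# that file permission is what stands between the cleartext bind
# password below and every other local user.
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com            ; assumed hostname
ldap_search_base = dc=example,dc=com          ; assumed base DN

; Read-only proxy account used only to look up entries; it holds no
; write rights in the directory, so leaking it exposes no more than an
; anonymous read would. The DN is assumed; "authenticate" is the name
; used in the post.
ldap_default_bind_dn = cn=authenticate,ou=services,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE_WITH_BIND_PASSWORD   ; placeholder

; Require STARTTLS and a CA-validated server certificate so the bind
; password and user hashes never cross the wire in the clear.
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt      ; assumed CA path

; Keep hashed credentials locally so logins keep working if the
; directory is unreachable.
cache_credentials = true
```

With this in place nsswitch.conf lists `sss` after `files` on the passwd, shadow and group lines, and `getent passwd <ldap-user>` is the quickest check that lookups flow through sssd rather than nslcd.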