I've set up SSSD and OpenLDAP to successfully query ldaps://ldap.google.com. I can use ldapsearch to perform queries and can interact with the directory using both sssctl and getent. Unfortunately, all my attempts to authenticate as a user in the directory are met with the INVALID_CREDENTIALS error (LDAP error code 49). I've reproduced this behavior using a number of clients. I can observe these failures in the LDAP audit log within the GSuite admin console as:
LDAP bind with uid=brian,ou=Users,dc=XXX,dc=com failed with INVALID_CREDENTIALS.
My account does have 2-factor enabled, but I'm using an application-specific password to try and authenticate myself. I've quadruple-checked the password and even created a new one just to test this out. The Google LDAP server is behaving as though it can't authenticate.
Any ideas how I can set up secure external authentication against ldap.google.com?