diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ldap/LdapProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ldap/LdapProperties.java
index 3434507a687..6425099fe04 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ldap/LdapProperties.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ldap/LdapProperties.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -56,9 +56,10 @@ public class LdapProperties {
 	private String password;
 
 	/**
-	 * Whether read-only operations should use an anonymous environment.
+	 * Whether read-only operations should use an anonymous environment. Disabled by
+	 * default unless a username is set.
 	 */
-	private boolean anonymousReadOnly;
+	private Boolean anonymousReadOnly;
 
 	/**
 	 * LDAP specification settings.
@@ -97,11 +98,11 @@ public class LdapProperties {
 		this.password = password;
 	}
 
-	public boolean getAnonymousReadOnly() {
+	public Boolean getAnonymousReadOnly() {
 		return this.anonymousReadOnly;
 	}
 
-	public void setAnonymousReadOnly(boolean anonymousReadOnly) {
+	public void setAnonymousReadOnly(Boolean anonymousReadOnly) {
 		this.anonymousReadOnly = anonymousReadOnly;
 	}
 
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ldap/LdapAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ldap/LdapAutoConfigurationTests.java
index 71c05032024..579944dce91 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ldap/LdapAutoConfigurationTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ldap/LdapAutoConfigurationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -50,7 +50,7 @@ class LdapAutoConfigurationTests {
 		this.contextRunner.run((context) -> {
 			LdapContextSource contextSource = context.getBean(LdapContextSource.class);
 			assertThat(contextSource.getUrls()).containsExactly("ldap://localhost:389");
-			assertThat(contextSource.isAnonymousReadOnly()).isFalse();
+			assertThat(contextSource.isAnonymousReadOnly()).isTrue();
 		});
 	}
 
@@ -73,6 +73,15 @@ class LdapAutoConfigurationTests {
 				});
 	}
 
+	@Test
+	void contextSourceWithUserDoesNotEnableAnonymousReadOnly() {
+		this.contextRunner.withPropertyValues("spring.ldap.username:root").run((context) -> {
+			LdapContextSource contextSource = context.getBean(LdapContextSource.class);
+			assertThat(contextSource.getUserDn()).isEqualTo("root");
+			assertThat(contextSource.isAnonymousReadOnly()).isFalse();
+		});
+	}
+
 	@Test
 	void contextSourceWithExtraCustomization() {
 		this.contextRunner.withPropertyValues("spring.ldap.urls:ldap://localhost:123", "spring.ldap.username:root",
@@ -96,7 +105,7 @@ class LdapAutoConfigurationTests {
 			LdapContextSource contextSource = context.getBean(LdapContextSource.class);
 			assertThat(contextSource.getUserDn()).isEqualTo("");
 			assertThat(contextSource.getPassword()).isEqualTo("");
-			assertThat(contextSource.isAnonymousReadOnly()).isFalse();
+			assertThat(contextSource.isAnonymousReadOnly()).isTrue();
 			assertThat(contextSource.getBaseLdapPathAsString()).isEqualTo("");
 		});
 	}
@@ -112,7 +121,7 @@ class LdapAutoConfigurationTests {
 		this.contextRunner.withUserConfiguration(PooledContextSourceConfig.class).run((context) -> {
 			LdapContextSource contextSource = context.getBean(LdapContextSource.class);
 			assertThat(contextSource.getUrls()).containsExactly("ldap://localhost:389");
-			assertThat(contextSource.isAnonymousReadOnly()).isFalse();
+			assertThat(contextSource.isAnonymousReadOnly()).isTrue();
 		});
 	}
 
diff --git a/spring-boot-project/spring-boot-dependencies/build.gradle b/spring-boot-project/spring-boot-dependencies/build.gradle
index 121c82c14bb..8ee5e9c28f8 100644
--- a/spring-boot-project/spring-boot-dependencies/build.gradle
+++ b/spring-boot-project/spring-boot-dependencies/build.gradle
@@ -1662,7 +1662,7 @@ bom {
 			]
 		}
 	}
-	library("Spring LDAP", "2.3.2.RELEASE") {
+	library("Spring LDAP", "2.3.3.RELEASE") {
 		group("org.springframework.ldap") {
 			modules = [
 				"spring-ldap-core",