Sorry if I asked about this before and forgot it...
Could we add an 'access ... by' variant for the client's TLS
certificate, _without_ Bind:SASL/EXTERNAL?
(To the cert's DN, I expect, but I don't know much about
certificates. Maybe there are other things to look at as well.)
That could be used to authenticate a service (an LDAP client)
rather than the user it Binds as, when the service asks the user
for password and Binds with his DN and password.
The simple way to do that is to grant access to the service's IP
address, but that's not always feasible, and gets hard to maintain.