Sorry if I asked about this before and forgot it...
Could we add an 'access ... by' variant for the client's TLS certificate, _without_ Bind:SASL/EXTERNAL? (To the cert's DN, I expect, but I don't know much about certificates. Maybe there are other things to look at as well.)
That could be used to authenticate a service (an LDAP client) rather than the user it Binds as, when the service asks the user for a password and Binds with his DN and password.
The simple way to do that is to grant access to the service's IP address, but that's not always feasible, and gets hard to maintain.