I'm new and stupid, but why not just put an admin account in ldap
Many sites choose to do exactly this. It depends whether you consider an
ACL override capability more useful (which it arguably is) or dangerous
(which it arguably is).
One question I pose to the list in light of recent features: Let's say you
use (2.4, ACL-aware) back-config and totally flub the ACL config. This
should be correctable with the rootdn (which will trump the broken ACL
config). If you choose to not configure a rootdn, do you find yourself in
a mandatory restart situation that might otherwise be avoided?
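As an added illustration of the recovery path described above (not code from the original post, and not from the OpenLDAP project), here is what the config database looks like in 2.4's cn=config when a rootdn has been configured for it, followed by the LDIF a practitioner would feed to ldapmodify to replace a broken olcAccess set on the main database while bound as that config rootdn. The `{SSHA}` value, the `dc=example,dc=com` suffix and the replacement ACL are placeholders I chose for the example.

```ldif
# --- cn=config as it looks when a rootdn is configured for the config
# database itself (OpenLDAP 2.4, back-config).  olcRootDN for the config
# database must be cn=config; the olcRootPW value below is a placeholder
# hash, generate a real one with `slappasswd`.
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config
olcRootPW: {SSHA}REPLACE_WITH_OUTPUT_OF_slappasswd
# Any olcAccess set here only governs non-rootdn binds to cn=config;
# the rootdn above bypasses it, which is what makes recovery possible.
olcAccess: {0}to * by * none

# --- Repair LDIF: replace whatever was flubbed in the main database's
# ACLs with a known-good set.  Applied with the config rootdn, the broken
# olcAccess entries are never consulted, so no restart is needed.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="dc=example,dc=com"
  by self write
  by users read
  by * none
```

The repair is applied with a simple bind as the config rootdn, for example `ldapmodify -x -H ldapi:/// -D cn=config -W -f repair.ldif` (the URI and file name are assumptions for this example). Without olcRootDN/olcRootPW on `olcDatabase={0}config`, the only remaining ways in are whichever identity the surviving olcAccess on cn=config still grants write to (commonly the local root user via `ldapi:///` with SASL EXTERNAL, if that rule was not the one you broke), or else editing the slapd.d files on disk and restarting.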