And you're right, it's used directly by idassert-bind, but your openldap client may not be properly configured when you're testing, this is why I suggested to add a ldaprc file to ensure your tests are relevants.
You have noticed I copied parameters from it.

Validating that it's ok with the client let you eliminate the backend side configuration issues, so you can focus on the proxy configuration then.

As noted by Quanah, OpenLDAP 2.4 is quite old, you'd better swith to a 2.5 or 2.6.
De : fred750164@gmail.com <fred750164@gmail.com>
Envoyé : lundi 20 janvier 2025 20:00
À : openldap-technical@openldap.org <openldap-technical@openldap.org>
Objet : RE: ldap proxy
 
[Vous ne recevez pas souvent de courriers de fred750164@gmail.com. Découvrez pourquoi ceci est important à https://aka.ms/LearnAboutSenderIdentification ]

ATTENTION : Cet e-mail provient de l'extérieur de l'organisation. Ne cliquez pas sur les liens et n'ouvrez pas les pièces jointes à moins que vous ne reconnaissiez l'expéditeur et que vous sachiez que le contenu est sûr.

In my opinion, the use of the idassert-bind parameter allows the proxy server to use its own certificate for authentication and to transmit its DN via SASL EXTERNAL to the backend server.

The TLS options in this parameter specify the paths to the certificates (CERT,KEY,CA) to be used.

My interpretation may not be correct.