Which all seems to work fine for my usage with one exception.   If I try to use any of the command line tools with "-Y EXTERNAL -H ldapi:///", I now get:

additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL is too weak

Is there some configuration item that I can change to allow that work while maintaining my existing policy of no anonymous binds for everything else, etc?

Thanks,