It seems there is no interest in this. That's disappointing but not unexpected. Personally, I find it reckless that slapd would accept and process packets from parties that would happily take a flame thrower to your server if it got them any advantage.
I would strongly encourage the OpenLDAP team to properly validate PKI client certificates and CLOSE THE CONNECTION if the client fails authentication.
I have made one proposal about how to add this functionality but I'm sure there are many ways to approach it.
In the meantime, I will continue using the proxy in front of slapd and would strongly recommend anyone using client certs for authentication without a dedicated CA to do the same.
In all other respects,
thanks for a great product.
Sean.