Needing “manager” access to an OpenLDAP LDAP directory server from a machine on which I didn’t want to have a password lying around, I set up slapd to allow the EXTERNAL SASL mechanism using a certificate. That means of course, that the user of that client machine is de facto manager, but at least she doesn’t need to know the password. I’ve updated my documentation on using the EXTERNAL mechanism, hoping it will be of use to somebody. Oh, and in case I’ve never said that before: OpenLDAP rocks! :-)