I understand SASL is a framework defined outside of OpenLDAP, and the EXTERNAL 
mechanism of SASL implies that authentication is established outside of the SASL 
mechanism, using context around the client connection. It sounds like that could 
be something like the client IP, the DN in the client certificate if using 
mutual TLS, or the gid / uid of the client when connecting over Unix sockets. 

I am looking for a way to audit that my SASL EXTERNAL configuration does not 
allow any sort of authentication through anything other than the Unix socket 
option.
I have not come across a way to configure the EXTERNAL mechanism with only the 
uid / gid method.

Is it sufficient to simply audit the ACLs and see that there is only an ACL for 
the Unix socket mechanism to be confident the server is not entertaining IP, 
TLS, or some other EXTERNAL method?

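An added example, not part of the original post: an offline audit of an slapd cn=config dump (the output of `slapcat -n 0` or an `ldapsearch -b cn=config`) for the identity sources slapd's EXTERNAL mechanism can actually draw on. Those are the ldapi peer credentials, which slapd presents as `gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth`, and the subject DN of a TLS client certificate, which slapd only asks for when `olcTLSVerifyClient` is something other than `never` (the default). A client IP address is not an EXTERNAL identity at all; it only appears in ACLs as a `peername` clause, which the script reports as informational. The two LDIF dumps embedded below are constructed for the example, as are the DNs and file paths in them; the checks themselves are the ones a reviewer would apply to a real dump.

```python
"""Offline audit of an OpenLDAP cn=config dump for SASL EXTERNAL identity sources.

Added example, not from the original post or from the OpenLDAP project. Input
is a cn=config LDIF as produced by `slapcat -n 0`; the dumps below, and every
DN, path and value in them, are constructed for the example.
"""
import base64
import re

PEERCRED = "cn=peercred,cn=external,cn=auth"      # suffix of every ldapi (unix-socket) identity
EXTERNAL = "cn=external,cn=auth"                  # suffix shared by all EXTERNAL authcDNs
# <mech> of an authcDN shaped ...,cn=<mech>,cn=auth (the pattern may be $-anchored)
SASL_AUTHCDN = re.compile(r"cn=([^,]+),cn=auth\$?\s*$", re.IGNORECASE)
ORDER_PREFIX = re.compile(r"^\{\d+\}")            # cn=config {n} ordering tag


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...]), ...] from an LDIF dump.

    Unfolds continuation lines (one leading space) and decodes base64 (::) values.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # LDIF folding: drop exactly one space
            else:
                lines.append(line)
        attrs = []
        for line in lines:
            m = re.match(r"^([^:\s]+)(::?)\s?(.*)$", line)
            if not m:
                continue
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            attrs.append((attr, value))
        dn = next((v for a, v in attrs if a.lower() == "dn"), "")
        entries.append((dn, attrs))
    return entries


def audit_external(ldif_text):
    """Return (severity, message) findings for every setting that establishes or
    uses an EXTERNAL identity other than one specific ldapi peer credential."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text):
        for attr, value in attrs:
            a = attr.lower()
            v = ORDER_PREFIX.sub("", value)
            if a == "olctlsverifyclient" and v.lower() != "never":
                # allow/try/demand/hard all let a client present a certificate; a
                # verified subject DN then becomes the EXTERNAL identity.
                findings.append(("HIGH", f"{dn}: olcTLSVerifyClient={v} enables "
                                 "TLS client-certificate EXTERNAL identities"))
            elif a == "olcauthzregexp":
                pattern = v.split()[0]         # authz-regexp <match> <replace>
                if PEERCRED in pattern.lower():
                    continue                   # the expected ldapi uid/gid mapping
                m = SASL_AUTHCDN.search(pattern)
                if m and m.group(1).lower() != "external":
                    continue                   # maps another SASL mechanism, not EXTERNAL
                findings.append(("MEDIUM", f"{dn}: olcAuthzRegexp '{pattern}' rewrites "
                                 "identities other than a specific peer credential "
                                 "(broad EXTERNAL match or certificate subject DN)"))
            elif a == "olcaccess":
                for who in re.findall(r"\bby\s+(\S+)", v, re.IGNORECASE):
                    w = who.lower()
                    if EXTERNAL in w and PEERCRED not in w:
                        findings.append(("MEDIUM", f"{dn}: olcAccess clause 'by {who}' "
                                         "matches any EXTERNAL identity, not one peer credential"))
                    elif w.startswith("peername"):
                        findings.append(("INFO", f"{dn}: olcAccess clause 'by {who}' grants "
                                         "by connection address, not by SASL identity"))
    return findings


# Constructed dump of a server that still exposes the certificate path.
SAMPLE_CONFIG = r"""
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCACertificateFile: /etc/ldap/ca.crt
olcTLSVerifyClient: try
olcAuthzRegexp: {0}gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
  cn=admin,dc=example,dc=com
olcAuthzRegexp: {1}uid=([^,]*),cn=example.com,cn=digest-md5,cn=auth
  ldap:///dc=example,dc=com??sub?(uid=$1)
olcAuthzRegexp: {2}^cn=([^,]+),ou=People,o=Example$
  ldap:///dc=example,dc=com??sub?(cn=$1)

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}mdb
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to * by dn.regex=.*,cn=external,cn=auth read by peername.ip=127.0.0.1 read by * none
"""

# Constructed dump of the same server restricted to one ldapi peer credential.
HARDENED_CONFIG = r"""
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSVerifyClient: never
olcAuthzRegexp: {0}gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
  cn=admin,dc=example,dc=com

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}mdb
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
"""

if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_external(dump))} finding(s)")
        for severity, message in audit_external(dump):
            print(f"[{severity}] {message}")
```

The static check only says what the configuration permits; confirm it on the live server with `ldapwhoami -Y EXTERNAL -H ldapi:///`, which should return the `cn=peercred,cn=external,cn=auth` identity (or whatever an olcAuthzRegexp maps it to), and with an EXTERNAL bind over ldaps using a client certificate, which should fail once `olcTLSVerifyClient` is `never`. A server still configured from slapd.conf uses the `TLSVerifyClient`, `authz-regexp` and `access to` keywords; the same three checks apply to those lines.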