SASL External allows an authentication established by non-LDAP means, such as TLS, to be used in LDAP.
Threats
Re-usable credentials such as passwords are inherently weak, since anything that captures them can replay them. SASL External gives access to stronger authentication methods.
Controls
Use SASL External authentication along with client-side X.509 certificates and TLS whenever possible. This combination provides strong authentication that is protected against replay attacks.
When the LDAP client and server are running on the same machine, consider using SASL External with the LDAP-over-IPC transport described in draft-chu-ldap-ldapi-00.txt. Note that this only authenticates the operating-system account that owns the client process: the ultimate end-user may be different if the LDAP client is itself a server process (e.g. a web server).
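As an added illustration (not part of this page or of any OpenLDAP documentation), the following OpenLDAP slapd.conf fragment enables both controls above: SASL External backed by TLS client certificates, and SASL External over ldapi with the peer-process identity mapped to a directory entry. The suffix dc=example,dc=com, the file paths, the certificate subject layout and the cn=admin entry are assumptions.

```conf
# Added example: OpenLDAP slapd.conf fragment for SASL External.
# Assumed: suffix dc=example,dc=com, file paths, and client certificates
# issued under ou=people,o=example.

# --- Control 1: TLS with client-side X.509 certificates ---
TLSCACertificateFile  /etc/ldap/ca.crt
TLSCertificateFile    /etc/ldap/server.crt
TLSCertificateKeyFile /etc/ldap/server.key
# Weak setting: with "never" no client certificate is requested, so
# SASL External has no TLS identity to assert.  "demand" requires a
# certificate that chains to the CA above.
#TLSVerifyClient never
TLSVerifyClient demand

# Over TLS, SASL External presents the certificate subject DN, e.g.
# cn=alice,ou=people,o=example.  Map it onto the matching directory entry;
# a subject that matches no rule gets no authorisation DN.
authz-regexp
  ^cn=([^,]+),ou=people,o=example$
  uid=$1,ou=people,dc=example,dc=com

# --- Control 2: LDAP over IPC (ldapi://) on the same host ---
# Here SASL External yields the OS uid/gid of the peer process as
#   gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth
# This is the account that owns the client process, not necessarily the
# end user, so map only the specific account that should have rights.
authz-regexp
  ^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$
  cn=admin,dc=example,dc=com

# Client side (user ~/.ldaprc, assumed paths; TLS_CERT/TLS_KEY are
# user-only options and do not belong in the system ldap.conf):
#   TLS_CACERT /etc/ldap/ca.crt
#   TLS_CERT   /home/alice/alice.crt
#   TLS_KEY    /home/alice/alice.key
#
# Check which identity the server actually derived before granting
# anything to it:
#   ldapwhoami -ZZ -Y EXTERNAL -H ldap://ldap.example.com/
#   ldapwhoami -Y EXTERNAL -H ldapi:///
```

If ldapwhoami reports an unmapped dn such as cn=alice,ou=people,o=example or the raw gidNumber+uidNumber form, the authz-regexp rules did not match and access control will not apply the intended entry.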
Application
Apply this control when client authentication is required and the client is either on the same machine as the server or can be securely provided with an X.509 certificate and matching key.
-- AndrewFindlay - 07 Oct 2011