SASL_MECH EXTERNAL in system ldap.conf

[Phil Pennock <openldap-software@spodhuis.demon.nl>]

I've tried various searches of the archives for this list, so sorry if
this has come up before (and please point me to relevant URLs if so).

Is there a particular security/other reason to prohibit use of SASL_MECH
in the system-wide ldap.conf ?

Using the unix-domain socket interface, which providers the server with
peer credentials of the userid talking to the socket, I can let a user
search as themselves whilst logged in; this just requires a couple of
simple sasl-regexp rules in slapd.conf (below for completeness), but
requires _each_ user to then have an ~/.ldaprc containing:

 URI             ldapi://
 SASL_MECH       EXTERNAL
 BASE            dc=example,dc=net

Actually, the only item needed in the per-user config is the SASL_MECH,
I just keep them together for clarity.  If I could specify a default
SASL_MECH in /etc/openldap/ldap.conf then I could make this automatic
binding available to all users without further configuration by the
users.

Using 2.2.28, confirmed that libraries/libldap/init.c still sets
useronly for this option in 2.3.20.

Is there a reason to disallow this option in the system config?  Any
gotchas which might bite me hard if I change this locally?  Is it likely
to be changed in official source?

Is there a better way of achieving the same thing without deploying an
authentication infrastructure such as kerberos?

Thanks,
-Phil

sasl-regexp
  uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
  ldap:///ou=People,dc=example,dc=net??sub?(&(uidNumber=$1)(gidNumber=$2))

sasl-regexp
  uid=(.*),cn=external,cn=auth
  ldap:///ou=People,dc=example,dc=net??sub?(uid=$1)