Well, your attachment nearly broke my mail client and I couldn't read it ;) So, SASL-EXTERNAL is almost a no-op. Basically you just need to spot the case in the bind operation processing code and then ask the SSL layer for the client cert content. Then you need to do whatever you fancy doing with that information to determine bind identity and whether or not to allow the bind. AFAIK none of the above is implemented already, but it's not particularly hard or big a job.
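
The steps described in the message above, sketched as an added example (not part of the original message and not the server's own code). All names (`handle_bind`, `subject_cn`, `CERT_MAP_BASE`, `DIRECTORY`) are hypothetical, and the subject-CN-to-`uid` mapping is one assumed policy among many; the certificate is passed in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added illustration of SASL EXTERNAL handling in a toy bind path.
# Every name and the mapping policy below are assumptions for this sketch.

SUCCESS, AUTH_METHOD_NOT_SUPPORTED = 0, 7
INAPPROPRIATE_AUTH, INVALID_CREDENTIALS = 48, 49  # LDAP result codes (RFC 4511)

# Constructed directory: entry DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"disabled": False},
    "uid=bob,ou=people,dc=example,dc=com": {"disabled": True},
}
CERT_MAP_BASE = "ou=people,dc=example,dc=com"


def subject_cn(peer_cert):
    """Pull commonName from a dict shaped like ssl.SSLSocket.getpeercert()."""
    cns = [value for rdn in peer_cert.get("subject", ())
           for (attr, value) in rdn if attr == "commonName"]
    return cns[0] if len(cns) == 1 else None  # refuse ambiguous subjects


def handle_bind(mechanism, peer_cert, authzid=""):
    """Return (result_code, bind_dn) for a SASL bind request."""
    if mechanism != "EXTERNAL":
        return AUTH_METHOD_NOT_SUPPORTED, None
    # No verified client certificate from the TLS layer: EXTERNAL has no
    # credentials to use, which RFC 4513 answers with inappropriateAuthentication.
    if not peer_cert:
        return INAPPROPRIATE_AUTH, None
    cn = subject_cn(peer_cert)
    # Reject values that would change the structure of the DN built below.
    if cn is None or any(c in cn for c in ',+="\\<>;#'):
        return INVALID_CREDENTIALS, None
    bind_dn = f"uid={cn.lower()},{CERT_MAP_BASE}"
    entry = DIRECTORY.get(bind_dn)
    if entry is None or entry["disabled"]:
        return INVALID_CREDENTIALS, None
    # This sketch lets a client assert only its own identity as authzid.
    if authzid and authzid.lower() != f"dn:{bind_dn}":
        return INVALID_CREDENTIALS, None
    return SUCCESS, bind_dn


def cert(cn):
    """Constructed sample certificate in getpeercert() shape."""
    return {"subject": ((("organizationName", "Example"),), (("commonName", cn),))}
```

The sketch relies on the TLS layer having already validated the certificate chain; it decides only identity mapping and whether the bind is allowed.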