diff --git a/CHANGES b/CHANGES
index 2b867bb816fe1e3ec1b946a2217c489dcd39c175..6c48d6555b91daa7066e92cb3c25c52e235292d7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -26,6 +26,7 @@ OpenLDAP 2.4.24 Engineering
 	Fixed slapd-bdb error propogation to overlays (ITS#6633)
 	Fixed slapd-ldap debug output of timeout (ITS#6721)
 	Fixed slapd-ldap DNSSRV referral chaining (ITS#6565)
+	Fixed slapd-ldap with SASL/EXTERNAL (ITS#6642)
 	Fixed slapd-ndb to honor rootpw setting (ITS#6661)
 	Fixed slapd-meta anon retry with failed auth method (ITS#6643)
 	Fixed slapd-meta rebind proc (ITS#6665)
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 1862022ab13a86c0c9142c964a62ef36723742a1..bd2c054ccb29deba61872d6800e1b9ec21f4472a 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -668,6 +668,7 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
 	LDAP		*ld = NULL;
 #ifdef HAVE_TLS
 	int		is_tls = op->o_conn->c_is_tls;
+	int		flags = li->li_flags;
 	time_t		lctime = (time_t)(-1);
 	slap_bindconf *sb;
 #endif /* HAVE_TLS */
@@ -727,11 +728,18 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
 		ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
 	}
 
+	/* if required by the bindconf configuration, force TLS */
+	if ( ( sb == &li->li_acl || sb == &li->li_idassert.si_bc ) &&
+		sb->sb_tls_ctx )
+	{
+		flags |= LDAP_BACK_F_USE_TLS;
+	}
+
 	ldap_pvt_thread_mutex_lock( &li->li_uri_mutex );
 	assert( li->li_uri_mutex_do_not_lock == 0 );
 	li->li_uri_mutex_do_not_lock = 1;
 	rs->sr_err = ldap_back_start_tls( ld, op->o_protocol, &is_tls,
-			li->li_uri, li->li_flags, li->li_nretries, &rs->sr_text );
+			li->li_uri, flags, li->li_nretries, &rs->sr_text );
 	li->li_uri_mutex_do_not_lock = 0;
 	ldap_pvt_thread_mutex_unlock( &li->li_uri_mutex );
 	if ( rs->sr_err != LDAP_SUCCESS ) {
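Review bot: The forced StartTLS at `flags |= LDAP_BACK_F_USE_TLS;` is not marked critical, so if ldap_back_start_tls treats a flags word without LDAP_BACK_F_TLS_CRITICAL as try-start (the `start` case in back-meta/config.c sets both bits together), a bindconf that explicitly configured a TLS context — the SASL/EXTERNAL case this commit fixes — could continue in cleartext when StartTLS fails, and the client certificate would simply not be presented. Consider `flags |= LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL;` so that a configured certificate is never silently bypassed; the forced `do_start_tls = 1` for the idassert bindconf in back-meta/conn.c raises the same question, though its failure handling lies past the end of that hunk. Note also that `flags` is declared under `#ifdef HAVE_TLS` like `is_tls`, so the call site must sit inside the same guard. ldap_back_prepare_conn continues outside the hunk.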
diff --git a/servers/slapd/back-meta/back-meta.h b/servers/slapd/back-meta/back-meta.h
index ee14f97dcd60b657599681bb1f6e6e37071dfb9f..a1b9476007b731ef2ce79e2ef3b5b0a04fa38355 100644
--- a/servers/slapd/back-meta/back-meta.h
+++ b/servers/slapd/back-meta/back-meta.h
@@ -274,6 +274,9 @@ typedef struct metatarget_t {
 	struct berval		mt_binddn;
 	struct berval		mt_bindpw;
 
+	/* we only care about the TLS options here */
+	slap_bindconf		mt_tls;
+
 	slap_idassert_t		mt_idassert;
 #define	mt_idassert_mode	mt_idassert.si_mode
 #define	mt_idassert_authcID	mt_idassert.si_bc.sb_authcId
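Review bot: The new `mt_tls` member will hold strings and a TLS context filled in by bindconf_tls_parse / bindconf_tls_defaults, but the commit does not show where they are released when a target is torn down; unless the target destructor already frees a full slap_bindconf, this is a leak per target at shutdown or config reload. The comment could state the ownership explicitly, e.g. `/* per-target TLS options from "tls <what> [tls_*=...]"; only the sb_tls_* members are used; owned and released with the target */`, and the matching teardown change (likely a bindconf_free call, presumably in the target cleanup) should accompany this field. The struct definition starts before the hunk.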
diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
index fecc0a4e89c283163785bda7527ff9d485017092..e6de08a8ebec085754efaf606f7b7ebbac0e5d8c 100644
--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@@ -620,7 +620,7 @@ meta_back_db_config(
 				fname, lineno, 0 );
 			return 1;
 		}
-		
+
 		if ( argc != 2 ) {
 			Debug( LDAP_DEBUG_ANY,
 	"%s: line %d: missing password in \"bindpw <password>\" line\n",
@@ -709,13 +709,6 @@ meta_back_db_config(
 				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
 				: &mi->mi_flags;
 
-		if ( argc != 2 ) {
-			Debug( LDAP_DEBUG_ANY,
-		"%s: line %d: \"tls <what>\" needs 1 argument.\n",
-				fname, lineno, 0 );
-			return( 1 );
-		}
-
 		/* start */
 		if ( strcasecmp( argv[ 1 ], "start" ) == 0 ) {
 			*flagsp |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
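Review bot: Dropping the `argc != 2` guard also drops the argc < 2 check, so a bare `tls` line with no argument now reaches `strcasecmp( argv[ 1 ], "start" )`; argv[ 1 ] is then whatever follows the last token (presumably the NULL terminator of the vector), and strcasecmp on that is undefined behaviour rather than a config error. Keep the guard but relax it to a minimum: `if ( argc < 2 ) {` with the message updated to `"%s: line %d: \"tls <what> [<tls options>]\" needs at least 1 argument.\n"`. The later `argc > 2` block in this function only covers the extra-options case and does not restore this check. meta_back_db_config continues outside the hunk.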
@@ -741,6 +734,26 @@ meta_back_db_config(
 			return( 1 );
 		}
 
+		if ( argc > 2 ) {
+			metatarget_t	*mt = NULL;
+			int 		i;
+
+			if ( mi->mi_ntargets - 1 < 0 ) {
+				Debug( LDAP_DEBUG_ANY,
+		"%s: line %d: need \"uri\" directive first\n",
+					fname, lineno, 0 );
+				return 1;
+			}
+
+			mt = mi->mi_targets[ mi->mi_ntargets - 1 ];
+
+			for ( i = 2; i < argc; i++ ) {
+				if ( bindconf_tls_parse( argv[i], &mt->mt_tls ))
+					return 1;
+			}
+			bindconf_tls_defaults( &mt->mt_tls );
+		}
+
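Review bot: `mi->mi_ntargets - 1 < 0` is an unusual way to spell "no target yet"; the rest of this directive uses `mi->mi_ntargets ?` as the boolean when selecting `flagsp`, so `if ( mi->mi_ntargets == 0 ) {` reads consistently and avoids a subtraction that would wrap if the counter were ever made unsigned. On a bindconf_tls_parse failure the loop returns 1 without its own Debug line; if that helper does not log, the admin gets no indication of which `tls_*` option on the line was rejected, so a message naming `argv[i]`, `fname` and `lineno` in the style of the other error paths here would help. meta_back_db_config continues outside the hunk.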
 	} else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
 		unsigned	*flagsp = mi->mi_ntargets ?
 				&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
diff --git a/servers/slapd/back-meta/conn.c b/servers/slapd/back-meta/conn.c
index 43511baf852166ac9b960acb7abdac6fb5b956a4..7d7cc92507108e7a0c9b3f5f0e42a0e44a3aaefa 100644
--- a/servers/slapd/back-meta/conn.c
+++ b/servers/slapd/back-meta/conn.c
@@ -281,6 +281,7 @@ meta_back_init_one_conn(
 	int			do_return = 0;
 #ifdef HAVE_TLS
 	int			is_ldaps = 0;
+	int			do_start_tls = 0;
 #endif /* HAVE_TLS */
 
 	/* if the server is quarantined, and
@@ -421,12 +422,33 @@ retry_lock:;
 		META_BACK_TGT_CHASE_REFERRALS( mt ) ? LDAP_OPT_ON : LDAP_OPT_OFF );
 
 #ifdef HAVE_TLS
+	if ( !is_ldaps ) {
+		slap_bindconf *sb = NULL;
+
+		if ( ispriv ) {
+			sb = &mt->mt_idassert.si_bc;
+		} else {
+			sb = &mt->mt_tls;
+		}
+
+		if ( sb->sb_tls_do_init ) {
+			bindconf_tls_set( sb, msc->msc_ld );
+		} else if ( sb->sb_tls_ctx ) {
+			ldap_set_option( msc->msc_ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
+		}
+
+		if ( sb == &mt->mt_idassert.si_bc && sb->sb_tls_ctx ) {
+			do_start_tls = 1;
+
+		} else if ( META_BACK_TGT_USE_TLS( mt )
+			|| ( op->o_conn->c_is_tls && META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
+		{
+			do_start_tls = 1;
+		}
+	}
+
 	/* start TLS ("tls [try-]{start|propagate}" statement) */
-	if ( ( META_BACK_TGT_USE_TLS( mt )
-		|| ( op->o_conn->c_is_tls
-			&& META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
-		&& !is_ldaps )
-	{
+	if ( do_start_tls ) {
 #ifdef SLAP_STARTTLS_ASYNCHRONOUS
 		/*
 		 * use asynchronous StartTLS; in case, chase referral
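Review bot: For a privileged connection `sb` is always `&mt->mt_idassert.si_bc`, even when that bindconf carries no TLS settings, so per-target options configured through `tls <what> tls_*=...` (stored in `mt_tls`) are applied to ordinary connections but not to idassert ones; two connections to the same target may then validate the server differently, which matters most for a per-target CA setting. Unless bindconf_tls_defaults copies those settings into the idassert bindconf (not visible here), consider selecting the idassert bindconf only when it actually has TLS state: `if ( ispriv && ( mt->mt_idassert.si_bc.sb_tls_do_init || mt->mt_idassert.si_bc.sb_tls_ctx ) ) {` and otherwise falling back to `&mt->mt_tls`. The `do_start_tls` block and meta_back_init_one_conn continue past the end of the hunk.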