As Matthew Swift said:
To be fair, Carole Forel's confusion does highlight that the configuration model is a bit misleading. The term mTLS simply means that both the client and the server are exchanging their certificates at the TLS layer. However, this is enabled by specifying a key-manager and client cert alias. The use-mutual-tls option actually means use SASL/External authentication, which binds the TLS layer's client certificate to an LDAP application layer identity via a bind request.
Hmmm. Maybe we should consider renaming the use-mutual-tls options to something like use-sasl-external?
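To make the two-layer distinction in the message above concrete, here is an added example (constructed for this page, not code from the thread's authors or from any directory server project). It encodes the actual LDAPv3 BindRequest that carries SASL EXTERNAL (tags per RFC 4511: SEQUENCE 0x30, [APPLICATION 0] 0x60, [3] 0xA3), parses it back, and models what a server does with it: the TLS layer only records that a peer certificate was presented, and the connection stays anonymous at the LDAP layer until an EXTERNAL bind maps that certificate to an entry. The `Connection` class, `CERT_MAPPER` dictionary and the exact-subject-DN mapping rule are simplifications assumed for illustration; real servers use a configurable certificate mapper.

```python
"""mTLS vs SASL/EXTERNAL at the LDAP layer (constructed example, not project code)."""
from dataclasses import dataclass
from typing import Optional, Tuple


# --- minimal BER helpers (definite-length encoding only) ---
def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    # Single-byte INTEGER; sufficient for messageID and protocol version (1..127).
    return tlv(0x02, v.to_bytes(1, "big"))


def ber_octets(b: bytes) -> bytes:
    return tlv(0x04, b)


def sasl_external_bind(message_id: int = 1, authzid: bytes = b"") -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "",
    authentication sasl [3] SaslCredentials { "EXTERNAL" [, credentials] } } }."""
    sasl = ber_octets(b"EXTERNAL")
    if authzid:  # optional authorization identity, e.g. b"dn:uid=...": not used below
        sasl += ber_octets(authzid)
    bind = ber_int(3) + ber_octets(b"") + tlv(0xA3, sasl)
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))


def parse_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def parse_bind_mechanism(msg: bytes) -> Optional[str]:
    """Return the SASL mechanism named in a BindRequest, or None if it is not a SASL bind."""
    tag, body, _ = parse_tlv(msg)
    if tag != 0x30:
        return None
    _, _, pos = parse_tlv(body)            # messageID
    op_tag, op, _ = parse_tlv(body, pos)
    if op_tag != 0x60:                     # not a BindRequest
        return None
    _, _, pos = parse_tlv(op)              # version
    _, _, pos = parse_tlv(op, pos)         # name (empty for SASL binds)
    auth_tag, auth, _ = parse_tlv(op, pos)
    if auth_tag != 0xA3:                   # simple bind, not SASL
        return None
    _, mech, _ = parse_tlv(auth)
    return mech.decode("ascii")


# --- server-side model (assumed, simplified) ---
@dataclass
class Connection:
    peer_cert_subject: Optional[str]   # filled in by the TLS layer if the client presented a cert
    authz_dn: str = ""                 # LDAP-layer identity; "" means anonymous


# Constructed certificate mapper: exact subject DN -> entry DN.
CERT_MAPPER = {"CN=svc-app,O=Example": "uid=svc-app,ou=services,dc=example,dc=com"}


def handle_bind(conn: Connection, msg: bytes) -> str:
    """Process a bind on an existing TLS connection; returns an LDAP result name."""
    mech = parse_bind_mechanism(msg)
    if mech != "EXTERNAL":
        return "authMethodNotSupported"  # only EXTERNAL is modelled here
    if conn.peer_cert_subject is None:
        return "inappropriateAuthentication"  # TLS session has no client cert to bind to
    entry = CERT_MAPPER.get(conn.peer_cert_subject)
    if entry is None:
        return "invalidCredentials"  # cert presented, but maps to no directory entry
    conn.authz_dn = entry
    return "success"


if __name__ == "__main__":
    conn = Connection(peer_cert_subject="CN=svc-app,O=Example")
    print("after TLS handshake, identity:", repr(conn.authz_dn))  # still anonymous
    print("bind result:", handle_bind(conn, sasl_external_bind()))
    print("after EXTERNAL bind, identity:", conn.authz_dn)
```

The point the thread makes falls out of the model: configuring a key manager and client certificate alias only changes what `peer_cert_subject` holds; nothing at the LDAP layer identifies the client until the EXTERNAL bind request is sent and mapped, which is the behaviour the `use-mutual-tls` option actually turns on.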
Ludovic Poitou proposed