Here are some thoughts on a possible bootstrapping scheme:
Also note the use of ldapi:// and -Y EXTERNAL for the initial add. The add would be allowed if the client's uid was same as server's uid.
And what would happen if one would like to build --without-cyrus-sasl?
Note that configuration is something to get started with OpenLDAP.
Ciao, Michael.