No. It's recommended that all your SASL DNs be mapped to existing
entries in your directory, but it's not required. The SASL DN is still a
legal DN after all. If you understand what you're doing, go ahead and
use it.

Thank you both for your answers so far -- I have found posts by you two
dating back to ~2000 very helpful.
So, to follow up -- assuming I do not want to map the DN, if it is
possible, will a group acl (by group="...") referencing a group
containing the unmapped SASL DN as a member be properly resolved and
applied, or does the mapping need to be done for this resolution to
properly occur?