One alternative that works well is to bind using NTLM. All modern distributions should have the SASL NTLM available, although perhaps not installed by default. To specify a bind mechanism use the "-Y" option, and if your username on the local machine differs from your domain username specify your username with "-U" upper-case. Specification of SASL bind paramters is entirely separate from the specification of the bind parameters for SIMPLE binds (with use "-D", etc...).
If you see a message like:
ldapsearch -Y ntlm -U fred -h dc1,example.com -b 'dc=example,dc=com' uid=fred
SASL/NTLM authentication started
Please enter your password: *****************
Text 1: An NTML bind with ldapsearch, as user "fred"
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)- then your SASL installation does not support NTLM. Most likely you do not have the correct package installed. On openSUSE the required package is cyrus-sasl-ntlm. Distributions tend to package support for each SASL mechanism separately.
additional info: SASL(-4): no mechanism available: No worthy mechs found
It should be noted that NTLM is not a perfect, or perfectly secure, authorization solution; but it fills a gap in cases where Kerberos isn't applicable. It is certainly superior to SIMPLE binding, at least because cumbersome LDAP DNs are not involved.