YASQ - yet another sasl question



i'm embarrassed to admit, as a veteran solaris admin, i never even heard
of sasl until i started fiddling with openldap 2 weeks ago.  and since
then it's been the bane of my existence.  at this point i've read so
much about sasl/ldap, and tried so many different things i've finally
decided i need specific help to stop the spinning in my head.  i've
surpassed information overload...

sorry to kill what seems to be a dead horse by the many previous related
posts.

software:
redhat 7.1 on amd k6-II/400
openldap 2.0.11
cyrus-sasl 1.5.24

i'd like to use ldap/pam for authenticating users.  i have no problem with
simple auth.  i have successfully created ldap entries of objectclass
posixAccount.  likewise, padl pam modules are in place and these users can
login _IF_ i have ldaps running.  these users, however, cannot change
their passwords (pam password system-auth entries assumed to be correct).
also- i can run all ldap clients if i use -x, otherwise no.

i currently don't have any 'access' lines in my slapd.conf.  it's plain
vanilla except modifying my dn.  my ldap client binaries are compiled for
sasl but don't seem to work.  i have entries in /etc/sasldb, but am extremely
confused as to whether they're unique, tied to ldap users, or local users.

i reluctantly confess (betraying my ego :) that i haven't grasped how sasl
fits into the picture.   i understand it theoretically but can't see how
it fits into this picture.  from what i've read- it seems to redundantly
provide the same consolidated authentication that pam serves  ???!

all help and insight is greatly appreciated.
jimi.