LDAPv3 a nightmare

[Eric G Ortego <eric@tonychachere.com>]

I think I would like to use openldap, but
After a couple of weeks of reading up on it and trying to get a 
directory "working" I have come to the conclusion that cyrus-sasl sucks.
Even worse seems [its|my] attempt to use kerberosv5 and function.
Mabe I am the fool and simply cannot get these three to play together 
nicely but, holy shit how convoluted is this whole LDAPv3?!

Do I need a ldap directory working to get sasl binds tested or working?  
Do I also need a user in LDAP  and sasldb?
Do I need plain passwords in the ldap directory (do I even have users in 
the directory yet) to take advantage of "secure" authentication with 
sasl and avoid doing "simple" binds to ldap or useing the sasldb?
Do I need a kerberos kdc working to test if sasl [can|might] work with 
ldap kerberos binds?
How the hell am I suposed to get a client , say mozilla, to bind to ldap 
with [kerberos tickets | sasldb username | a username] anyway?
And why does sasl use pam?

I don't see how it all ties together.
<rant>
kerberos has a db, ldap has a db, sasl has a db, and they all seem to 
interoperate in some twisted formula called LDAPv3.
I thought the idea of a directory was to consolidate information in a 
central location not smear user:pw databases all over!
Seems to me that sasl is pretty useful if you like beating your face in 
with a maul laced in glass shards. Querying an openldap directory sounds 
almost as safe.
And if kerberosV5 is soo freakin badass then why the hell don't many 
applications make use of it?
Does everything still use bind v2 or am I just on the ldap bind v2 side 
of the internet?
</rant>