You can use pwcheck for SASL PLAIN/LOGIN mechanism by building Cyrus SASL with pwcheck support and then adding: pwcheck_method: pwcheck in /usr/lib/sasl/slapd.conf (slapd's SASL configuration file). If OpenLDAP is configured with --enable-spasswd, then one should be able to use "{SASL}user" userPassword schema to use Cyrus SASL facilities for authenticating the user.