The primary purpose of SASL is to perform authentication. Encryption is
an optional feature, and is only supported by a subset of SASL mechanisms.

The water gets even murkier. I have been labouring under the delusion
that it is ldap which does the authentication. That is, one sends a
query from the client machine to the ldap server saying does this person
exist with this password (and, secondarily, does she have authorisation
to log in to this client)?

Or is the authentication we are talking about here that the client is
authorised to send such a query to the ldap server?

Or, yet another alternative, does the nss_ldap/pam_ldap/sasl combination
on the client convert the ldap query to a sasl query which is sent to
sasl on the server, which in turn asks the ldap server? If so, it seems
a long way round.