I think you could just use saslauthd to forward the password stuff to the KDC, to get whether or not they can bind?
I have read about both approaches on this list before, but I've never seen a comparison of the advantages or disadvantages. From what I recall, Howard Chu refers to saslauthd as worthless even when configuring SASL. What is the essential difference between having slapd, saslauthd, and/or the client itself performing kerberos authentication?
--Quanah
-- Quanah Gibson-Mount Principal Software Developer ITSS/Shared Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html