I had a lot of success last night with getting LDAP working with Authentication and mail routing. Unfortunatly, I’ve managed to leave it in an instable state.
The big problem here is that I have to grok how all the parts fit together and that seems to be difficult for me right now. It seems to me that if LDAP is going to let you authenticate using GSSAPI over SASL, they should tell you who you are. You should be able to figure out who you are. They should clearly document how identity maps between SASL and LDAP.