want an auth database totally separate from /etc/passwd and I'm not running any Kerberos/GSSAPI stuff. I don't think I want to do pwcheck (as that was the old pluggable mechanism, right?).

No, you don't want pwcheck.

saslauthd will do what you want, and there's no "still" because you haven't ruled out anything relevant: it still supports pluggable backends for passwords. sasldb is just a backend.