SASL authentication failure: Password verification failed (postfix + cyrus + saslauthd)

We're having difficulties authenticating over smtp, running postfix + cyrus on centos 7.

When I try to telnet to port 25 (or 587) locally and auth plain, I get the following errors in the mail log:

Sep 25 10:25:00 blabla postfix/smtpd[3858]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: Permission denied

Sep 25 10:25:00 blabla postfix/smtpd[31106]: warning: SASL authentication failure: Password verification failed

Sep 25 10:25:00 blabla postfix/smtpd[31106]: warning: unknown[::1]: SASL plain authentication failed: authentication failure

Not sure what sasldb2 has to do with anything and if that warning has any real bearing on the problem.
testsaslauthd with the same credentials returns OK.

Postfix is not running in chroot mode:

smtp inet n – n – – smtpd

smtps inet n – n – – smtpd

submission inet n – n – – smtpd
-o smtpd_sasl_auth_enable=yes

I'm using /etc/shadow for authentication, so ps aux | grep sasl says:

/usr/sbin/saslauthd -m /var/run/saslauthd -a shadow

Socket dir is /var/run/saslauthd so in main.cf, I have:

smtpd_sasl_path = /var/run/saslauthd/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
tls_random_source = dev:/dev/urandom
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_sasl_exceptions_networks =
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
check_policy_service unix:/var/spool/postfix/postgrey/socket

Finally, /etc/sasl2/smtpd.conf has:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
saslauthd_path: /var/run/saslauthd/
allow_plaintext: true

Any pointers? I am stumped…
Most of the docs I find online seem to point to chrooted postfix configs or more complicated auth methods.

Thanks!