Did a bit more digging and found this 2006 thread:
My server is set up with local accounts and LDAP authentication. So it sounds like PLAIN is the only thing that works with LDAP authentication, unless something has changed in the past 11 years? If that's the case, then I can't resolve the finding unless I stop using LDAP, which means users have another password to manage.
That finding is a false positive; if you have this set in your console, "Required - Connections cannot be established unless they are encrypted.", then your SASL conversation is happening over an SSL-encrypted tunnel.
What is happening is the Nessus plugin runs a scan on the port, sees “PLAIN” offered in the SASL response and marks it as vulnerable without considering that it is looking at that response inside of an SSL context.