all,

please excuse my ignorance, as i am still learning.  i have started working
with mit kerberos 5 and openldap.  i have the krb5 database in ldap, have
several principals created, and can authenticate using kerberos.  what i
would like to accomplish is authorization based on group membership.  i am
unclear on how to do this, and if this requires the use of SASL (via the
cyrus-sasl packages).  am i able to create a groupofnames object, populated
with kerberos principals and accomplish authorization by checking for
membership of that groupofnames?  the scenario is mod_auth_kerb implemented
in httpd, or access control via acl in squid.  based on group membership,
certain functionality or access would be given to authenticated users.  i
have read and re-read the guide included with openldap, but am still
unclear about what is needed.  Below is some info about versions, etc...
thank you in advance for any guidance.

OS: Fedora: 16 x86_64
OpenLDAP: 2.4.26-8
MIT Kerberos: 1.9.4-3
Cyrus SASL: 2.1.23-27

thank you,

brendan
