On Sat, Mar 16, 2013 at 2:27 PM, Dan White
<dwhite@olp.net> wrote:
In my experience, authorization is not a standardized concept, even among
servers that support sasl, ldap, and/or kerberos authentication.
In general, approaches which are most likely to bear fruit:
unix group membership
=====================
Install an ldap nss module on the server, and add objectClass posixGroup to
your group entries. Specify "member: <user_id>" for each member of the
group. Find out if a given server (such as squid) supports such authorization,
either by way of a getgrent system call (such as with openssh), or via some
pam group module during authentication.
RADIUS (freeradius ldap backend)
================================
If the server supports radius authentication, then you have flexibility in
granting authentication based on an ldap attribute or ldap group membership,
by way of its ldap backend module.
pam ldap module
===============
If the server supports pam authentication, then use an ldap pam module
(nssov, pam-nss-ldapd, or pam_ldap) to grant authentication based on
an ldap attribute or ldap group membership.
I'm not aware of a way to grant authorization solely by using kerberos.
--
Dan White
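As an added illustration of the unix-group approach above (example code, not from the original message or any of the projects it names): it simulates what an LDAP NSS module exposes to getgrent(), assuming the RFC 2307 posixGroup schema whose membership attribute is memberUid, and runs an authorization decision over a constructed LDIF sample. Entries that lack objectClass posixGroup (the groupOfNames entry here) are invisible to NSS and therefore never grant access.

```python
"""Simulate the unix-group authorization path: an LDAP NSS module exposes
only entries carrying objectClass posixGroup, and a server then authorizes
a user if the uid appears among that group's memberUid values."""
import re

# Constructed sample directory content (LDIF); not taken from a real server.
SAMPLE_LDIF = """\
dn: cn=proxyusers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: proxyusers
gidNumber: 5001
memberUid: alice
memberUid: bob

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: admins
member: uid=carol,ou=people,dc=example,dc=com
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercase attr -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def posix_groups(entries):
    """What an LDAP NSS module would return via getgrent(): only posixGroup
    entries, mapped cn -> set of memberUid."""
    groups = {}
    for entry in entries:
        classes = {v.lower() for v in entry.get("objectclass", [])}
        if "posixgroup" not in classes:
            continue  # groupOfNames and the like are not visible to NSS
        for name in entry.get("cn", []):
            groups[name] = set(entry.get("memberuid", []))
    return groups


def is_authorized(uid, group, entries):
    """Authorization decision: True only if group is NSS-visible and lists uid."""
    return uid in posix_groups(entries).get(group, set())
```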