all,

please excuse my ignorance, as i am still learning.  i have started working with mit kerberos 5 and openldap.  i have the krb5 database in ldap, have several principals created, can can authenticate using kerberos.  what i would like to accomplish is authorization based on group membership.  i am unclear on how to do this, and if this requires the use of SASL (via the cyrus-sasl packages).  am i able to create a groupofnames object, populated with kerberos principals and accomplish authorization by checking for membership of that groupofnames?  the scenario is mod_auth_kerb implemented in httpd, or access control via acl in squid.  based on group membership, certain functionality or access would be given to authenticated users.  i have read and re-read the guide included with openldap, but am still unclear about what is needed.  Below is some info about versions, etc...  thank you in advance for any guidance.

OS: Fedora: 16 x86_64
OpenLDAP: 2.4.26-8
MIT Kerberos: 1.9.4-3
Cyrus SASL: 2.1.23-27

thank you,

brendan