all,
Please excuse my ignorance, as I am still learning. I have started working with MIT Kerberos 5 and OpenLDAP. I have the krb5 database in LDAP, have several principals created, and can authenticate using Kerberos. What I would like to accomplish is authorization based on group membership. I am unclear on how to do this, and on whether this requires the use of SASL (via the cyrus-sasl packages). Am I able to create a groupOfNames object, populated with Kerberos principals, and accomplish authorization by checking for membership of that groupOfNames? The scenario is mod_auth_kerb implemented in httpd, or access control via ACL in Squid. Based on group membership, certain functionality or access would be given to authenticated users. I have read and re-read the guide included with OpenLDAP, but am still unclear about what is needed. Below is some info about versions, etc. Thank you in advance for any guidance.
OS: Fedora: 16 x86_64
OpenLDAP: 2.4.26-8
MIT Kerberos: 1.9.4-3
Cyrus SASL: 2.1.23-27
thank you,
brendan
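The authorization step the post asks about, as an added example that is not code from the original message or from any of the projects named in it: map an authenticated principal name to its directory entry via the krbPrincipalName attribute (the attribute MIT Kerberos' LDAP back end uses, per kerberos.schema), then test whether that entry's DN appears among the member values of a groupOfNames. The directory content is a constructed LDIF string so the script runs offline; the entry DNs, the realm EXAMPLE.COM and the group cn=webadmins are invented for illustration, and a real deployment would issue the equivalent LDAP searches instead of parsing a file.

```python
"""Group-membership authorization check against LDAP data.

Added example (not from the mailing-list post). Assumptions:
  * each Kerberos principal is stored in an entry carrying the
    krbPrincipalName attribute (MIT Kerberos LDAP back-end schema);
  * groups are groupOfNames objects whose 'member' values are entry DNs;
  * the name handed over by the web server after Kerberos authentication
    (e.g. REMOTE_USER) is a full principal such as alice@EXAMPLE.COM.
"""
from typing import Dict, List, Optional

# Constructed sample directory; the DNs, realm and people are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
uid: alice
krbPrincipalName: alice@EXAMPLE.COM

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
uid: bob
krbPrincipalName: bob@EXAMPLE.COM

dn: cn=webadmins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: webadmins
member: uid=alice,ou=people,dc=example,dc=com
# same attribute written with different case and spacing, to show DN normalization
member: UID=carol, OU=People, DC=example, DC=com
"""

Entry = Dict[str, List[str]]


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and drop whitespace around RDN separators.

    Enough for the simple DNs used here; a full RFC 4514 comparison also
    has to handle escaped characters and attribute-type aliases.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse minimal LDIF (no base64 values, no change records) into
    {normalized_dn: {lowercased_attribute: [values]}}."""
    lines: List[str] = []
    for raw in text.splitlines():          # unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in lines + [""]:              # the sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if "dn" in current:
                entries[normalize_dn(current.pop("dn")[0])] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def dn_for_principal(entries: Dict[str, Entry], principal: str) -> Optional[str]:
    """Return the normalized DN of the entry whose krbPrincipalName equals
    the principal. The match is exact: to Kerberos, alice@EXAMPLE.COM and
    alice@example.com are different names, so no case folding is done."""
    for dn, attrs in entries.items():
        if principal in attrs.get("krbprincipalname", []):
            return dn
    return None


def is_member(entries: Dict[str, Entry], group_dn: str, principal: str) -> bool:
    """Authorize a principal: True only if its entry is listed as a member
    of the given groupOfNames. Fails closed on an unknown principal, an
    unknown group, or an object that is not a groupOfNames."""
    group = entries.get(normalize_dn(group_dn))
    if group is None:
        return False
    if "groupofnames" not in (c.lower() for c in group.get("objectclass", [])):
        return False
    user_dn = dn_for_principal(entries, principal)
    if user_dn is None:
        return False
    return user_dn in {normalize_dn(m) for m in group.get("member", [])}


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    group = "cn=webadmins,ou=groups,dc=example,dc=com"
    for who in ("alice@EXAMPLE.COM", "bob@EXAMPLE.COM",
                "alice@example.com", "mallory@EXAMPLE.COM"):
        verdict = "allow" if is_member(directory, group, who) else "deny"
        print(f"{who:22s} -> {verdict}")
```

The check deliberately keys on the principal stored in krbPrincipalName rather than on the uid, so a user authenticates with Kerberos and is authorized by the directory without a second password; SASL is not involved in this step at all, because the web server or proxy only needs to read group membership from LDAP after Kerberos has already established who the client is.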