Probably not quite the best description, but since I opened my big mouth last weekend, thought I should probably go ahead and propose this as a formal project.
Currently, all of the supported methods of specifying server access control with LDAP (netgroups, or pam_list) involve storing some aspect of the policy on the managed systems themselves. As a result, changes in policy require touching all impacted servers. I think it would be very useful if this could be centralized in LDAP.

Also, there is no easy way to do fine-grained control of group and role membership for LDAP managed systems and still maintain centralized management within LDAP. For example, I might want 'jason' to have access to the 'root' role on systemA, but not systemB. Or, on systemC, 'bob' should have access to different groups than on systemD. Any of the ways I can imagine doing this w/ LDAP are not particularly pretty (and have problems).

I would like to propose a project to look at methods for supporting this functionality in the current LDAP libraries. One key requirement would be that any such functionality be purely optional, and that no change in existing behavior or functionality would happen if a sysadmin elects not to use this feature. I would like endorsement from both the sysadmin and security communities since this would have impact on both.
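As an added illustration of what "host-scoped role and group membership held entirely in the directory" could look like (this is example code written for this page, not part of the proposal or any existing LDAP library): a small Python evaluator that reads LDIF-style entries and answers "may user X assume role Y on host Z?" and "which groups does user X hold on host Z?". The schema is hypothetical and invented here: role and group entries carry `memberHost` values of the form `user@host`, where the host part may use shell-style wildcards and `*` as the user part means any user. The LDIF content is constructed sample data so the code runs offline; a real deployment would fetch the entries from the directory and pass the local hostname instead of a string literal.

```python
"""Evaluate host-scoped role/group membership from LDAP-style entries.

Hypothetical schema (assumed for this example, not a standard one):
  objectClass: hostScopedRole | hostScopedGroup
  cn:          role or group name
  memberHost:  "user@host" grants; host part may contain shell-style
               wildcards, user part is exact or "*" (any user).
Anything malformed grants nothing (deny by default).
"""
import fnmatch
from collections import defaultdict

# Constructed sample data: the policy lives only in the directory,
# nothing has to be edited on systemA..systemD when it changes.
SAMPLE_LDIF = """\
dn: cn=root,ou=roles,dc=example,dc=com
objectClass: hostScopedRole
cn: root
memberHost: jason@systemA
memberHost: alice@*

dn: cn=dba,ou=groups,dc=example,dc=com
objectClass: hostScopedGroup
cn: dba
memberHost: bob@systemC
memberHost: bob@systemD

dn: cn=web,ou=groups,dc=example,dc=com
objectClass: hostScopedGroup
cn: web
memberHost: bob@systemD
memberHost: *@web-*
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one
    'attr: value' per line (no base64 '::' values or line folding)."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None          # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                # not an attribute line; ignore
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def _grants(member_host, user, host):
    """True if one memberHost value covers (user, host)."""
    who, sep, where = member_host.partition("@")
    if not sep or not who or not where:
        return False                # malformed value never grants
    if who != "*" and who != user:
        return False                # user part is exact, no wildcards
    # Host names compare case-insensitively; wildcards only on host side.
    return fnmatch.fnmatchcase(host.lower(), where.lower())


def members_on_host(entries, kind, user, host):
    """Names (cn) of all entries of objectClass `kind` that `user`
    holds on `host`."""
    names = set()
    for attrs in entries.values():
        if kind not in attrs.get("objectClass", []):
            continue
        if any(_grants(v, user, host) for v in attrs.get("memberHost", [])):
            names.update(attrs.get("cn", []))
    return names


def may_assume_role(entries, user, role, host):
    """Per-host role check, e.g. 'root' on systemA but not systemB."""
    return role in members_on_host(entries, "hostScopedRole", user, host)


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for host in ("systemA", "systemB"):
        print(f"jason root on {host}:", may_assume_role(ENTRIES, "jason", "root", host))
    for host in ("systemC", "systemD"):
        print(f"bob groups on {host}:", sorted(members_on_host(ENTRIES, "hostScopedGroup", "bob", host)))
```

The point of the evaluator is that every decision is driven by directory content plus the local hostname: moving 'jason' off systemA or giving 'bob' a group only on systemD is one LDAP modify, not a visit to each host. The deny-by-default handling of malformed `memberHost` values matters for the security side of the proposal, since a typo in a central policy entry should fail closed rather than open.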