Sounds like something that would be better served using LDAP groups,
that way it could hook into existing infrastructure.

However, the current PADL pam implementation (last I looked anyway)
wasn't especially brilliant at providing control for lots of hosts with
lots of users. It was possible to cobble something together
using /etc/security/access.conf, but it always felt... odd. Maybe look
into updating that?

Cheers,
Edward

On Mon, 2008-01-21 at 14:36 -0800, Jos Backus wrote:
>
> The server:
> - accepts some client-generated request (containing service,
> principal/username, hostname, etc.) over TCP;
> - sends this data to a backend application;
> - receives the response ('authorized' or 'not authorized') from the
> backend;
> - relays the response to the client.
>
> The client is called by pam_exec from the account group, so it has
> access to
> the username; the realm could be supplied on the command line. The
> client
> could try multiple authorization servers to ensure availability.
>
> The backend application could simply query a database which is
> maintained by
> another application (presumably with an easy to use web frontend).
>
> Thoughts? Would I be better off using GSSAPI instead?