Hello,

I am wondering if it would be possible to extend mod_auth_gssapi abilities to decode Kerberos PAC and allow finer grained access control based on groups the authenticated user is member of.
These groups can be extracted from the Kerberos PAC (i.e. without any additional ldap lookup).
Is something like this doable?

Thanks