I've been searching everywhere for the past week and haven't found a solution.  I would like to be able to assign access to servers based upon membership in a group or role.  For example, if I create a group/role called "Web Servers", everyone in that group can access all the web servers.  Everyone in the group/role "Database Servers" would be allowed to log into the database servers.  Users can be part of multiple groups.
 
There has to be a way to do this already.  All the clients are running OpenLDAP and can already authenticate to the Directory Server.  To implement this solution, would I have to change ldap.conf or system-auth?
 
Thanks,
Jason