Commit Graph

7 Commits

Author SHA1 Message Date
Luke Howard
bb699fb819 kdc: audit requestor SID in altsecid GSS PA plugin 2022-01-04 02:30:42 +00:00
Luke Howard
b0f0ed74e8 kdc: use attribute dictionary in altsec authorizer plugin 2022-01-04 12:27:43 +11:00
Luke Howard
6b312659cb kdc: use PAC from request in _kdc_gss_finalize_pac()
Pass astgs_request_t to _kdc_gss_finalize_pac() in order to harmonize with
other functions.
2021-12-23 17:49:36 -06:00
Luke Howard
b36ac3c15e kdc: don't add REQUESTOR_SID PAC buffer for service tickets
In the altsecid GSS pre-authentication authorizer plugin, don't add the
REQUESTOR_SID PAC info buffer unless the client requested a TGT. It is not
relevant to application services.
2021-12-22 16:37:32 +11:00
Luke Howard
8590499b53 kdc: include SID in PAC with GSS authorizer
Update the sample GSS pre-authentication authorizer plugin to allow the PAC to
be pinned to the authenticating user's SID.

There is still a race condition between the time the user authenticates and the
time the SID is looked up via LDAP, but it should be sufficient as an example;
if more security is required, then users should be enrolled with their SIDs.
2021-12-22 10:36:26 +11:00
Luke Howard
971648b71e kdc: correct logic error in altsecid_gss_preauth_authorizer
Check for the absence, not presence, of a GSS credential before acquiring one
2021-08-31 11:06:32 +00:00
Luke Howard
01ef38b743 kdc: add sample GSS preauth authorization plugin
Add a sample GSS preauth authorization plugin, which will be built and
installed if OpenLDAP is available, but otherwise not enabled (by virtue of not
being installed into the plugin directory).

The plugin authorizes federated GSS preauth clients by querying an Active
Directory domain controller for the altSecurityIdentities attribute.

Once the user entry is found, the name is canonicalized by reading the
sAMAccountName attribute and concatenating it with the KDC realm.
2021-08-31 11:00:13 +00:00
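The lookup and canonicalization steps described in the commit messages above (find the AD entry whose altSecurityIdentities maps the federated Kerberos principal, read sAMAccountName, append the KDC realm, and, per the later commits, pin the user's SID into the PAC only when a TGT is requested), modelled as an added illustrative example. This is not Heimdal's altsecid plugin code. It assumes AD stores the Kerberos mapping as `Kerberos:<principal>` in altSecurityIdentities, replaces the LDAP search with a constructed in-memory table of fake entries, uses textual SIDs, and the function names (`ldap_filter_escape`, `build_altsecid_filter`, `authorize_altsecid`) are hypothetical. The one security point it adds beyond the commit text is RFC 4515 escaping: the GSS initiator name is client-controlled, so it must never be interpolated into the search filter raw.

```c
/* Added illustrative example, not Heimdal's altsecid plugin code. The in-memory
 * table stands in for the LDAP search against a domain controller; the
 * "Kerberos:<principal>" value format is an assumption about AD's mapping. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample directory entries (not real data). */
struct ad_entry {
    const char *alt_sec_id;        /* altSecurityIdentities value */
    const char *sam_account_name;  /* sAMAccountName */
    const char *object_sid;        /* objectSid, textual form for the example */
};

static const struct ad_entry directory[] = {
    { "Kerberos:alice@FEDERATED.EXAMPLE", "alice", "S-1-5-21-1-2-3-1104" },
    { "Kerberos:bob@FEDERATED.EXAMPLE",   "bob",   "S-1-5-21-1-2-3-1105" },
};

/* RFC 4515 escaping for a value interpolated into an LDAP search filter.
 * The GSS initiator name comes from the client, so '*', '(', ')' and '\'
 * are hex-escaped to prevent filter injection. Returns 0, or -1 if the
 * output buffer is too small. */
int ldap_filter_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p == '*' || *p == '(' || *p == ')' || *p == '\\') {
            if (o + 3 >= outlen) return -1;
            o += (size_t)snprintf(out + o, outlen - o, "\\%02x", *p);
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Build the filter that selects the user entry mapped to the federated
 * principal. Returns 0, or -1 on escape failure or truncation. */
int build_altsecid_filter(const char *gss_name, char *out, size_t outlen)
{
    char esc[512];
    if (ldap_filter_escape(gss_name, esc, sizeof(esc)) != 0) return -1;
    int n = snprintf(out, outlen,
                     "(&(objectClass=user)(altSecurityIdentities=Kerberos:%s))", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Canonical name is sAMAccountName concatenated with the KDC realm. */
int canonicalize_name(const char *sam, const char *realm, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s@%s", sam, realm);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Stand-in for the LDAP search: exact match on the altSecurityIdentities value. */
static const struct ad_entry *lookup(const char *gss_name)
{
    char want[512];
    if (snprintf(want, sizeof(want), "Kerberos:%s", gss_name) >= (int)sizeof(want))
        return NULL;
    for (size_t i = 0; i < sizeof(directory) / sizeof(directory[0]); i++)
        if (strcmp(directory[i].alt_sec_id, want) == 0)
            return &directory[i];
    return NULL;
}

/* Authorize an already-authenticated federated GSS client. On success writes
 * the canonical principal and, only when the client asked for a TGT, the SID
 * to pin into the PAC's REQUESTOR_SID buffer (empty otherwise, since it is not
 * relevant to application services). Returns 0 if authorized, -1 otherwise.
 * Note: as in the sample plugin, the SID is looked up after authentication,
 * so the race the commit message mentions is not removed here. */
int authorize_altsecid(const char *gss_name, const char *kdc_realm, int requesting_tgt,
                       char *princ, size_t princlen, char *sid, size_t sidlen)
{
    const struct ad_entry *e = lookup(gss_name);
    if (e == NULL) return -1;  /* no altSecurityIdentities mapping: reject */
    if (canonicalize_name(e->sam_account_name, kdc_realm, princ, princlen) != 0)
        return -1;
    if (sidlen) sid[0] = '\0';
    if (requesting_tgt && snprintf(sid, sidlen, "%s", e->object_sid) >= (int)sidlen)
        return -1;
    return 0;
}

int main(void)
{
    char filter[256], princ[128], sid[64];
    build_altsecid_filter("alice@FEDERATED.EXAMPLE", filter, sizeof(filter));
    printf("filter: %s\n", filter);
    if (authorize_altsecid("alice@FEDERATED.EXAMPLE", "KDC.EXAMPLE", 1,
                           princ, sizeof(princ), sid, sizeof(sid)) == 0)
        printf("authorized %s (sid %s)\n", princ, sid);
    return 0;
}
```

The exact-match lookup mirrors what an `(altSecurityIdentities=Kerberos:...)` equality filter does on the server side; a malicious initiator name such as `*)(cn=*` is escaped into `\2a\29\28cn=\2a` and simply fails to match rather than widening the search.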