Teleport as LDAP server

[ivan-tkatchev]

Current approach to host user management by Teleport when doing ssh is broken for many reasons.

1. Existing users are not checked for RBAC. For example, if a user is created once with sudo privileges they will not be revoked even if the user's role in Teleport changes later.
2. Manual creation of users with useradd, et al conflicts with existing system settings. Same issue, again - for example, manual meddling with system settings can disable or enable sudo despite user's role in Teleport.
3. Teleport is not integrated with PAM, which means RBAC is not checked when a user session is started.

The ideal solution would be to support the LDAP protocol for Teleport proxies.
The teleport instance on the host should bind to 127.0.0.1. (Say, with a port of 3389 for example.)

PAM should be configured the speak LDAP to 127.0.0.1:3389 in this case.
The Teleport proxy will process RBAC logic as part of the PAM authorization flow.

[LDAP is a requirement because LDAP support is a standard part of PAM for all Unix systems. Developing and distributing a PAM module that uses the Teleport REST API to authorize users is not feasible.]