Hi,
We are publishing data locally via a Stratum 0.
Everything is ok and working well.
But is there any mechanism at the server level to authenticate external clients/users (we do not administer)?
Maybe based on Active Directory groups ?
In general, cvmfs is public by construction, so there is no (easy) authentication of clients. If you are only looking to restrict access to the local site, it is easiest to use a firewall to fence off access to the stratum 0 from the Internet.
(The full answer is a bit more complicated: There are some advanced authorization schemes possible using HTTPS, dedicated servers and proxies and cvmfs plugins. Setting up that infrastructure is non-trivial though and even then there are limitations and typically only data but not the meta-data is protected.)