Restricting account logins using LDAP and PAM
PAM has the ability to restrict access based on an access control list (at least on Ubuntu) which, like kubanskamac's answer (+1) regards the groups as posix groups, whether they're stored in LDAP,
/etc/group or NIS.
/etc/security/access.conf is the access list file. In my file, I put at the end:
-:ALL EXCEPT root sysadmin (ssh-users):ALL
This denies everyone except root, sysadmin and in the group ssh-users (which is in LDAP) wherever they login from (the second
Then in my PAM account file (this IS an account module), I add at the very end:
account required pam_access.so
which tells PAM to use this file. It works a treat :-)
I would simply use
auth required pam_listfile.so sense=accept item=group file=/etc/groups.allow onerr=fail
to allow only specific groups (both for local and LDAP groups). This way you don't have to specify anything in
If you want to keep authorization your way, you shouldn't filter users on "account" pass. I believe you should rather do it on "auth" pass. Secondly, as you can see yourself, pam_unix processes both local and LDAP accounts (at least on the "account" pass), so it seems there is no need for pam_ldap at all.
EDIT: Thirdly, if you insist on having stuff on "account" pass (which I believe could have strange side effects), your sequence should end with: ..., "sufficient pam_ldap", "required pam_localuser", "required pam_unix". I mean, if you have any other modules, move them before pam_ldap - otherwise they would be ignored for LDAP accounts due to "sufficient" clause.