If you are working with Linux systems and need to restrict server login via LDAP groups, read through the following post.
Either method below should work on RHEL 5 or RHEL 6, but use only one of PAM LDAP or SSSD, never both.
LDAP Server Setup
Regardless of which method below is used, the LDAP server setup is the same: create an LDAP group containing the specific users you want to allow to authenticate to the client server.
Client Server Setup with PAM LDAP
Prerequisites
It is assumed the client server can already talk to the LDAP server.
Be sure to install the following packages:
yum install nss-pam-ldapd pam_ldap
Single LDAP Group
Append the following to /etc/ldap.conf:
pam_groupdn cn=Group Name,ou=Groups,dc=example,dc=com
Multiple LDAP Groups
Unfortunately, PAM LDAP only allows authenticating against a single LDAP group. If you want to authenticate against multiple LDAP groups, jump to the next section.
Client Server Setup with SSSD
Prerequisites
It is assumed the client server can already talk to the LDAP server.
Be sure to install the following package (the nss-pam-ldapd and pam_ldap packages can be removed):
yum install sssd
Single LDAP Group
Open /etc/sssd/sssd.conf and add the following under the [domain/default] section:
access_provider = ldap
ldap_access_filter = memberOf=cn=Group Name,ou=Groups,dc=example,dc=com
Multiple LDAP Groups
The following will allow users in LDAP groups System Administrators or Database Users to authenticate to the client server.
Open /etc/sssd/sssd.conf and add the following under the [domain/default] section:
access_provider = ldap
ldap_access_filter = (|(memberOf=cn=System Administrators,ou=Groups,dc=example,dc=com)(memberOf=cn=Database Users,ou=Groups,dc=example,dc=com))
The ldap_access_filter accepts standard LDAP filter syntax, so the filter can be as complex as you need. Be sure to restart the sssd service after any changes:
service sssd restart
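As an added example (not part of the original post), the following Python script evaluates an SSSD-style ldap_access_filter offline against constructed memberOf data, so you can check which accounts a filter admits before putting it into sssd.conf. It assumes the directory server publishes a memberOf attribute on each user entry (as Active Directory does, or OpenLDAP with the memberOf overlay); without that attribute, none of the filters above will match anyone. The sample users and the helper names parse_filter, matches and allowed_users are constructed for this example, and DN comparison is simplified to case-insensitive string equality.

```python
"""Offline evaluator for SSSD ldap_access_filter expressions (RFC 4515 subset)."""

# Constructed sample data: each user's memberOf values as a directory that
# maintains the memberOf attribute would return them. Not real directory data.
SAMPLE_USERS = {
    "alice": ["cn=System Administrators,ou=Groups,dc=example,dc=com"],
    "bob": ["cn=Database Users,ou=Groups,dc=example,dc=com",
            "cn=Developers,ou=Groups,dc=example,dc=com"],
    "carol": ["cn=Developers,ou=Groups,dc=example,dc=com"],
    "dave": [],  # LDAP account with no group membership
}


def parse_filter(text):
    """Parse a filter into nested tuples: ('&'|'|', [..]), ('!', [x]) or ('=', attr, value)."""
    text = text.strip()
    # SSSD accepts a bare "attr=value" filter without parentheses; normalise it.
    if not text.startswith("("):
        text = "(" + text + ")"
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter at offset %d" % pos)
    return node


def _peek(s, i):
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    return s[i]


def _parse(s, i):
    if _peek(s, i) != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    ch = _peek(s, i)
    if ch in "&|":                     # AND / OR over one or more sub-filters
        children = []
        i += 1
        while _peek(s, i) == "(":
            child, i = _parse(s, i)
            children.append(child)
        if _peek(s, i) != ")" or not children:
            raise ValueError("malformed %s filter at offset %d" % (ch, i))
        return (ch, children), i + 1
    if ch == "!":                      # NOT over exactly one sub-filter
        child, i = _parse(s, i + 1)
        if _peek(s, i) != ")":
            raise ValueError("malformed ! filter at offset %d" % i)
        return ("!", [child]), i + 1
    # Simple equality match: attr=value, terminated by the closing parenthesis.
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated equality filter at offset %d" % i)
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr.strip() or not value.strip():
        raise ValueError("expected attr=value at offset %d" % i)
    return ("=", attr.strip(), value.strip()), end + 1


def matches(node, attrs):
    """Evaluate a parsed filter against {attribute_name_lowercase: [values]}."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, attrs) for c in node[1])
    if kind == "|":
        return any(matches(c, attrs) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    # Attribute names are case-insensitive in LDAP; DN values are compared
    # case-insensitively here as a simplification of real DN matching.
    return any(v.lower() == value.lower() for v in attrs.get(attr.lower(), []))


def allowed_users(filter_text, users=SAMPLE_USERS):
    """Return the sorted user names the filter would admit, as SSSD's access check would."""
    node = parse_filter(filter_text)
    return sorted(name for name, groups in users.items()
                  if matches(node, {"memberof": groups}))


if __name__ == "__main__":
    single = "memberOf=cn=System Administrators,ou=Groups,dc=example,dc=com"
    multi = ("(|(memberOf=cn=System Administrators,ou=Groups,dc=example,dc=com)"
             "(memberOf=cn=Database Users,ou=Groups,dc=example,dc=com))")
    print("single group:", allowed_users(single))
    print("multiple groups:", allowed_users(multi))
```

Running the script prints the accounts each filter admits from the constructed data; the single-group filter admits only alice, the two-group OR filter admits alice and bob, and a user with no group membership (dave) is never admitted. Remember that the filter is only enforced when access_provider = ldap is set, so a missing access_provider line silently permits every LDAP user.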