I accomplish this with the pam_access module and an appropriate access.conf file on my Red Hat flavored machines.

http://linux.die.net/man/8/pam_access

http://linux.die.net/man/5/access.conf



From: "Enrico Morelli" <morelli@cerm.unifi.it>
To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
Sent: Wednesday, April 27, 2016 8:21:00 AM
Subject: [389-users] Login restrictions


Is it possible to restrict login only to those bound to a
particular group?

I tried to use the following lines in sssd.conf, but it doesn't work:

access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (gidNumber=900)

--
-------------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  Via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
  phone: +39 055 457 4269
  fax:   +39 055 457 4927
-------------------------------------------------------------



--

Patrick Landry
Director, UCSS
University of Louisiana at Lafayette
pml@louisiana.edu
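
An added example, not part of either message above: a minimal access.conf for the pam_access approach described in the reply. The group name "ldapusers" is a placeholder for the group with gidNumber 900, and the example assumes that group resolves through NSS and that the PAM service in question is sshd.

```conf
# --- /etc/security/access.conf ---
# Format:  permission : users/groups : origins
# Lines are read top to bottom and the first matching line decides.
# If no line matches, pam_access allows the login, so the file must
# end with an explicit deny-all.

# Keep root able to log in locally so a mistake in this file does not
# lock the administrator out.
+ : root : LOCAL

# Members of the permitted group may log in from any origin.
# Parentheses mark the name as a group rather than a user.
# "ldapusers" is a placeholder group name (assumption).
+ : (ldapusers) : ALL

# Everyone else is refused.
- : ALL : ALL

# --- /etc/pam.d/sshd (account stack; service name is an assumption) ---
# Without this line access.conf is never consulted.
account    required     pam_access.so
```

Confirm with `getent group ldapusers` that the group and its members are visible on the host before the deny-all line goes live, and keep an existing root session open while testing.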