On Fri, Jul 11, 2014 at 08:58:10AM +0200, Michael Ströder wrote:
> HBAC is very similar to this but already done for you.
>
http://www.freeipa.org/docs/master/html-desktop/index.html#configuring-ho...
Does it also disallow LDAP read access to users/groups/sudoers which are not
allowed to login or to be used on a host?
No, it's pure access control evaluated during the PAM access phase.