Ages ago, I was trying to get the pam_groupdn option in ldap.conf for pam_ldap.so to do what I want: limit access to a certain system to certain accounts (where the list of 'certain accounts' could be managed centrally, via that same ldap). It needs a 'groupOfUniqueNames' type object in the ldapserver with multiple 'uniqueMember' fields pointing at the dn of accounts that are member. I found the correct bits in a mail to the secure-shell list: RE: AllowGroups and ldap.