Disregard my response below. I misread the problem statement. I thought you were trying to filter logins based on an attribute, which is what the subject line said.
Prentice Bisbal wrote:
Anton Chu wrote:
I have a scenario where I want to set up two LDAP groups where one group can access a file on the server while the other one cannot after they log in. Can some PAM tweaks make this happen if not on the LDAP side?
Yes. See the man page for pam_ldap:
pam_groupdn <groupdn>
    Specifies the distinguished name of a group to which a user must belong for logon authorization to succeed.

pam_member_attribute <attribute>
    Specifies the attribute to use when testing a user’s membership of a group specified in the pam_groupdn option.