On Sat, Jan 07, 2017 at 11:53:27AM +0800, Frank Yu wrote:
> # grep pam_listfile.so system-auth -A2
> auth required pam_listfile.so \
>     onerr=fail item=group sense=allow file=/etc/login.group.allowed

Without your complete pam configuration there's really no way to tell what's going on. For example, what if you have a module configured as sufficient listed above this line? pam_listfile would never even be consulted.
All I can really say is that I use pam_listfile as so:

    auth requisite pam_listfile.so item=group sense=allow file=/etc/security/authorized_groups.conf onerr=fail

and it works fine for me, with groups pulled out of LDAP, the way I have it integrated into the rest of my pam configuration. That, and you'd probably be better off taking this inquiry to the pam mailing list as your issue is most likely with pam configuration, not ldap, assuming a "getent group <groupname>" returns the group from ldap you're working with.
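
Added example, not part of the original message: a small checker that reads a PAM stack and lists the modules placed above pam_listfile.so whose control flag ends the stack on success, which is the situation described above where pam_listfile is never consulted. The sample stack is constructed for illustration, the function names are hypothetical, and the script assumes a single file: it does not follow include/substack lines or model bracketed success=N jumps.

```python
import re

# Constructed sample of an auth stack (not taken from the thread): pam_unix is
# "sufficient" and sits above pam_listfile, so a correct password ends the
# stack before the group check runs.
SAMPLE = """\
auth  required    pam_env.so
auth  sufficient  pam_unix.so nullok try_first_pass
auth  required    pam_listfile.so \\
      onerr=fail item=group sense=allow file=/etc/login.group.allowed
auth  required    pam_deny.so
account required  pam_unix.so
"""

def parse_stack(text, mgmt="auth"):
    """Return [(control, module), ...] for one management group, in order."""
    text = re.sub(r"\\\n", " ", text)          # join backslash continuations
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # type, control (keyword or [bracketed list]), module path
        m = re.match(r"-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m and m.group(1) == mgmt:
            entries.append((m.group(2), m.group(3)))
    return entries

def ends_stack_on_success(control):
    """True for 'sufficient' and for a bracketed control with success=done."""
    return control == "sufficient" or (
        control.startswith("[") and "success=done" in control)

def modules_shadowing(text, target="pam_listfile.so", mgmt="auth"):
    """Modules above `target` that can return success before it is consulted."""
    shadowing = []
    for control, module in parse_stack(text, mgmt):
        if module.endswith(target):
            return shadowing
        if ends_stack_on_success(control):
            shadowing.append(module)
    return None  # target not present in this stack

if __name__ == "__main__":
    print(modules_shadowing(SAMPLE))
```

An empty list means nothing above pam_listfile.so can short-circuit it; None means the module is not in that stack at all.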