I am setting up a Fedora Directory Server for use in our company.  Our problem now is that any user that has a posix account (which it is necessary for every user to have a posix account due web applications and our heavy use of Linux machines) can log into machines we do not want them having access to (ie production web servers, gateways, firewalls, etc etc etc). 
Yes, we could lock it down via sshd_config on the servers with the AllowUsers statement, but that would not prevent them from being able to log in on the local machine.
I have changed my ldap.conf on my linux / bsd machines to allow only the following:

pam_groupdn cn=syadmins,ou=IT,ou=Groups,dc=company,dc=tld
# Group member attribute
pam_member_attribute uniqueMember

This does and does not work.  When logging into the server with a user that is not a member of that group, I get the following warning:
You must be a uniqueMember of cn=syadmins,ou=IT,ou=Groups,dc=company,dc=tld to login
But it logs me right in.
I have posted the full ldap.conf here:
http://pastebin.com/m11b0b227
Here is the shorter version (minus all commented out stuff)
http://pastebin.com/m26f9048d

Any help or pointers would be appreciated. 



--
- Thank you,
- Jared B. Griffith
- Farheap Solutions, Inc.
- Lead Systems Administrator
- California IT Department
- Email - jared.griffith@farheap.com
- Phone - 949.417.1500 ext. 266
- Cell Phone - 949.910.6542