Originally Posted by custangro
does the EXCEPT LOCAL keyword include LDAP logins?
I'm not exactly sure. From /etc/security/access.conf inline documentation:
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches), NONE (matches no tty on non-networked logins) or
# LOCAL (matches any string that does not contain a "." character).
If that's ambiguous, I'd recommend testing it out yourself. Tail /var/log/secure and /var/log/messages for PAM chatter to determine how the attempt is being handled.
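The matching rules quoted above can be exercised offline before touching a live PAM stack. The following is an added example (not the poster's code and not pam_access itself): it implements the access.conf rule format, permission:users:origins, with the origin-field keywords exactly as the inline documentation describes them (ALL, NONE, LOCAL meaning "no '.' in the string", ".domain" suffixes, "network." prefixes, literal tty or host names) and the ALL EXCEPT ... list semantics. Note that LOCAL lives in the third field and is tested against the origin (tty or remote host), while the account, LDAP-backed or not, is matched in the second field; that is why an unqualified remote hostname such as "workstation" satisfies LOCAL in the run below. Assumptions: the sample config is constructed, @group tokens are treated as non-matching (no NSS group lookup), and the default when no rule matches is permit, which is pam_access's documented behaviour.

```python
"""Evaluate access.conf-style rules against (user, origin) pairs offline.

Constructed illustration of the origin-field matching rules quoted from the
access.conf inline documentation. It is NOT pam_access: @group lookups and
version-specific behaviour of the real module are out of scope.
"""
import re

# Constructed sample access.conf; rule 2 is the "ALL EXCEPT LOCAL" case.
SAMPLE_ACCESS_CONF = """
# permission : users : origins
+ : root : tty1 tty2
- : ALL EXCEPT root : ALL EXCEPT LOCAL
+ : ALL : ALL
"""


def _tokens(field):
    """Split a field on whitespace or commas, dropping empties."""
    return [t for t in re.split(r"[\s,]+", field.strip()) if t]


def _list_match(tokens, match_one):
    """ALL EXCEPT ... semantics: the list before EXCEPT must match and the
    list after EXCEPT (evaluated with the same rules) must not."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        idx = upper.index("EXCEPT")
        before, after = tokens[:idx], tokens[idx + 1:]
        return _list_match(before, match_one) and not _list_match(after, match_one)
    return any(match_one(t) for t in tokens)


def origin_matches(token, origin):
    """One origin token against the origin string (tty name, host or address)."""
    t = token.upper()
    if t == "ALL":
        return True
    if t == "NONE":
        return False
    if t == "LOCAL":
        # As documented: matches any string that does not contain a "."
        return "." not in origin
    if token.startswith("."):           # domain suffix, e.g. .example.com
        return origin.lower().endswith(token.lower())
    if token.endswith("."):             # network number prefix, e.g. 10.0.
        return origin.startswith(token)
    return origin.lower() == token.lower()


def user_matches(token, user):
    """One users-field token against the account name (assumption: no groups)."""
    if token.upper() == "ALL":
        return True
    if token.startswith("@"):           # @group would need a group lookup
        return False
    return token == user


def evaluate(conf_text, user, origin):
    """Permit (True) or deny (False) per the first rule whose users and origins
    fields both match; permit when nothing matches (assumed default)."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (_list_match(_tokens(users), lambda t: user_matches(t, user))
                and _list_match(_tokens(origins), lambda t: origin_matches(t, origin))):
            return perm == "+"
    return True


def demo():
    """Constructed login attempts run through the sample config."""
    attempts = [
        ("alice", "tty1"),             # console login: LOCAL matches, rule 2 skipped
        ("alice", "10.0.0.5"),         # remote by address: denied by rule 2
        ("alice", "pc.example.com"),   # remote by FQDN: denied by rule 2
        ("alice", "workstation"),      # unqualified hostname: LOCAL matches, permitted
        ("root", "10.0.0.5"),          # root is excepted from rule 2
    ]
    return {f"{u}@{o}": evaluate(SAMPLE_ACCESS_CONF, u, o) for u, o in attempts}


if __name__ == "__main__":
    for key, allowed in demo().items():
        print(f"{key:28} -> {'permit' if allowed else 'deny'}")
```

The "alice@workstation" line is the one worth watching in a real deployment: because LOCAL is defined purely by the absence of a "." in the origin string, a remote host that resolves to an unqualified name passes as local. Whether a given PAM setup hands pam_access a bare name or an address is exactly what tailing the PAM log lines, as suggested above, will tell you.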