best point to restrict login by ldap group membership
I've an ldap userbase and are just fine tuning some of the access mechanisms. I want to principally enforce ssh access for ldap members in an administrators group, but i'm not sure where the best place to implement this restriction is. at one extreme I could control AllowGroups in sshd_config but don't want to necessarily restrict myself to only implementing a solution for ssh. Another angle could be to filter within ldap.conf, but then I would still want the flexibility to obtain the full userbase for potential use elsewhere (i'm not aware of any apps that might need this, but that's not my business, so can't be ignorant of the potential need in the future). A modification, of secondary version of the pam system-auth stack might be a good point, as various pam services can link into it fairly simply. Alternatively maybe I should prevent remote logins from non local accounts with access.conf (I do like a wide reaching policy of "remote access = remote account" across linux and network devices and such).
Vague, but if anyone is interested in the subtleties of the myriad of places to control this i'd be really interested to hear from you. Essentially it's lots of use of words like "generic" and "implicit" i'm after!