Ldap – PAM dynamic LDAP Authorization with groups

At the moment my PAM is integrated through LDAP with a custom authentication stack in the /etc/pam.d/systhem-auth:

auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.netgroup.allowed
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

As you can see the authorization is made by a lookup on the /etc/login.netgroup.allow file, which contains a list of LDAP groups. So, an user can login or not on this server if he belongs at least to one or more groups.

This check is made statically. I mean, the login.netgroup.allow file is immutable and it contains only a list of groups. Is there a way or any suggestion to made this check dynamically through an LDAP check? I mean, suppose I have an LDAP branch which contains an entry with the hostname of my server and a multivalue attribute containing the list of the groups associated to this server. Is it possible to made the check not to a file but directly on LDAP?

INFO:
OS: Red Hat 6.4
LDAP Client: nslcd

EDIT:
At the moment I've made it work with a custom script:

This is the system-auth of my hostname1 server:

auth        sufficient    pam_unix.so nullok try_first_pass
auth            required        pam_exec.so /usr/sbin/netgroupCheck
auth            required        pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.netgroup.allowed

I'm checking the allowed group directly on LDAP with the /usr/sbin/netgroupCheck script:

#!/usr/bin/env bash

#Allowed Netgroup File
file=/etc/login.netgroup.allowed

#LDAP Client
uri=$(cat /etc/nslcd.conf | grep uri | grep "^[^#;]" | sed 's/[^ ]* //')
oud_user=$( cat /etc/nslcd.conf | grep binddn | grep "^[^#;]" | sed 's/[^ ]* //')
oud_password=$( cat /etc/nslcd.conf | grep bindpw | grep "^[^#;]" | sed 's/[^ ]* //')
hostname=$(hostname)

#Refresh Allowed Netgroup File from LDAP
ldapsearch -LLL -D $oud_user -H $uri -w $oud_password -b "dc=base,dc=it" "(cn=$hostname)" Allowednetgroup | grep -i Allowednetgroup | sed 's/[^ ]* //' > $file

And this is the entry on LDAP:

dc: cn=hostname1,ou=servers,dc=base,dc=it
objectClass: host
objectClass: ipHost
objectClass: top
cn: hostname1
ipHostNumber: 10.10.10.10
Allowednetgroup: GROUP1
Allowednetgroup: GROUP2
Allowednetgroup: GROUP3

In this way I can edit the allowednetgroup directly on LDAP without editing them on the server.