SSH access to hosts groups based on user groups using LDAP


This is my entire test ldap database for now:

# extended LDIF
#
# LDAPv3
# base <dc=ldap,dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ldap.example.com
dn: dc=ldap,dc=example,dc=com
dc: ldap
description: Root for Test LDAP server
objectClass: top
objectClass: dcObject
objectClass: organization
o: Test

# People, ldap.example.com
dn: ou=People,dc=ldap,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
description: All people in Test

# Group, ldap.example.com
dn: ou=Group,dc=ldap,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
description: All groups in Test

# Hosts, ldap.example.com
dn: ou=Hosts,dc=ldap,dc=example,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit
description: All hosts in Test

# HostGroups, ldap.example.com
dn: ou=HostGroups,dc=ldap,dc=example,dc=com
ou: HostGroups
objectClass: top
objectClass: organizationalUnit
description: All host groups in Test

# client1, Hosts, ldap.example.com
dn: cn=client1,ou=Hosts,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: ipHost
objectClass: top
cn: client1
ipHostNumber: 192.168.56.21

# client2, Hosts, ldap.example.com
dn: cn=client2,ou=Hosts,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: ipHost
objectClass: top
cn: client2
ipHostNumber: 192.168.56.22

# client3, Hosts, ldap.example.com
dn: cn=client3,ou=Hosts,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: ipHost
objectClass: top
cn: client3
ipHostNumber: 192.168.56.23

# group1, HostGroups, ldap.example.com
dn: cn=group1,ou=HostGroups,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: authorizedServiceObject
objectClass: top
authorizedService: sshd
hostmemberIP: 192.168.56.21
hostmemberIP: 192.168.56.23
cn: group1

# group2, HostGroups, ldap.example.com
dn: cn=group2,ou=HostGroups,dc=ldap,dc=example,dc=com
objectClass: hostGroup
objectClass: authorizedServiceObject
objectClass: top
authorizedService: sshd
hostmemberIP: 192.168.56.22
cn: group2

# users, Group, ldap.example.com
dn: cn=users,ou=Group,dc=ldap,dc=example,dc=com
cn: users
objectClass: posixGroup
objectClass: top
gidNumber: 701
memberUid: abhinav
memberUid: akumar

# admins, Group, ldap.example.com
dn: cn=admins,ou=Group,dc=ldap,dc=example,dc=com
objectClass: posixGroup
objectClass: top
gidNumber: 702
cn: admins
memberUid: abhinavk

# abhinav, People, ldap.example.com
dn: uid=abhinav,ou=People,dc=ldap,dc=example,dc=com
uid: abhinav
cn: abhinav
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 1000
gidNumber: 701
homeDirectory: /home/abhinav
loginShell: /bin/bash
gecos: abhinav
userPassword:: e1NTSEF9NitwODhYZHZnSjliZnJKcElHamdteXhsdUJDSlorNmI=

# akumar, People, ldap.example.com
dn: uid=akumar,ou=People,dc=ldap,dc=example,dc=com
uid: akumar
cn: akumar
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 1001
gidNumber: 701
homeDirectory: /home/akumar
loginShell: /bin/bash
gecos: akumar
userPassword:: e1NTSEF9NVdJdS9yTkIrUlRWelJJMWxHY2UvVzJXNGxmUjYwZ04=

# abhinavk, People, ldap.example.com
dn: uid=abhinavk,ou=People,dc=ldap,dc=example,dc=com
uid: abhinavk
cn: abhinavk
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 1002
gidNumber: 702
homeDirectory: /home/abhinavk
loginShell: /bin/bash
gecos: abhinavk
userPassword:: e1NTSEF9NVdJdS9yTkIrUlRWelJJMWxHY2UvVzJXNGxmUjYwZ04=

# search result
search: 2
result: 0 Success

# numResponses: 16
# numEntries: 15

There can be n number of host groups and m number of user groups.

So is it possible to allow specific user groups to access only specific host groups?

For example:

  • the group cn=admins,ou=Group,dc=ldap,dc=example,dc=com should be able to access all hosts under hostgroup cn=group1,ou=HostGroups,dc=ldap,dc=example,dc=com and "cn=group2,ou=HostGroups,dc=ldap,dc=example,dc=com"

  • the group cn=users,ou=Group,dc=ldap,dc=example,dc=com should only be able to access hosts under hostgroup cn=group1,ou=HostGroups,dc=ldap,dc=example,dc=com.

I tried searching online for help but couldn't find anything helpful.

The above LDAP structure is based on my understanding of this post here.

The LDAP server and client OS is CentOS 6.x, and the LDAP server version is openldap-servers-2.4.39-8.el6.x86_64.

I have been stuck on this since Friday. I am guessing something needs to be done with ACLs on the LDAP server and the base search URL on the LDAP clients, but I am really not sure what exactly needs to be done.

Update to this

Reading this post here gave me an idea: drop host groups entirely and instead use normal groups for each host type. I started from scratch (but with a structure very similar to the one above), created an object class groupOfMembers (basically posixGroup with a member field in it), and started making groups and users part of it.

For example:

# gt1, Group, ldap.example.com
dn: cn=gt1,ou=Group,dc=ldap,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfMembers
objectClass: top
gidNumber: 703
cn: gt1
member: cn=admins,ou=Group,dc=ldap,dc=example,dc=com
member: cn=user1,ou=People,dc=ldap,dc=example,dc=com
member: cn=users,ou=Group,dc=ldap,dc=example,dc=com

admins and users are other groups with members, and user1 is a user account. I also added this to the /etc/pam_ldap.conf file on the client side:

pam_groupdn cn=gt1,ou=Group,dc=ldap,dc=example,dc=com
pam_member_attribute member

Now when I log in with user user1, I am able to, but when I try this with the other users admin (part of the admins group) and appuser (part of the users group), I get this error message:

You must be a member of cn=gt1,ou=Group,dc=ldap,dc=example,dc=com to login.

Is there any way I can use another group's DN in the member field of a group and make pam_ldap work with it?

Best Answer

The hostgroup mechanism is part of the tcpwrapper structure. That said, tcpwrapper does not know about user logins and only handles pairs of IP hosts and their access rights.

While sshd can use tcpwrapper for host-based access control, these limitations of tcpwrapper are of course inherited.

I have found that simply generating config file snippets from LDAP with a script is sometimes a good solution. There are also other ways to solve this, i.e. you could make nslcd (for libpam-ldapd) on the servers use LDAP filters that only allow them to load users of a related group.
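The answer's first suggestion, generating per-host config snippets from LDAP, as an added example that is not the answerer's code. It parses an LDIF dump in the question's layout (a constructed sample is embedded, trimmed to the attributes the logic needs), applies the user-group-to-host-group policy from the question's own example (admins reach group1 and group2, users reach only group1; this mapping is an assumption held by the script, since the question's schema has no attribute for it), and emits for each host an sshd `AllowGroups` line plus an nslcd `filter passwd` line that only resolves the permitted users. `nobody-permitted` is a placeholder group name chosen here so that a host with no permitted groups denies everyone; `AllowGroups` requires that the LDAP groups be resolvable through NSS on each host, which is the case for the nss_ldap / nslcd setup the question describes.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF in the question's layout (hosts, host groups, posixGroups).
SAMPLE_LDIF = """\
dn: cn=client1,ou=Hosts,dc=ldap,dc=example,dc=com
ipHostNumber: 192.168.56.21

dn: cn=client2,ou=Hosts,dc=ldap,dc=example,dc=com
ipHostNumber: 192.168.56.22

dn: cn=group1,ou=HostGroups,dc=ldap,dc=example,dc=com
cn: group1
hostmemberIP: 192.168.56.21

dn: cn=group2,ou=HostGroups,dc=ldap,dc=example,dc=com
cn: group2
hostmemberIP: 192.168.56.22

dn: cn=users,ou=Group,dc=ldap,dc=example,dc=com
cn: users
memberUid: abhinav
memberUid: akumar

dn: cn=admins,ou=Group,dc=ldap,dc=example,dc=com
cn: admins
memberUid: abhinavk
"""

# Assumed policy (user group -> host groups it may reach), from the question's example.
POLICY = {"admins": {"group1", "group2"}, "users": {"group1"}}

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.
    Handles comments, 'attr:: base64' values and continuation lines."""
    lines = []
    for raw in text.splitlines():          # unfold lines wrapped by ldapsearch
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:              # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if current is None:
            current = defaultdict(list)
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current[attr.strip()].append(value.strip())
    return entries

def build_allow_map(entries, policy):
    """Return ({host_ip: sorted permitted user groups}, {user group: set of uids}).
    Entries are classified by attribute, since the question's host entries carry
    both ipHost and hostGroup object classes."""
    host_ips, hostgroup_ips, user_groups = set(), {}, {}
    for e in entries:
        cn = e.get("cn", [""])[0]
        if "ipHostNumber" in e:
            host_ips.update(e["ipHostNumber"])
        elif "hostmemberIP" in e:
            hostgroup_ips[cn] = set(e["hostmemberIP"])
        elif "memberUid" in e:
            user_groups[cn] = set(e["memberUid"])
    allow = {ip: sorted(g for g, hgs in policy.items() if g in user_groups
                        and any(ip in hostgroup_ips.get(hg, ()) for hg in hgs))
             for ip in host_ips}
    return allow, user_groups

def ldap_filter_escape(value):
    """Escape RFC 4515 special characters so a uid cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def sshd_snippet(ip, groups):
    """sshd_config fragment for one host; a group that exists nowhere denies everyone."""
    return "# %s\nAllowGroups %s\n" % (ip, " ".join(groups) or "nobody-permitted")

def nslcd_passwd_filter(groups, user_groups):
    """nslcd 'filter passwd' that loads only members of the permitted groups."""
    uids = sorted({u for g in groups for u in user_groups.get(g, ())})
    if not uids:                           # matches nothing: no user can resolve
        return "filter passwd (&(objectClass=posixAccount)(!(objectClass=*)))"
    ors = "".join("(uid=%s)" % ldap_filter_escape(u) for u in uids)
    return "filter passwd (&(objectClass=posixAccount)(|%s))" % ors

if __name__ == "__main__":
    allow, user_groups = build_allow_map(parse_ldif(SAMPLE_LDIF), POLICY)
    for ip in sorted(allow):
        print(sshd_snippet(ip, allow[ip]) + nslcd_passwd_filter(allow[ip], user_groups) + "\n")
```

The sshd line is appended to /etc/ssh/sshd_config on the host it was generated for, and the nslcd line goes into that host's nslcd.conf; either one alone already enforces the policy, and using both means a user who is not permitted neither resolves as an account nor passes sshd's group check. Before deploying, `id <user>` on the host confirms that the LDAP groups named in `AllowGroups` are actually visible to NSS there. The uid escaping matters because the filter is assembled from directory data: a uid containing `*` or parentheses must not be able to widen the filter.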
