
I want only user "theuser" to be able to log in to this host.

I have tried the following in nslcd.conf:

pam_authz_search (&(objectClass=posixAccount)(IsActive=TRUE)(uid=theuser))

but everyone can log in. If instead of pam_authz_search I use the "filter" command, it works, but getent returns only one user, "theuser".

UPDATE: The OS is Ubuntu 12.10, and I'm using libpam-ldapd, NOT libpam-ldap.

3 Answers


You can control who logs into a server (regardless of the source of the user database) with the /etc/security/access.conf file. For this mechanism, you need to enable the pam_access module (generally for the account stage), either in /etc/pam.d/common-account for all services, or in something like /etc/pam.d/sshd to make it effective only for ssh connections.

Check the man pages for access.conf and pam_access for the details.
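To make the access.conf mechanism from this answer concrete, here is an added example (not code from the question, the answers, or the pam_access project) that models how pam_access walks the file: the first matching line decides, and a user who matches no line at all is granted access. That last point is the pitfall for the situation in the question: a single "+ : theuser : ALL" line changes nothing for other users unless a closing "- : ALL : ALL" line follows it. The model covers only the subset of the syntax used below ('+'/'-', login names, "(group)" entries, ALL, ALL EXCEPT, and origins matched literally or as ALL); tty names, hosts, LOCAL and netgroups are not modelled, and the rule sets and the user/group names are constructed for illustration.

```python
"""Simplified model of how pam_access evaluates /etc/security/access.conf.

Added example, not code from the original question, answers, or pam_access.
Only the syntax needed for this question is modelled; see the lead-in.
Rules take effect only once pam_access is in the account stack, e.g. a
line such as the following in /etc/pam.d/sshd or /etc/pam.d/common-account:

    account  required  pam_access.so
"""
from typing import Iterable, List, Set, Tuple

Rule = Tuple[str, List[str], List[str]]  # (permission, users, origins)


def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'permission : users : origins' lines, skipping comments and blanks."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def _covers(tokens: List[str], candidates: Set[str]) -> bool:
    """True if a users/origins token list covers any candidate.

    'ALL' matches everything; 'A B EXCEPT C D' matches if A/B match and C/D do not.
    """
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _covers(tokens[:i], candidates) and not _covers(tokens[i + 1:], candidates)
    return any(tok == "ALL" or tok in candidates for tok in tokens)


def access_allowed(rules: List[Rule], user: str,
                   groups: Iterable[str] = (), origin: str = "203.0.113.5") -> bool:
    """First matching line decides; if no line matches, pam_access grants access."""
    identities = {user, *(f"({g})" for g in groups)}
    for perm, users, origins in rules:
        if _covers(users, identities) and _covers(origins, {origin}):
            return perm == "+"
    return True


# Constructed rule sets for the situation in the question.
# Pitfall: a lone '+' line leaves every other user allowed (no line matches them).
INCOMPLETE = "+ : theuser : ALL\n"

# Correct: an explicit deny-all line after the users you want to admit.
RESTRICTED = """
# /etc/security/access.conf (constructed example)
+ : theuser : ALL
- : ALL : ALL
"""

# Equivalent single line, also admitting members of the (constructed) admins group.
SINGLE_LINE = "- : ALL EXCEPT theuser (admins) : ALL\n"


if __name__ == "__main__":
    for label, text in (("INCOMPLETE", INCOMPLETE), ("RESTRICTED", RESTRICTED), ("SINGLE_LINE", SINGLE_LINE)):
        rules = parse_access_conf(text)
        for who in ("theuser", "someone"):
            print(f"{label:12} {who:8} -> {'allow' if access_allowed(rules, who) else 'deny'}")
```

Before relying on a deny-all line, make sure an administrative account or group is listed on a '+' line above it (or in the EXCEPT list), otherwise the console and every other PAM-using service that includes pam_access will lock out root as well.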


For RHEL6, for example:

edit the /etc/pam_ldap.conf with something like:

pam_filter |(uid=myuid)

and leave /etc/nslcd.conf unmodified. This will allow you to browse all users using "id someuser" but only allow "myuid" to log in.

  • sorry, no /etc/pam_ldap.conf is used in this library. (Commented Jan 30, 2013 at 10:13)

There are also AllowUsers and AllowGroups in /etc/ssh/sshd_config, which can be used for access control, presuming they only have ssh access to the box.
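As an added example (not code from this answer or from OpenSSH), the following models how sshd applies its four allow/deny directives so that the effect of the AllowUsers suggestion can be checked against other users. The evaluation order follows sshd_config(5): DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups; each directive takes '*' and '?' wildcard patterns and, for the user directives, the USER@HOST form. The configuration snippets, the user names, and the hosts below are constructed for illustration.

```python
"""Model of how sshd applies AllowUsers/DenyUsers/AllowGroups/DenyGroups.

Added example, not code from the answer above or from OpenSSH. Order per
sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups. A login must
pass every directive that is present; everything else in sshd_config is
ignored here.
"""
import fnmatch
from typing import Dict, Iterable, List

_ACCESS_KEYWORDS = ("denyusers", "allowusers", "denygroups", "allowgroups")


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Collect the four access-control keywords (case-insensitive) into pattern lists."""
    result: Dict[str, List[str]] = {k: [] for k in _ACCESS_KEYWORDS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in result and len(parts) == 2:
            result[key].extend(parts[1].split())
    return result


def _user_matches(pattern: str, user: str, host: str) -> bool:
    """Match a USER or USER@HOST pattern with shell-style wildcards."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and fnmatch.fnmatchcase(host, hpat)
    return fnmatch.fnmatchcase(user, pattern)


def _group_matches(patterns: List[str], groups: List[str]) -> bool:
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def sshd_login_allowed(cfg: Dict[str, List[str]], user: str,
                       groups: Iterable[str] = (), host: str = "203.0.113.5") -> bool:
    """Apply the directives in sshd's documented order; True means login may proceed."""
    groups = list(groups)
    if any(_user_matches(p, user, host) for p in cfg["denyusers"]):
        return False
    if cfg["allowusers"] and not any(_user_matches(p, user, host) for p in cfg["allowusers"]):
        return False
    if _group_matches(cfg["denygroups"], groups):
        return False
    if cfg["allowgroups"] and not _group_matches(cfg["allowgroups"], groups):
        return False
    return True


# Constructed sshd_config fragments.
ONLY_THEUSER = "AllowUsers theuser\n"
DENY_FROM_NET = "DenyUsers theuser@203.0.113.*\nAllowUsers theuser\n"
USER_AND_GROUP = "AllowUsers theuser\nAllowGroups admins\n"


if __name__ == "__main__":
    cfg = parse_sshd_config(ONLY_THEUSER)
    for who in ("theuser", "someone"):
        print(f"{who:8} -> {'allow' if sshd_login_allowed(cfg, who) else 'deny'}")
```

Note that AllowUsers and AllowGroups both restrict rather than extend: with USER_AND_GROUP above, theuser must also be a member of admins. After editing the real file, `sshd -T` prints the effective configuration so the directives can be checked before reloading, and, as the answer says, this only covers ssh, not console or other PAM-based logins.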
