My recommendations:
I was able to solve the problem by setting the pam_filter in /etc/ldap.conf:
# Filter to AND with uid=%s
pam_filter AppRoles=cn=RW,ou=ApplRoles,ou=App,ou=Applications,dc=company,dc=CH
The password will only be transmitted to the LDAP server as a new bindRequest if the user filter and the pam_filter return attributes. So the user has to be in this group to be able to check the credentials.
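
Added example (not part of the original answer, and not pam_ldap's own code): an in-memory model of the search-then-bind flow described above, showing that a user outside the RW role never reaches the bind step. The directory entries, user names, helper names and the exact layout of the combined filter string are assumptions made for this illustration; only the pam_filter value comes from the post.

```python
# In-memory model of "search with (uid AND pam_filter), then bind as the hit".
# Entries and helper names are constructed for this example.

PAM_FILTER = "AppRoles=cn=RW,ou=ApplRoles,ou=App,ou=Applications,dc=company,dc=CH"

# Constructed sample directory: DN -> attributes (multi-valued, as in LDAP).
DIRECTORY = {
    "uid=alice,ou=People,dc=company,dc=CH": {
        "uid": ["alice"],
        "AppRoles": ["cn=RW,ou=ApplRoles,ou=App,ou=Applications,dc=company,dc=CH"],
    },
    "uid=bob,ou=People,dc=company,dc=CH": {
        "uid": ["bob"],
        "AppRoles": ["cn=RO,ou=ApplRoles,ou=App,ou=Applications,dc=company,dc=CH"],
    },
}

def escape_filter_value(value):
    """Escape filter metacharacters (RFC 4515) so a login name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(username, pam_filter=PAM_FILTER):
    """Combined search filter: pam_filter ANDed with uid=<login name> (assumed layout)."""
    return "(&(%s)(uid=%s))" % (pam_filter, escape_filter_value(username))

def matches(attrs, username, pam_filter=PAM_FILTER):
    """Evaluate the combined filter; this model handles simple equality filters only."""
    attr, _, value = pam_filter.partition("=")
    in_role = any(v.lower() == value.lower() for v in attrs.get(attr, []))
    return in_role and username in attrs.get("uid", [])

def authenticate(username, password, bind):
    """Return (authenticated, bind_attempted); bind(dn, password) -> bool."""
    hits = [dn for dn, attrs in DIRECTORY.items() if matches(attrs, username)]
    if len(hits) != 1:
        # No entry returned: the password is never sent in a bindRequest.
        return False, False
    return bind(hits[0], password), True

if __name__ == "__main__":
    def demo_bind(dn, password):          # stand-in for the real bindRequest
        return password == "secret"
    print(build_filter("alice"))
    for user in ("alice", "bob", "*"):
        print(user, authenticate(user, "secret", demo_bind))
```

To check the same condition against a real directory, run the filter printed by `build_filter` through an LDAP search for the account in question: an empty result means the login is rejected before any password check.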