SLES12 has changed the LDAP client integration a lot, as we can read in

We have a SLES11 system that restricts access by LDAP group through a pam_groupdn definition in /etc/ldap.conf.

/etc/ldap.conf is not present in SLES12, and I wonder how we can implement LDAP group restrictions with sssd.

I tried the following in the domain definition of /etc/sssd/sssd.conf

[pam]
ldap_access_filter = memberOf=cn=...

Unfortunately, this filter does not seem to be effective.

The filter_groups statement in the [nss] section only allows excluding groups, to my knowledge; we are looking for a way to include / permit only a few groups.

Regards, Thomas
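As an added example (not part of the post above, and not SUSE's documentation), here is an sssd.conf in which group-based access control is configured the way sssd expects it: the access options belong to the [domain/...] section together with an access_provider, not to [pam]. Domain name, server, base DN and group names are placeholders.

```ini
# Added example, not from the original post. Placeholder names throughout.
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE

[pam]
# No access-control options go here; [pam] only configures the responder.

[domain/EXAMPLE]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

# Variant A: access_provider = ldap. The filter is evaluated against the
# user's own LDAP entry, so it can only match on memberOf if the server
# actually populates that attribute (e.g. via a memberOf overlay). If it
# does not, the filter never matches and every login is denied.
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(memberOf=cn=admins,ou=groups,dc=example,dc=com)(memberOf=cn=ops,ou=groups,dc=example,dc=com))

# Variant B (use instead of variant A, one access_provider per domain):
# access_provider = simple resolves membership through sssd's own group
# lookups, so it works even when the directory has no memberOf attribute.
# access_provider = simple
# simple_allow_groups = admins, ops
```

After restarting sssd, test with one account in an allowed group and one outside it; a denial from the access provider shows up in the sssd pam log rather than as an authentication failure.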