Restricting group pam logins
pam_login is documented but not how to allow only special users to login from LDAP DC or equal local group.
With this setting a group or user from LDAP gets only a granded login if listed in the /etc/passwd file with +@ by a user or group entry.
This is used for all PAM logins: SSH, FTP, MySQL() or what ever you use with PAM.
This is a passwd feature.