Restrict Login by Group
807557, Oct 16 2008 (edited Oct 27 2008)

I'm currently implementing a centralized authentication system for a mixed Linux & Solaris 10 environment using LDAP and Kerberos. One of my requirements for this is to be able to restrict logins to a specific host by a user's group membership; e.g., a user can only ssh to "host1" if he/she is a member of the group "sysadmins". On the Linux side, we're utilizing pam_access to accomplish this. I've yet to find a solution on the Solaris side that I can make work.
From some google searching, it appears that pam_projects may be usable for this purpose, but the documentation has not proved helpful to me. I've also tried porting pam_access from Linux-PAM to Solaris, and can get this close to working, but not fully working. It builds correctly (after applying some source patches found on the PAM mailing list) and can restrict based upon user and local (i.e. not from LDAP) group, but hangs attempting an LDAP lookup for groups not found locally. Unfortunately, the groups by which I need to restrict all reside within LDAP. In the interest of full disclosure, I'm using PADL's nss_ldap module in place of Sun's implementation. The NSS can obtain group information just fine (tested via getent), so that's not the problem.
Can anyone guide me on a method for meeting my ultimate goal of group-based restriction for logons? If anyone can a) point me to documentation on using pam_projects for this purpose, b) help me debug my pam_access problem, or c) help me find another adequate and working solution, I would appreciate it greatly.
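Since the Linux side of the setup relies on pam_access, the following is an added example (not from the original post or from pam_access itself) that models the first-match semantics of a pam_access-style access.conf for a subset of its syntax (ALL, user names, (group) entries, and hostnames or ALL as origins; real pam_access also handles EXCEPT, netgroups and more), so a group rule like the "sysadmins" one can be checked offline before it is deployed. The users "alice" and "bob", their group sets, and the host names are constructed.

```python
from typing import Dict, List, Set, Tuple

# Constructed access.conf (not from the post): members of "sysadmins" may log
# in from anywhere, root only from the console; the catch-all denies the rest.
ACCESS_CONF = """\
# permission : users/groups : origins
+ : root : LOCAL
+ : (sysadmins) : ALL
- : ALL : ALL
"""

# Constructed group membership, standing in for what NSS (files/LDAP) returns.
GROUPS: Dict[str, Set[str]] = {"alice": {"sysadmins", "staff"}, "bob": {"staff"}}

Rule = Tuple[bool, List[str], List[str]]  # (allow?, user items, origin items)

def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'perm : users : origins' lines; comments and blanks are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in: {raw!r}")
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def _user_matches(item: str, user: str, groups: Set[str]) -> bool:
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):  # (group) syntax
        return item[1:-1] in groups
    return item == user

def _origin_matches(item: str, origin: str) -> bool:
    # LOCAL is modelled here as the literal origin "LOCAL" (console/tty logins).
    return item == "ALL" or item == origin

def is_allowed(rules: List[Rule], user: str, origin: str,
               groups: Dict[str, Set[str]] = GROUPS) -> bool:
    """First matching rule wins, as in pam_access; no match at all means allow."""
    user_groups = groups.get(user, set())
    for allow, users, origins in rules:
        if any(_user_matches(u, user, user_groups) for u in users) and \
           any(_origin_matches(o, origin) for o in origins):
            return allow
    return True
```

Because the first matching rule wins, a configuration that lists `- : ALL : ALL` before the `(sysadmins)` line locks out the administrators too, and a file with no trailing deny-all rule admits everyone it does not explicitly mention.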