I have to limit logon time access for some users. I have googled and found it is possible with pam modules and time.conf.
My question is: is it possible to do the same but with groups so, instead of dealing with users, just gather these users and set limited logon time to this group?
I am using an ldap server with centos7.
Yes this can be accomplished with some work with a combination of pam_listfile and pam_time. You will have to fill in the details but here is the skeleton in your pam.conf
auth [success=1 default=ok] pam_listfile.so item=group sense=deny file=/path/to/restricted/groups onerr=fail
account required pam_time.so ...
The success=1 means, if this module returns success, then skip the next 1 module. I.e. if the user is not in any of the denied groups, don't run pam_time.so, otherwise do run it.
