If you have linux boxes that authenticate over ldap but want logins for specific boxes to be restricted to a particular group, there is a simple way to achieve this.
Firstly, create a new file called /etc/group.login.allow (it can be called anything – you just need to update the line below to reflect the name)
In this file, pop in all the groups that should be able to login
admin group1 group2
Edit /etc/pam.d/common-auth (in ubuntu), it might be called /etc/pam.d/system-auth or something else very similar. At the top of the file (or at least above other entries, add the following line:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/group.login.allow
For the record, found this little tidbit over at the centos forums