pam_ldap authentication based on pam_groupdn

Jason Lixfeld jason+lists.pam at lixfeld.ca
Mon Oct 18 02:28:33 UTC 2004


I'm wondering if someone can point out my error here.  I've got PAM 
authenticating ssh users like so:

auth            required        pam_nologin.so                  no_warn
auth            sufficient      pam_opie.so                     no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so               no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so      config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
auth            required        pam_unix.so                     no_warn try_first_pass
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so      debug
account         required        pam_unix.so
session         required        pam_permit.so
password        sufficient      /usr/local/lib/pam_ldap.so      debug
password        required        pam_unix.so                     no_warn try_first_pass

bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
host 127.0.0.1
base dc=example,dc=com
rootbinddn cn=proxyuser,dc=example,dc=com
scope one
#pam_filter objectclass=posixaccount
#pam_login_attribute uid
pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
pam_member_attribute memberuid
pam_password SSHA
nss_base_passwd         ou=users,dc=example,dc=com?one
nss_base_shadow         ou=users,dc=example,dc=com?one
nss_base_group          ou=groups,dc=example,dc=com?one

So I'm trying to permit only users who are members of the group "ssh".  
As per this ldap entry below, this one user should be the only one permitted to 
ssh in:

dn: cn=ssh,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ssh
gidNumber: 10009
memberUid: testuser.discord.ca

This isn't working.  Anyone can ssh in so I'm not sure what I'm doing 
wrong.

I have an nss_ldap.conf which the pam queries also, but will a config 
explicitly configured as I have done above override the 
nss_ldap.conf?

Any ideas?
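Added example, not part of the original post: a small model of how the PAM control keywords (required, requisite, sufficient, optional) combine, run over the account stack and the posixGroup entry quoted above. It is a constructed simulation, not pam_ldap's own code; it assumes pam_login_access.so and pam_unix.so accept the user (an ordinary unexpired account) and that pam_ldap.so's result in the stack reflects the pam_groupdn/pam_member_attribute membership test. With those assumptions it shows why a membership failure reported by a `sufficient` module does not by itself deny access when a later `required` module succeeds, and what changes when the module is `required` instead.

```python
"""Simplified PAM control-flag evaluator plus a posixGroup membership check.

Constructed model for illustration; the group entry and stack mirror the
post, the helper names (parse_ldif, group_allows, evaluate_stack) are ours.
"""

SUCCESS = "success"
FAIL = "fail"


def parse_ldif(text):
    """Parse a single-entry LDIF into {attribute_lowercase: [values]}."""
    entry = {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def group_allows(group_entry, member_attribute, user):
    """Mimic pam_groupdn: the user must be listed under pam_member_attribute."""
    return user in group_entry.get(member_attribute.lower(), [])


def evaluate_stack(stack, results):
    """Combine per-module results by control keyword; True means access granted.

    stack:   list of (control, module) in stack order
    results: dict module -> SUCCESS or FAIL for the user being checked
    """
    failed = False
    for control, module in stack:
        result = results[module]
        if control == "required":
            if result != SUCCESS:
                failed = True          # keep evaluating, deny at the end
        elif control == "requisite":
            if result != SUCCESS:
                return False           # deny immediately
        elif control == "sufficient":
            if result == SUCCESS and not failed:
                return True            # grant now, skip the remaining modules
            # a failing sufficient module is simply ignored
        elif control == "optional":
            pass                       # does not decide on its own in this model
        else:
            raise ValueError(f"unknown control keyword: {control}")
    return not failed


# Group entry quoted in the post, used here as sample input.
GROUP_LDIF = """\
dn: cn=ssh,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ssh
gidNumber: 10009
memberUid: testuser.discord.ca
"""

# Account stack as posted (module paths shortened to bare names).
ACCOUNT_STACK_POSTED = [
    ("required", "pam_login_access.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# Constructed alternative: pam_ldap's account result made required.
ACCOUNT_STACK_STRICT = [
    ("required", "pam_login_access.so"),
    ("required", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]


def account_decision(stack, user, group_ldif=GROUP_LDIF, member_attribute="memberUid"):
    """Run the account stack for `user` under the model's assumptions:
    pam_login_access and pam_unix accept the user; pam_ldap's result is the
    pam_groupdn membership test against the group entry."""
    group = parse_ldif(group_ldif)
    results = {
        "pam_login_access.so": SUCCESS,
        "pam_ldap.so": SUCCESS if group_allows(group, member_attribute, user) else FAIL,
        "pam_unix.so": SUCCESS,
    }
    return evaluate_stack(stack, results)


if __name__ == "__main__":
    for user in ("testuser.discord.ca", "someoneelse"):
        print(user,
              "posted stack:", account_decision(ACCOUNT_STACK_POSTED, user),
              "strict stack:", account_decision(ACCOUNT_STACK_STRICT, user))
```

Running it, the posted stack grants both the group member and the non-member, because the non-member's failing `sufficient` pam_ldap result is ignored and the `required` pam_unix result decides; with pam_ldap marked `required`, only the member is granted. Whether pam_ldap actually performs the pam_groupdn test in the account phase or the auth phase is not something this model settles, so the same evaluator can be pointed at the auth stack with the corresponding results.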