
Re: using pam-ldap to allow ssh logins from only *some* ldap accounts (and not all)




On 12/10/21 12:31 PM, charlie derr wrote:
Hi again everyone,

Having gotten an excellent (and quite simple) response to my query about automatic homedir creation upon ssh login, I'm going to push my luck (expecting @ any moment to receive responses with RTFM or something close to that sentiment in them).

Our goal is to allow not just *any* LDAP user in our openldap (version 2.4.40) directory, but only those specified as members of a particular group (in our LDAP). We have a custom LDAP attribute (groupSR) that is attached directly to the user's entry (ou=People,uid=<user-login-name>) or we could easily also populate a "more standard" (cn=<groupname>) entry (with memberUid attributes corresponding to the "allowed SSH users") in the ou=Group branch of our directory.

Pretty sure this was set up quite some time ago here, but the colleagues who I collaborated with to do it are no longer working with me, and I can't for the life of me remember how exactly it was done...


as always, thanks so much for any assistance, as well as for all that everyone does for debian,
~c


Using pam_mkhomedir too, if you mean that.
I switched years ago to libpam-ldapd and libnss-ldapd with nslcd.
See how one can restrict the access group-wise with nslcd:
https://wiki.debian.org/LDAP/PAM#Allowing_logins_on_a_per-group_basis
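As an added illustration of the nslcd approach the reply points to (this fragment is not from the thread or from the linked wiki page), here is what the relevant part of /etc/nslcd.conf looks like for the two directory layouts the question describes. The suffix dc=example,dc=org, the LDAP server name, the group name cn=sshusers and the groupSR value "ssh" are assumptions; substitute the real ones.

```conf
# /etc/nslcd.conf (added example, not the original poster's configuration)
# Assumed names: suffix dc=example,dc=org, users under ou=People,
# groups under ou=Group, an SSH-access group cn=sshusers.
uid nslcd
gid nslcd
uri ldap://ldap.example.org/
base dc=example,dc=org
base passwd ou=People,dc=example,dc=org
base group  ou=Group,dc=example,dc=org

# Option A: authorize only accounts listed as memberUid in cn=sshusers.
# nslcd substitutes $username when pam_ldap's account stage runs; an
# empty search result means the login is denied (NSS lookups such as
# getent still resolve the user, only authorization is affected).
pam_authz_search (&(objectClass=posixGroup)(cn=sshusers)(memberUid=$username))

# Option B (use instead of A): key off the custom groupSR attribute stored
# on the user's own entry. The value "ssh" is an assumption.
#pam_authz_search (&(objectClass=posixAccount)(uid=$username)(groupSR=ssh))
```

Two things worth checking after editing the file: the search is evaluated for every PAM service whose account stage includes pam_ldap.so (on Debian, whatever pam-auth-update put in /etc/pam.d/common-account), so it gates su and local logins as well as sshd unless the filter uses the $service substitution (for instance a per-service group such as cn=pam-$service); and after restarting nslcd, try an ssh login as a user who is not in the group and confirm the denial appears in nslcd's log (running it in the foreground with nslcd -d is the quickest way to see the filter being applied).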

