[CentOS] ldap host attribute is ignored

Tue May 5 10:02:56 UTC 2015
Ulrich Hiller <hiller at mpia-hd.mpg.de>

Dear list members,

I have installed a CentOS 7 x86_64 system. I want to let users
authenticate against our LDAP server. This seems to be working:
LDAP usernames and passwords are accepted for the users configured
in the LDAP server. No problem.

Now I want to restrict access to users who have my CentOS machine in
their LDAP host attribute.

My problem is that this host attribute seems to be ignored. Any LDAP
user, regardless of the host attribute, can still log in.

What could be the reason? (Googling around did not lead me to a solution.)

The cache is already flushed.

Here is my configuration:

/etc/openldap/ldap.conf contains the line:
------------------------------------------
 pam_check_host_attr     yes

/etc/sssd/sssd.conf:
--------------------
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
ldap_uri = ldap://myldapserver.mydomain
ldap_search_base = o=XXXX
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = False
cache_credentials = False
ldap_tls_cacertdir = /etc/openldap/cacerts/
chpass_provider = ldap
auth_provider = ldap
ldap_tls_reqcert = never
ldap_user_search_base = ou=YYYY,o=XXXX
ldap_group_search_base = ou=YYYY,o=XXXX

access_provider = ldap
ldap_access_filter = memberOf=ou=YYYY,o=XXXX
ldap_access_order = host


/etc/pam.d/system-auth:
-----------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 200 quiet_success
#auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_sss.so      use_first_pass
auth        required      pam_deny.so
auth    sufficient      pam_unix.so     try_first_pass

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 2000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


in /etc/nscd.conf:
------------------
enable-cache            passwd          no
enable-cache            group           no
enable-cache            hosts           no
enable-cache            services        no
enable-cache            netgroup        no


/etc/nsswitch.conf:
-------------------
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss ldap

publickey:  nisplus

automount:  files sss ldap
aliases:    files nisplus


The ldap attributes of the user who can login, but should not:
--------------------------------------------------------------

dn: uid=USER1,ou=XXXX,o=YYYY
accountStatus: active
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: ibm-auxAccount
objectClass: qmailUser
objectClass: sambaSamAccount
uid: USER1
uidNumber: ****
shadowFlag: 0
shadowInactive: -1
gidNumber: ***
shadowMin: -1
shadowMax: 999999
homeDirectory: /home/USER1
sn: USER1
mail: USER1 at my.doma.in
mailHost: lmtp:unix:/var/lib/imap/socket/lmtp
shadowWarning: 7
sambaSID: *****************************************
shadowExpire: -1
mailAlternateAddress: USER1a
cn: surname lastname
gecos: surname lastname
loginShell: /bin/bash
host: another-node


What information is still missing?

Any hint is welcome.

Thank you in advance, ulrich
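Added illustration (not part of the original mail, and not SSSD's own code): a small Python model of the decision that SSSD's access provider makes when `ldap_access_order = host` is in effect. With that setting SSSD reads the user's `host` attribute values (the attribute name is configurable via `ldap_user_authorized_host`, default `host`) and compares them with the local hostname; the `pam_check_host_attr` line in /etc/openldap/ldap.conf is a pam_ldap option that pam_sss does not read, and `ldap_access_filter` is only evaluated when `filter` is also listed in `ldap_access_order`. The rules encoded below (`*` permits every host, a `!hostname` value explicitly denies that host and wins over any permit, a user with no matching value is denied, comparison is case-insensitive) follow the semantics documented for SSSD's host check; the exact evaluation order is an assumption of this example. The LDIF fragment is constructed to mirror the entry in the post.

```python
"""Model of the host-attribute access decision behind `ldap_access_order = host`.

This is an added example, not SSSD source.  Assumed rules:
  * "*"            -> access permitted on every host
  * "!<hostname>"  -> access explicitly denied on that host (wins over permits)
  * "<hostname>"   -> access permitted on that host
  * no match       -> denied
Hostnames are compared case-insensitively.
"""
import socket

# Constructed LDIF fragment with the same shape as the entry in the post.
SAMPLE_LDIF = """\
dn: uid=USER1,ou=XXXX,o=YYYY
accountStatus: active
objectClass: posixAccount
uid: USER1
mailHost: lmtp:unix:/var/lib/imap/socket/lmtp
loginShell: /bin/bash
host: another-node
"""


def parse_ldif_entry(text):
    """Return {attribute: [values]} for a single plain-text LDIF entry.

    Only the simple "attr: value" form is handled (no base64 "::" values and
    no continuation lines); the first ':' separates the attribute name so
    values such as "lmtp:unix:/..." survive intact.
    """
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def host_access(host_values, hostname):
    """Return "permit" or "deny" for this hostname under the assumed rules."""
    hostname = hostname.strip().lower()
    permitted = False
    for raw in host_values:
        value = raw.strip().lower()
        if value == "*":
            permitted = True
        elif value.startswith("!"):
            if value[1:] == hostname:
                return "deny"          # an explicit deny always wins
        elif value == hostname:
            permitted = True
    return "permit" if permitted else "deny"


def check_entry(ldif_text, hostname):
    """Parse one LDIF entry and evaluate its host attribute for hostname."""
    entry = parse_ldif_entry(ldif_text)
    return host_access(entry.get("host", []), hostname)


if __name__ == "__main__":
    # On the poster's machine (whose hostname is not "another-node") this
    # prints "deny"; on a host actually named another-node it prints "permit".
    local = socket.gethostname()
    print(f"{local}: {check_entry(SAMPLE_LDIF, local)}")
```

Running it on the CentOS box from the post shows what the configured access provider is expected to answer for USER1: the only `host` value is `another-node`, so any other hostname is denied. If pam_sss still lets the user in, the place to look is whether the account phase actually reaches pam_sss with that outcome (`account [default=bad success=ok user_unknown=ignore] pam_sss.so` only runs if the preceding `pam_succeed_if.so uid < 2000` line did not already succeed for that uid) and the sssd domain log with a raised `debug_level`.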