arthurdejong / nss-pam-ldapd

NSS and PAM modules for lookups using LDAP

Home Page:https://arthurdejong.org/nss-pam-ldapd/


pam_authz_search and wildcard domain names

dhartford opened this issue · comments

I'm having some problems replicating prior pam_check_host_attr=yes approaches where wildcards were used when going from CentOS 6 to CentOS 7.

The quick challenge is the following does not work:

pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=*.$dn))

But ldapsearch -x "(&(objectClass=posixAccount)(uid=myname)(host=*.group.company.com))" does work, where a host attribute value of '*.group.company.com' should allow access to all hosts with that domain name.

Explicitly putting pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=*.group.company.com)) ALSO works (when on an appropriate box), something about $dn.

Confirmed 'hostname -d' on the command line returns group.company.com, but unsure why the configuration above doesn't work.

Serverfault post: http://serverfault.com/questions/701867/centos7-pam-authz-search-for-group-company-com

nss-pam-ldapd-0.8.13-8.el7.x86_64 version with CentOS 7.

It appears maybe $dn is for ldap distinguished name, not domain name. Is there an acceptable variable for domain name?

$dn is indeed the LDAP distinguished name of the user. There is currently nothing like $domain in nslcd.conf although it shouldn't be too difficult to implement.
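Since nslcd.conf has no domain variable and the explicit form (host=*.group.company.com) is confirmed to work, one practical approach is to template the pam_authz_search line at provisioning time from the host's DNS domain, the same value hostname -d returns in the report. The following POSIX shell snippet is an added example and is not code from nss-pam-ldapd or from this issue; the function names are its own. It validates the domain and escapes LDAP filter metacharacters (RFC 4515) before writing it into the filter, so an unexpected domain value cannot change the structure of the authorization filter.

```shell
#!/bin/sh
# Added example (not part of nss-pam-ldapd): generate the pam_authz_search
# line for nslcd.conf with the host's DNS domain substituted at provisioning
# time, since nslcd.conf has no $domain variable ($dn is the user's LDAP DN).

# Escape characters with special meaning in an LDAP filter (RFC 4515):
# backslash, asterisk and parentheses. Without this, a domain string
# containing e.g. ')' would alter the filter rather than just the value.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Accept only a plausible DNS domain: labels of letters, digits and hyphens
# joined by dots. Anything else is refused instead of written to the config.
valid_domain() {
    printf '%s' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Print the nslcd.conf line for the given domain; return 1 if it is invalid.
# The filter keeps $username literal: nslcd expands it at authorization time.
authz_line_for_domain() {
    domain="$1"
    valid_domain "$domain" || return 1
    esc=$(ldap_filter_escape "$domain")
    printf 'pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=*.%s))\n' "$esc"
}

# Usage: pass the domain explicitly, or use the host's own domain as in the
# report, e.g.  sh this_script.sh "$(hostname -d)" >> /etc/nslcd.conf
if [ -n "${1:-}" ]; then
    authz_line_for_domain "$1" || { echo "refusing invalid domain: $1" >&2; exit 1; }
fi
```

Running it with group.company.com prints exactly the working line from the report; a value such as group.company.com)(uid=* is rejected before it ever reaches the filter. The generated line replaces, rather than supplements, any pam_authz_search line already in nslcd.conf, and nslcd must be restarted for the change to take effect.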