
Pam_ldap group access



I have recently been using openLDAP on a server for authentication. I have user auth working happily, but when I try to enable group_membership, it is not enforced. When a user with the correct group membership logs in, everything is happy, but when a user without the membership logs in, a notice appears that says "You must be a memberUid of cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan to login.", but the user is still able to continue and log in, and it is not enforcing the group membership.

Many thanks for your help (again).

Here is my nss_ldap.conf (/etc/ldap.conf):

base dc=chocolate,dc=lan
suffix dc=chocolate,dc=lan
uri ldap://ldap.chocolate.lan
ldap_version 3
scope sub
timelimit 3
bind_timelimit 3
bind_policy soft

pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_groupdn cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan
pam_member_attribute memberUid

pam_password clear

pam_password exop
nss_base_passwd         ou=Users,dc=chocolate,dc=lan?sub
nss_base_passwd         ou=Computers,dc=chocolate,dc=lan?sub
nss_base_shadow         ou=Users,dc=chocolate,dc=lan?sub
nss_base_group          ou=Nemo,ou=Group,dc=chocolate,dc=lan?sub

ssl on
ssl start_tls
tls_cacert /usr/local/etc/openldap/keys/cacert.crt

tls_checkpeer no

And my pam.d/sshd:

auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn
auth            required        pam_unix.so             no_warn use_first_pass

account         required        pam_nologin.so
account         required        pam_login_access.so
account         optional        pam_unix.so
account         optional        /usr/local/lib/pam_ldap.so

session         required        pam_permit.so
session         optional      /usr/local/lib/pam_ldap.so

password        sufficient      pam_unix.so             no_warn use_first_pass
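An added worked example, not part of the original post: in pam_ldap the pam_groupdn/pam_member_attribute check is carried out during account management, and in the pam.d/sshd above that line is marked "optional". Under the simple PAM control flags, the result of an optional module is discarded unless it is the only module in the stack, so pam_ldap prints its "You must be a memberUid of ..." notice, returns a denial, and the stack still ends in PAM_SUCCESS. The script below models the four simple control flags (required, requisite, sufficient, optional), feeds it the posted account stack, and contrasts it with the same stack where pam_ldap is "required". Everything in it is constructed for illustration: the module results are hand-assigned, the control-flag model is a simplification of Linux-PAM/OpenPAM behaviour, and the "ignore_unknown_user" option on the fixed line is a real pam_ldap option assumed here so that purely local accounts that have no LDAP entry are not locked out by the change.

```python
"""Model the PAM account stack to show why an `optional` pam_ldap line
cannot enforce pam_groupdn.  Added example, not code from the original
post.  Control-flag semantics are a simplified model of the simple
controls used in the posted pam.d/sshd; module results are constructed.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

PAM_LDAP = "/usr/local/lib/pam_ldap.so"

# The account stack exactly as posted in pam.d/sshd.
POSTED_ACCOUNT_STACK = """\
account         required        pam_nologin.so
account         required        pam_login_access.so
account         optional        pam_unix.so
account         optional        /usr/local/lib/pam_ldap.so
"""

# Same stack with pam_ldap promoted to `required` so its group denial is
# honoured.  `ignore_unknown_user` (assumed here, a pam_ldap option) lets
# local-only accounts with no LDAP entry still pass this line.
FIXED_ACCOUNT_STACK = """\
account         required        pam_nologin.so
account         required        pam_login_access.so
account         optional        pam_unix.so
account         required        /usr/local/lib/pam_ldap.so ignore_unknown_user
"""


def parse_stack(text, phase):
    """Return [(control, module)] for one phase ('auth', 'account', ...)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != phase:
            continue
        entries.append((fields[1], fields[2]))  # (control flag, module path)
    return entries


def run_stack(entries, results):
    """Evaluate a stack of simple-control entries.

    `results` maps module path -> True (succeeded) / False (failed);
    modules missing from the map are assumed to succeed.
    """
    required_failed = False
    for control, module in entries:
        ok = results.get(module, True)
        if control == "requisite":
            if not ok:
                return PAM_PERM_DENIED          # fail the stack at once
        elif control == "required":
            if not ok:
                required_failed = True          # remember, keep running
        elif control == "sufficient":
            if ok and not required_failed:
                return PAM_SUCCESS              # short-circuit success
        elif control == "optional":
            # Result only counts when it is the sole module in the stack.
            if len(entries) == 1 and not ok:
                return PAM_PERM_DENIED
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return PAM_PERM_DENIED if required_failed else PAM_SUCCESS


def account_result(stack_text, ldap_group_ok):
    """Outcome of the account phase when pam_ldap's group check passes/fails."""
    return run_stack(parse_stack(stack_text, "account"), {PAM_LDAP: ldap_group_ok})


def optional_account_modules(stack_text):
    """Audit helper: account-phase modules whose verdict is silently ignored."""
    return [m for c, m in parse_stack(stack_text, "account") if c == "optional"]


if __name__ == "__main__":
    print("posted stack, user not in group:", account_result(POSTED_ACCOUNT_STACK, False))
    print("fixed stack,  user not in group:", account_result(FIXED_ACCOUNT_STACK, False))
    print("fixed stack,  user in group:    ", account_result(FIXED_ACCOUNT_STACK, True))
    print("ignored account modules:        ", optional_account_modules(POSTED_ACCOUNT_STACK))
```

Running it shows the posted stack returning PAM_SUCCESS even when pam_ldap denies the user, and the "required" variant returning PAM_PERM_DENIED for the same user while still admitting a group member. Two further things in the posted /etc/ldap.conf are worth a look while editing: "tls_checkpeer no" disables verification of the LDAP server's certificate despite the tls_cacert line, so the STARTTLS session protects against eavesdropping but not against an impersonated server, and "pam_password" appears twice (clear, then exop), so only one of the two can actually be in effect.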