It was mostly about syncing groups with Proxmox. Worked by patching the LDAP provider to support our schema. Comment was more about the extensibility problem when doing this. Actually, when you say this, I wonder how PAM could work. Only ever used it for providing shell access: we typically do not have any local users on the machine. Never used PAM in a way not providing any local execution privileges (which is the whole point of a VM host).