This is every SysAdmin's nightmare of things to do. Basically we want to control who has access to which hosts. As simple it may sound, the problem is to find a scalable and low maintenance(mgmt. overhead) solution. We use bcfg2 for Config Mgmt much like Cfengine & puppet.
Some ways:
Netgroups is very scalable but comes with a huge mgmt overhead. Maintaining hosts, group of hosts, user netgroups(separate from ldpa groups) seems like a very big burden, but is doable.
ldap.conf (go to the post by jmozdzen on 1st July) and LDAp based access control. We could template the ldap.conf for each host and create a group with hostname and members as users. But the downside is you cannot specify ldap group(team of users) for access but only individually.
sshd_config restriction. But that doesn't work if the users log in natively.
Host attribute check. By un-commenting pam_check_host_attr in ldap.conf and add the hostname to each user works well, but automation is not easy.
Anybody has a different approach to this problem and that scales well and automated?
I use something similar to your "Option 2" -- an LDAP (pam_ldap/nss_ldap) setup where each class of server has a group in LDAP (db, web, etc.), and the members of that group are allowed to log in to that class of server. This is about the same overhead as netgroups, but it works well because our user lists are relatively static (you have access to a list of machines, and that access is pretty much forever).
We don't allow console logins for LDAP users (only the emergency service & root accounts can log in locally, and those passwords are carefully guarded), so the ldap-specific restrictions only need to be applied to sshd in our case.
Another interesting approach is suggested in OpenLDAP's nssov module. See the README for details.