robydago

Reputation: 1

Fedora - login to cockpit web GUI using LDAP credentials

Fedora 39 server configured to allow LDAP users to log in if they are members of a specific LDAP group. The same LDAP group is in the sudoers file, so after login users can sudo (set to allow sudo without password).

The LDAP config is set in the sssd.conf file.

Everything is working as expected for ssh logins.

My issue is that the same users who are able to log in via ssh are not able to log in to the cockpit web GUI. They get a "Permission Denied" error.

What permissions are missing to log in to cockpit, and how do I assign them to the LDAP group members?

When they try to log in, the secure log file shows these lines, so the authentication itself is OK:

    cockpit-session[14744]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:172.16.100.130 user=utest
    cockpit-session[14744]: pam_unix(cockpit:session): session opened for user utest(uid=3001) by utest(uid=0)

This is the /etc/pam.d/cockpit file:

    auth        required                                     pam_env.so
    auth        required                                     pam_faildelay.so delay=2000000
    auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
    auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
    auth        sufficient                                   pam_unix.so nullok
    auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
    auth        sufficient                                   pam_sss.so forward_pass
    auth        required                                     pam_deny.so
    
    account     required                                     pam_unix.so
    account     sufficient                                   pam_localuser.so
    account     sufficient                                   pam_usertype.so issystem
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required                                     pam_permit.so
    
    password    requisite                                    pam_pwquality.so local_users_only
    password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
    password    [success=1 default=ignore]                   pam_localuser.so
    password    sufficient                                   pam_sss.so use_authtok
    password    required                                     pam_deny.so
    
    session     optional                                     pam_keyinit.so revoke
    session     required                                     pam_limits.so
    -session    optional                                     pam_systemd.so
    session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
    session     required                                     pam_unix.so
    session     optional                                     pam_sss.so

Please help. I have no idea how to troubleshoot and fix this cockpit permissions issue.

Upvotes: 0

Views: 152

Answers (0)
