Allow multiple groups to do su(1) with PAM

Rocky Hotas rockyhotas at post.com
Tue May 9 13:49:03 UTC 2017


Hi!
A default FreeBSD 11.0 /etc/pam.d/su file contains the following lines:

auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe ruser
auth            include         system

Also LDAP users belonging to another group, say `remotewheel', should be allowed to make `su root'.
pam_group(8) seems not to allow multiple choices for the option `group', so a line for each allowed group must be included. Also, the lines should be `sufficient', because the success of one line must automatically exclude the other. I made these modifications:

auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            sufficient      pam_group.so            no_warn group=remotewheel root_only fail_safe ruser
auth            sufficient      pam_group.so            no_warn group=wheel root_only fail_safe ruser
auth            include         system

but with this configuration, the root password of the local system is never asked. It should, instead.
After having verified that the user who makes `su root' belongs to `remotewheel' or `wheel', the system should ask the root password. How is it possible to configure PAM this way?
Thank you anyway,

Rocky
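The control-flag semantics behind the behaviour described above, as an added simulation that is not part of the original post or of FreeBSD: it replays both su stacks through a small model of OpenPAM's dispatch loop. Assumptions: a constructed group table, a one-line stand-in for the auth section of /etc/pam.d/system, and that fail_safe never triggers because both groups exist.

```python
# Added simulation of OpenPAM auth-chain dispatch (not FreeBSD code) for the two su stacks above.
SUCCESS, FAIL = "success", "fail"
GROUPS = {"wheel": {"alice"}, "remotewheel": {"bob"}}  # constructed stand-in for getgrnam(3)
def pam_group(ctx, opts):  # root_only is always satisfied here because every call targets root
    who = ctx["ruser"] if "ruser" in opts else ctx["target"]  # ruser: test the invoking user
    return SUCCESS if who in GROUPS.get(opts["group"], set()) else FAIL
def pam_unix(ctx, opts):
    ctx["asked_password"] = True  # the root password prompt happens here
    return SUCCESS if ctx["password_ok"] else FAIL
MODULES = {
    "pam_rootok.so": lambda ctx, o: SUCCESS if ctx["ruser"] == "root" else FAIL,
    "pam_self.so": lambda ctx, o: SUCCESS if ctx["ruser"] == ctx["target"] else FAIL,
    "pam_group.so": pam_group, "pam_unix.so": pam_unix}
# Simplified stand-in for the auth section of /etc/pam.d/system (an assumption, not the real file).
POLICIES = {"system": ["auth required pam_unix.so no_warn try_first_pass"]}

def expand(lines):  # parse pam.d lines; OpenPAM splices an 'include'd policy into the calling chain
    chain = []
    for line in lines:
        _type, control, module, *rest = line.split()
        if control == "include":
            chain += expand(POLICIES[module])
        else:
            chain.append((control, module, dict(t.partition("=")[::2] for t in rest)))
    return chain

def dispatch(lines, ctx):
    first_fail = None  # sufficient: success ends the chain; requisite: failure ends it; required: deferred
    for control, module, opts in expand(lines):
        r = MODULES[module](ctx, opts)
        if r == SUCCESS:
            if control == "sufficient" and first_fail is None:
                return SUCCESS  # later lines, including the password prompt, never run
        elif control == "requisite":
            return FAIL
        elif control == "required" and first_fail is None:
            first_fail = FAIL
    return first_fail or SUCCESS

def su(lines, ruser, target="root", password_ok=True):  # -> (auth result, was root password asked?)
    ctx = {"ruser": ruser, "target": target, "password_ok": password_ok, "asked_password": False}
    return dispatch(lines, ctx), ctx["asked_password"]

ORIGINAL = ["auth sufficient pam_rootok.so no_warn", "auth sufficient pam_self.so no_warn",
            "auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser",
            "auth include system"]
MODIFIED = ORIGINAL[:2] + [
    "auth sufficient pam_group.so no_warn group=remotewheel root_only fail_safe ruser",
    "auth sufficient pam_group.so no_warn group=wheel root_only fail_safe ruser",
    "auth include system"]
```

For bob the modified stack returns success at the remotewheel line before pam_unix ever runs, which is exactly the missing password prompt. It also shows that a user in neither group still falls through to the password prompt, because a failing `sufficient' line is simply skipped rather than stopping the chain.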