After searching it doesn't look like LDAP or Kerberos will do this. Apparently there is no attribute for it in LDAP and there really is no way for it to work from an LDAP perspective. There's no logout from LDAP, so it would never be able to decrement the login count.
Given this, it appears that the solution will have to be ad hoc.
You'll need a service that monitors /var/run/utmp or the command w (shows users currently logged in) on each machine and reports it to a central server by some mechanism (nfs mount + text file, for example).
Then, you'll need a login script that kicks the user out if they've exceeded the limit of concurrent logins. The login script would read from the central server what the current login count is. Alternatively, you could have a service that modifies the maxlogins in /etc/security/limits.conf based on the value of the login count retrieved from the central server:
maxlogins = $total_logins - $current_logins
Basically, the most important consideration is that the users don't have permission to change the login count themselves or they could just manually change the value to allow more logins.
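As an added example (not the answerer's own code), a POSIX shell sketch of the pieces the answer above describes: a per-host reporter, a central sum of the report files, the maxlogins arithmetic and the login-time check. REPORT_DIR, MAX_LOGINS, the "<user> <count>" report format and the demo data are assumptions made here.

```shell
#!/bin/sh
# Added example, not the answer's own code: reporter + login-time check as the
# answer describes. REPORT_DIR, MAX_LOGINS, the "<user> <count>" report format
# and the demo data are assumptions made here for demonstration.
REPORT_DIR="${REPORT_DIR:-/srv/logincount}"   # shared (NFS) directory, assumed
MAX_LOGINS="${MAX_LOGINS:-3}"                 # per-user concurrent-login limit, assumed

# Reduce `who`-style lines (user tty date time ...) on stdin to sorted "<user> <count>".
count_sessions() {
    awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# Reporter, run periodically on every host: rewrite this host's file atomically
# (dot-prefixed temp name so readers globbing "*" never see a half-written file).
# The directory must be writable only by root, or a user could lower their own
# count, which is the answer's last point.
publish_report() {
    who | count_sessions > "$REPORT_DIR/.$(hostname).tmp" \
        && mv "$REPORT_DIR/.$(hostname).tmp" "$REPORT_DIR/$(hostname)"
}

# Total sessions held by one user across all hosts' report files (0 if none).
current_logins() {
    cat "$REPORT_DIR"/* 2>/dev/null \
        | awk -v u="$1" '$1 == u { s += $2 } END { print s + 0 }'
}

# maxlogins for /etc/security/limits.conf as the answer computes it:
# total allowed minus sessions already held, floored at 0.
remaining_logins() {
    rem=$(( MAX_LOGINS - $(current_logins "$1") ))
    if [ "$rem" -lt 0 ]; then rem=0; fi
    echo "$rem"
}

# Login-time check: succeeds only while the user is under the limit.
check_login() {
    [ "$(current_logins "$1")" -lt "$MAX_LOGINS" ]
}

# Stand-alone demo on constructed report files (run as: sh script.sh demo).
if [ "${1:-}" = "demo" ]; then
    REPORT_DIR=$(mktemp -d)
    printf 'alice 2\nbob 1\n' > "$REPORT_DIR/host1"   # constructed sample
    printf 'alice 1\n'        > "$REPORT_DIR/host2"   # constructed sample
    echo "alice: $(current_logins alice) sessions, maxlogins $(remaining_logins alice)"
    check_login alice && echo "alice allowed" || echo "alice denied"
    rm -rf "$REPORT_DIR"
fi
```

The reporter would be run from cron (or a timer) as root on each host, and the login script would call check_login or write remaining_logins into limits.conf.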
I have struggled with this one as well for some time. Firstly, check that the version of OpenSSH is >6.2, then the syntax of the sshPublicKey from Gosa.
I had it on Debian 7.7, then dist-upgraded to Debian 8 to get the latest OpenSSH features.
Do
ldapsearch -x '(&(objectClass=posixAccount)(uid=<Your user>))' sshPublicKey
If you have added it with gosa it will probably say something like
sshPublicKey::c3NoLXJzYSBBQUFBQ........ bla bla
This is because it is getting hashed in some way that I haven't figured out yet, but you can add this manually by creating a file called e.g. sshkey.ldif and adding the following content:
dn: cn=Jonas Pedersen,ou=people,dc=kirk,dc=local
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa <your_key> "Comment" jkp@aptproxy
Then modify it with ldapmodify:
ldapmodify -x -D cn=admin,dc=kirk,dc=local -W -f sshkey.ldif
My entries looked like this with Gosa and with ldapmodify
Then take a look here ldap-ssh-key
Best Answer
No, there isn't an official "CentOS way" for managing users in LDAP. Which is a bit infuriating, since the default useradd/usermod/etc. tools only work with the default /etc/passwd scheme. The official LDAP server is openldap, and there are some basic command line tools available, but nothing that is out-of-the-box easy to use for user management. We use a web-based system called Gosa; another popular option is home-grown scripts built on top of the command-line LDAP tools.