How can I limit the number of desktop machines, within a private, all-Linux LDAP-authenticated network, that a single user account is logged in to at one time?
Here is the scenario to prevent: A user with a valid account logs in on that same account to 10 different desktops so that he can play games with his 9 friends; none of those friends have valid accounts on the network.
The server is RHEL 5 with OpenLDAP, desktops are Fedora 11 (will be CentOS 5.4 when available). All desktop logins are via LDAP on the server.
Note: Limiting concurrent logins on a single machine can be done with maxlogins in /etc/security/limits.conf, but this is useless in the stated scenario.
Also note: On a Windows network with Active Directory, software such as UserLock and LimitLogin can accomplish this; but this network has no Windows and no AD server.
EDIT: I realize LDAP can't do this by itself; if there is a mature, well-tested add-on product, similar to the aforementioned Windows-based products, then that would be good news. I will even consider non-gratis/non-libre solutions.
Best Answer
After searching it doesn't look like LDAP or Kerberos will do this. Apparently there is no attribute for it in LDAP and there really is no way for it to work from an LDAP perspective. There's no logout from LDAP, so it would never be able to decrement the login count.
Given this, it appears that the solution will have to be ad hoc.
You'll need a service that monitors /var/run/utmp or the command w (shows users currently logged in) on each machine and reports it to a central server by some mechanism (nfs mount + text file, for example). Then, you'll need a login script that kicks the user out if they've exceeded the limit of concurrent logins. The login script would read from the central server what the current login count is. Alternatively, you could have a service that modifies the maxlogins in /etc/security/limits.conf based on the value of the login count retrieved from the central server:
maxlogins = $total_logins - $current_logins
Basically, the most important consideration is that the users don't have permission to change the login count themselves or they could just manually change the value to allow more logins.
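As an added illustration of the scheme the answer sketches (not code from the answer or from any product), here is the counting and login-check logic in POSIX shell. It assumes a report file format of one "<hostname> <user>" line per host, written by each desktop from its utmp with who; the sample report, the limit of 3 and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example: login-count check for the "nfs mount + text file" scheme.
# Assumed (not from the answer) report format, one line per host written by
# each desktop's reporter from utmp via `who`: "<hostname> <user>".

# Constructed sample of the shared report file, embedded so this runs offline.
SAMPLE_REPORT=$(cat <<'EOF'
desk01 alice
desk02 alice
desk03 alice
desk01 bob
desk04 carol
EOF
)

# What each desktop's reporter would append for itself (assumed helper):
# one "<hostname> <user>" line per distinct logged-in user on this host.
report_local() {
    who | awk -v h="$(hostname)" '{ print h, $1 }' | sort -u
}

# Count the distinct desktops a user is currently logged in to.
# $1 = user, $2 = report text
count_hosts() {
    printf '%s\n' "$2" | awk -v u="$1" '
        $2 == u { hosts[$1] = 1 }
        END { n = 0; for (h in hosts) n++; print n }'
}

# Login hook: succeed (exit 0) if the user is on fewer than $2 desktops,
# fail otherwise; the login script would then log the user back out.
# $1 = user, $2 = limit, $3 = report text
login_allowed() {
    n=$(count_hosts "$1" "$3")
    [ "$n" -lt "$2" ]
}

# Value to write into the maxlogins line of /etc/security/limits.conf,
# i.e. the answer's $total_logins - $current_logins, floored at 0.
# $1 = user, $2 = total allowed, $3 = report text
remaining_logins() {
    n=$(count_hosts "$1" "$3")
    r=$(( $2 - n ))
    if [ "$r" -lt 0 ]; then r=0; fi
    echo "$r"
}
```

The report file must be writable only by the reporter accounts, for the reason the answer gives: a user who can edit the counts can lift the limit.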