Find users currently logged in using ldap?


Solution 1

AFAIK LDAP does not implement session management - it just provides a directory service - and its data can be cached heavily elsewhere. Also it can provide information other than authentication. So there's no such thing as "logged into LDAP" and no way to practically measure it.

Presumably you maintain your LDAP implementation so that your users can access applications - you'd need to look at these applications to determine who currently has an open session (assuming the applications are stateful - HTTP is not).

Solution 2

Quoting symcbean, "there is no such thing as logged into ldap". But there is such a thing as users who authenticate through ldap.

More specifically, when you configure your host to use an authentication backend like ldap, the Name Service Switch (nsswitch) could (and arguably should) cache your user information to allow you to log into your system. Actually, from my point of view, it does not matter if data is being cached, it is still information coming from that backend.

Users, whether they belong to the NIS, Unix or ldap backend, have a UID. In a properly configured system, UIDs from one backend should not match those in another backend (usually the unix and ldap backends live together).

To finally make my point, you have /etc/passwd and the output of getent passwd, which should not match (ldap extends the unix backend), therefore you know which users exist solely in ldap. Last, you have last :D which will tell you who logged in when and from where, besides the syslog facility auth to double check. You could make a simple script that could tell you which ldap users logged in with this information on a per host basis.

NOTE: if you have duplicated users in unix and ldap, with the same IDs, then you're on your own :)

Solution 3

I largely agree with symcbean's answer (Find users currently logged in using ldap?), but...

You could try parsing the DC's security logs, but that will return a lot of data. Depending on what you want to do with the data long-term, it may be worth sending into a database.

===

I'm not sure about OpenLDAP, but on AD, you can set Group Policy and/or a login script to run (in Windows Batch):

echo logon %username% %computername% %date% %time% >> \\shared\path\FILE_LOCATION.txt

Either parse out the username or computername from FILE_LOCATION.txt, or: Save by computername by:

echo logon %username% %computername% %date% %time% >> \\shared\path\%computername%.txt

Likewise, save by username with:

echo logon %username% %computername% %date% %time% >> \\shared\path\%username%.txt

Solution 4

For us, the command:

users

did the trick.

It lists local, LDAP and SSH user logins. So far as I can tell it only fails to report if root is logged in. We have Ubuntu 12.04 on the clients and server.

We have OpenLDAP backing our authentication via PAM and NSSwitch with NFS mounted home dirs. It is probably important to get your /etc/idmapd.conf sorted out with a domain declaration. (prior to our organization doing so, ls -l would return file owner and group as nobody:nobody on clients but at that time)

Sorry to answer such an old question, but I had the same issue and wound up here for an answer before I sorted it out on my own. Please don't down vote my answer if this does not work for you.
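The per-host procedure sketched in Solution 2 (compare /etc/passwd with getent passwd to find directory-only accounts, then see who is logged in) and the users/who check from Solution 4, written out as an added example; this is not code from any of the answers. It assumes a Linux client where OpenLDAP is wired in through PAM and NSS, as the question describes. Every function takes captured output as file arguments so it can be run against the constructed sample files below, and host_report runs it against the live machine.

```shell
#!/bin/sh
# Added example, not from the original answers: per-host report of which
# login sessions belong to directory (e.g. OpenLDAP) accounts rather than
# local /etc/passwd accounts. All sample data below is constructed.

# Users that NSS returns (getent passwd) but /etc/passwd does not define.
# Field 1 is the username in both formats.
ldap_only_users() {
    awk -F: 'NR == FNR { local_user[$1] = 1; next }
             !($1 in local_user) { print $1 }' "$1" "$2" | sort
}

# The case Solution 2 warns about: a directory account whose UID collides
# with a differently named local account. Report it rather than guess.
uid_collisions() {
    awk -F: 'NR == FNR { local_name[$3] = $1; next }
             ($3 in local_name) && local_name[$3] != $1 {
                 print $1 " shares UID " $3 " with local user " local_name[$3] }' "$1" "$2"
}

# Tag each who(1) line with the session owner's account source. Only names
# that are actually logged in are looked up, so this needs no directory
# enumeration (sssd, for example, disables enumeration by default).
classify_sessions() {
    awk 'NR == FNR { split($0, f, ":"); local_user[f[1]] = 1; next }
         NF >= 2 { src = ($1 in local_user) ? "local" : "directory"
                   print $1, $2, src }' "$1" "$2"
}

# Directory-backed sessions only, one line per user and tty.
directory_sessions() {
    classify_sessions "$1" "$2" | awk '$3 == "directory" { print $1, $2 }' | sort -u
}

# Same report against this host. getent passwd lists directory accounts
# only if the NSS backend enumerates, so the UID check may be empty on sssd.
host_report() {
    tmp=$(mktemp -d) || return 1
    who > "$tmp/who"
    getent passwd > "$tmp/getent" 2>/dev/null || :
    echo "== directory-backed sessions on $(hostname)"
    directory_sessions /etc/passwd "$tmp/who"
    echo "== UID collisions"
    uid_collisions /etc/passwd "$tmp/getent"
    rm -rf "$tmp"
}

# Constructed sample input (a local passwd file, the corresponding getent
# output with three directory accounts, and who output).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_GETENT="$SAMPLE_DIR/getent"
SAMPLE_WHO="$SAMPLE_DIR/who"

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
svc_backup:x:1001:1001:Backup Service:/var/backups:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

cat > "$SAMPLE_GETENT" <<'EOF'
root:x:0:0:root:/root:/bin/bash
svc_backup:x:1001:1001:Backup Service:/var/backups:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:*:10001:10000:Alice:/home/alice:/bin/bash
bob:*:10002:10000:Bob:/home/bob:/bin/bash
carol:*:1001:10000:Carol:/home/carol:/bin/bash
EOF

cat > "$SAMPLE_WHO" <<'EOF'
root     tty1         2024-03-01 08:12
alice    pts/0        2024-03-01 09:30 (10.0.0.5)
alice    pts/1        2024-03-01 09:31 (10.0.0.5)
bob      pts/2        2024-03-01 10:02 (10.0.0.7)
EOF

echo "Directory-only accounts:";   ldap_only_users    "$SAMPLE_PASSWD" "$SAMPLE_GETENT"
echo "UID collisions:";            uid_collisions     "$SAMPLE_PASSWD" "$SAMPLE_GETENT"
echo "Directory-backed sessions:"; directory_sessions "$SAMPLE_PASSWD" "$SAMPLE_WHO"

# Pass --live to run the same checks against this host.
if [ "${1:-}" = "--live" ]; then host_report; fi
```

The session check works from who(1) rather than from getent enumeration on purpose: it answers "which of the people logged in right now are directory users" without requiring the NSS backend to list the whole directory, and it stays correct when enumeration is off. The UID collision check is the one place enumeration is needed, and it is where the "duplicated users" caveat from Solution 2 shows up: carol, a directory account on UID 1001, would be indistinguishable from svc_backup in file ownership and in numeric audit records.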

Author: nitins

Updated on September 17, 2022
Comments

  • nitins
    nitins over 1 year

    We have Openldap configured here and users are able to use ldap for login to client machines. But any way to check the users currently logged into machines using LDAP ? I would like to find which user has logged into which machine using LDAP ?

  • nitins
    nitins over 13 years
    Can any LDAP monitors accomplish it ?
  • gWaldo
    gWaldo over 13 years
    +1. Each application is responsible for their own session management. When (if) sessions expire, they revalidate against the LDAP server.
  • mfinni
    mfinni over 13 years
    Except that the tags are for Linux and OpenLDAP. Yours is a good answer for AD domains (and i've done similar stuff) but not really applicable for the question. It also doesn't tell you who's currently logged in (which is what the question is really asking), just where they last logged in.
  • gWaldo
    gWaldo over 13 years
    @mfinni - I acknowledged that I wasn't sure if it was possible in OpenLDAP, but the scripts say who logged in where last. LDAP does not maintain state (so you could poll that info directly), but using the information provided by this method (yes, it'd have to be ported to a *nix shell) you could check that machine for logged in users... I admit it's not a complete solution, but it does give an idea that would get you most of the way there. (And further than the asker is now...
  • mfinni
    mfinni over 13 years
    True enough. It probably depends more on what the asker has in his whole environment. LDAP is just LDAP - it's the client side mechanism that determines if anything is done other than "user is authenticated? yes/no". With AD, this is integrated between LDAP, Kerberos, and the GINA at the client side. The questioner hasn't told us what's on his client side, and I don't know if there is a standard LDAP plugin on most Linux distros. PAM, maybe?
  • gWaldo
    gWaldo over 13 years
    Yea, I'm trying to not project my own environment and preferences on the question...
  • nitins
    nitins over 13 years
    Yes, OpenLDAP is used as a central directory with credentials stored in it login to client machines
  • JamesBarnett
    JamesBarnett almost 13 years
    @nitins I believe so, I think that's what a Barracuda Web Filter does, see my answer below.