acct across a network with centralized LDAP authentication?

Posted by irenefm on Thu 11 Jan 2007 at 15:29

Tags: acct, nfs, questions

I have set up a network with centralized user authentication through LDAP and access to home directories with NFS. I would now like to monitor user's connection time and usage, but across the network, rather than on a per-machine basis.

They are Debian Sarge systems, with GNOME desktops, and users login through gdm. The server is also Debian Sarge, with OpenLDAP.

On a single machine, I would use acct, but haven't found any equivalent for this purpose on a network basis, Does anyone know if there is such a package?

Since I couldn't find a package, I have been trying my own solutions, based on the idea of having common utmp and wtmp files accessible to all machines, in which they would write accounting information.

I have implemented this as follows:

Set up another NFS share with common wtmp and utmp files
Add sessreg entries to /etc/X11/gdm/PreSession/Default (and PostSession) similar to those already there, changing only the file to write the info into.

However, I have come across some problems:

How to include information in the common wtmp and utmp files about which machine the user was actually on: when two users logged in to ':0' display, the first one is thought to have logged off, since two users cannot be logged in there at the same time.

I fixed this by modifying the sessreg command again, changing the display entry to ':0.machinename' which doesn't seem very elegant...
PID problems: I would like to get information about users currently logged in, but if I try to do this from a "control machine", the users appear to be "gone --no logout". I believe this is because the PID that wrote the entry to the wtmp and utmp files is not there (it is in another machine).

Only way I found to solve this was logging in to each machine and invoking acct commands from each one (so that the PID is found).
PID problems: Keeping two parallel accountings: Individual machines, and global across the network.

My first thought was it would be good to keep machine based accounting intact, and add the global accounting through different files. However, the only way I found of adding a sessreg entry to the /etc/X11/gdm/PreSession/Default, and avoid PID problems like the above, was using an "exec sessreg..." call, so that I could only include one sessreg command. (The script exits after that).
Found no solution to that so far.

In short, I'm not very happy about this setup, and wonder if anyone knows of a better answer, some way of merging the individual wtmp and utmp files, or an acct alternative for a "multi-machine" context.

Thanks for your help!

maybe a cluster would fit the bill

Posted by shavenwarthog (76.168.xx.xx) on Thu 11 Jan 2007 at 17:24
[ Send Message ]

A possibility would be to shift all the machines over to a clustering system. Instead of having many independent machines with shared file system and authorization, you'd have a single computer with many CPUs and many displays.

As it turns out, this is an easy idea to get started with. The live CD for ClusterKnoppix: 1) is based on Debian, 2) doesn't touch the local hard drive, and 3) has clustering support. http://clusterknoppix.sw.be/

This page illustrates how to have X on your master server, as well as on all your clients, which sounds like what you'd want:
http://clusterknoppix.sw.be/xx.htm

(In fact, this sounds easy and fun, so maybe I'll put Mosix on my random hardware. yay)

[ Parent | Reply to this comment ]

Re: maybe a cluster would fit the bill

Posted by dennismp (200.32.xx.xx) on Thu 11 Jan 2007 at 21:29
[ Send Message ]

Greetings,
I did not know about acct, looks pretty interesting but then as you said, seems like it is does accounting on a localhost basis. Well here is another idea that i wish to implement.

I want use a php/mysql based system that will be hosted on a web/database server.
The database will store
Username
Machine Name
Date
Time spent at machine

A simple page that updates the database with the info will need to be created.
Then using the gnome's session start and end files (/etc/gdm/PreSession /etc/gdm/PostSession) that php page can be called using links and output redirected to null.

I think it should work..
What do you think?

[ Parent | Reply to this comment ]

Re: Syslog-ng?

Posted by mpapet (208.179.xx.xx) on Fri 12 Jan 2007 at 23:56
[ Send Message ]

I may be totally misreading this, but why can't you have remote syslog-ng's just forward login activity to a central syslog server?

Let the clients do the work when they are being used.

You search/sort logs for activity on the central server and have it emailed to you on whatever schedule you like.

[ Parent | Reply to this comment ]

Re: Syslog-ng?

Posted by El_Cubano (66.93.xx.xx) on Sat 13 Jan 2007 at 17:57
[ Send Message ]

I agree. The remote syslog approach is the first thing that occurred to me after reading the article. It would be quite easy to whip up a utility that periodically parses the log files looking for login/logout events, which are logged both for local (console or display manager) events and remote (ssh) events.

--
Roberto C. Sanchez
http://people.connexer.com/~roberto

[ Parent | Reply to this comment ]

Re: Syslog-ng?

Posted by yarikoptic (69.115.xx.xx) on Mon 15 Jan 2007 at 00:12
[ Send Message ]

indeed remote syslog (better be using syslog-ng ;-) )
isn't the full goal would be also to get also commands history (man lastcomm) together to one box?

since BSD accounting (the one enabled/organized by acct package) is a kernel feature, then I guess network logging has to be done in kernel, thus sounds a bit tricky.

easier would be probably simply to copy /var/log/account/pacct daily (may be simply by adjusting existing /etc/cron.daily/acct) to the "server" host, prepending with host name and date. Then it can be easily viewed by lastacct -f

[ Parent | Reply to this comment ]

Contribute

Current Poll

Recent Weblogs

More Weblogs

Debian Administration

System Administration Tips and Resources