I am running Red Hat Enterprise Linux 6.6, and for authentication we use LDAP. We have an application running on a server (it doesn't really matter which one it is), and the way the application works is that it basically uses the OS just to authenticate the user; everything else is handled in the application.

Here is the problem I have: occasionally users share their usernames and passwords, which is against our policy, but I don't know when that happens (a few of them admitted it and were disabled soon after). What I came across is that when a user is authenticating, the application tells the OS "authenticate this user", the OS is set to use LDAP, and LDAP is using a PAM module.

What I want to do at the level of authentication is to run a script to check the user's incoming IP address and check whether the user has multiple sessions; if the user has multiple sessions, check the IP addresses of those sessions and see if they match. This is the best I can come up with, since a user cannot be at two machines at the same time.

I know that there is a way to restrict users per IP, but some users have laptops and they move around, so their IP is assigned dynamically and changes all the time. At the same time, it would be a nightmare to maintain 600+ users and their IP addresses.

Any suggestions?

  • since a user cannot be at two machines at the same time -- Actually, they can. Trivially. Unless the servers literally cannot SSH to each other, they can simply authenticate to one machine and then use the command-line ssh client to reach another machine.
    – Andrew B
    Commented Feb 18, 2016 at 4:47
  • @AndrewB In theory you can, but you cannot work at two machines at the same time. You can switch back and forth, but you cannot be at both at the same time physically. In addition, we are talking about client machines, not connections to multiple servers: there is only one server, and all the other users are client machines.
    – zuboje
    Commented Feb 18, 2016 at 14:38
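One way to implement the check described in the question, as an added example that is not part of the original post: a pam_exec hook that compares the incoming address with the addresses of the account's existing utmp sessions. The script path and the PAM stack placement are assumptions, and it only sees sessions that were actually opened through PAM (SSH logins, for example), not application logins that call PAM for authentication alone.

```shell
#!/bin/sh
# Added example, not from the original question: a pam_exec hook that flags a
# login when the account already has a live session from a different address.
# Assumptions: pam_exec.so exports PAM_USER and PAM_RHOST (it does); the existing
# sessions are recorded in utmp, so `who` shows them with the remote host in the
# last, parenthesised column (true for SSH logins; an application that only calls
# PAM authentication without opening a PAM session will not appear in `who`).
# Install (hypothetical path), e.g. in /etc/pam.d/sshd:
#   account optional pam_exec.so /usr/local/sbin/check_shared_login.sh
# Use "required" instead of "optional" to deny the login rather than only log it.

# other_hosts USER RHOST WHO_OUTPUT
# Prints each host (one per line) from which USER is logged in other than RHOST.
other_hosts() {
    printf '%s\n' "$3" | awk -v u="$1" -v h="$2" '
        $1 == u && $NF ~ /^\(.*\)$/ {
            host = substr($NF, 2, length($NF) - 2)   # strip the parentheses
            if (host != h && !seen[host]++) print host
        }'
}

# check_login USER RHOST WHO_OUTPUT
# Returns 0 when no conflicting session exists, 1 when USER is already logged in
# from another address; the conflict is written to syslog (auth facility).
check_login() {
    others=$(other_hosts "$1" "$2" "$3")
    [ -z "$others" ] && return 0
    if command -v logger >/dev/null 2>&1; then
        logger -t check_shared_login -p auth.warning \
            "user=$1 new_rhost=$2 already logged in from: $(printf '%s' "$others" | tr '\n' ' ')" \
            2>/dev/null || :
    fi
    return 1
}

# Constructed sample `who` output for trying the check offline (not real data).
SAMPLE_WHO='alice    pts/0        2016-02-18 09:12 (192.0.2.10)
bob      pts/1        2016-02-18 09:30 (192.0.2.20)
alice    pts/2        2016-02-18 09:45 (192.0.2.10)
carol    tty1         2016-02-18 08:00'

# When invoked by pam_exec the PAM variables are set; otherwise this file can be
# sourced to get the functions, e.g. check_login alice 198.51.100.7 "$SAMPLE_WHO".
if [ -n "${PAM_USER:-}" ] && [ -n "${PAM_RHOST:-}" ]; then
    check_login "$PAM_USER" "$PAM_RHOST" "$(who)"
    exit $?
fi
```

`who` prints whatever sshd recorded in utmp (an IP address unless UseDNS resolved it to a name), so PAM_RHOST and the utmp host must be in the same form for the comparison to be meaningful.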
