Configure the Linux-PAM using SSSD

Configure the Oracle Identity Cloud Service Linux Pluggable Authentication Module (PAM) on Linux using the SSSD service.

Note:

The following prerequisites must be met before proceeding with the configuration.

The SSSD service should be installed. If it is not installed, install via sudo yum install sssd.
The service must be configured to start when the system reboots. You can perform this configuration via sudo chkconfig sssd on.
The property SELINUX must be set as permissive or disabled in file /etc/selinux/config. If it is not set, then set SELINUX=permissive or SELINUX=disabled.
Restart Linux to incorporate the above changes.

Verify the /etc/sssd/sssd.conf file exists, has 600 permission, and is owned by the root user. If the file does not exist create it as follows and run chmod 600 /etc/sssd/sssd.conf.

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = proxy_proxy
[nss]
fallback_homedir = /home/%u
default_shell = /bin/sh
   
[pam]
[domain/proxy_proxy]
auth_provider =  proxy
id_provider = proxy
proxy_lib_name = oracle_cloud
proxy_pam_target = sssd_proxy_oracle_cloud
enumerate =  false
cache_credentials = true
debug_level = 5
min_id = 500

Optionally, you can configure email addresses as the SSO usernames. To do this, add the line in bold (below) to the /etc/sssd/sssd.conf file to specify the regular expression.

...
[pam]
[domain/proxy_proxy]
re_expression = (?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)
auth_provider =  proxy
id_provider = proxy
...

Verify the /etc/pam.d/sssd_proxy_oracle_cloud file exists and is owned by the root user. If the file does not exist then create it as the root user and add the following:
/etc/pam.d/sssd_proxy_oracle_cloud file
```
auth          required      pam_oracle_cloud.so
account       required      pam_oracle_cloud.so
password      required      pam_oracle_cloud.so
session       required      pam_oracle_cloud.so
```
Edit the /etc/pam.d/sshd and add the pam_oracle_cloud module:
/etc/pam.d/sshd
```
auth sufficient pam_oracle_cloud.so
```
Note:
Add this either after the line auth include password-auth, or before the line auth substack password-auth*.
Edit the /etc/ssh/sshd_config to configure sshd to allow the use of Multi-Factor Authentication:

/etc/ssh/sshd_config

Search for the ChallengeResponseAuthentication property and set it to yes. If the property is not in the configuration file, add it.

Edit the /etc/opc.conf to allow the plugin to interact with Oracle Identity Cloud Service:

/etc/opc.conf

#This is sample format of opc.conf file, please use the correct information to configure this file.
#Enter the Oracle Identity Cloud Service tenancy base url.
base_url = https://identity-cloud-service-instance-url
#There is no need to change value of scope.
scope = urn:opc:idm:__myscopes__
#Enter the location of the wallet.
wallet_location = /etc/opc-wallet
#Enter the log level, this is optional and the default is 0, which means no log. 0 - None, 1 - Error, 2 - Info, 3 - Debug.
log_level = 0
#Enter the log file path, this is optional and defaults to /var/log/opc/pam_nss.log
log_file_path = /var/log/opc/pam_nss.log
#Enter the value for proxy usage to connect to Oracle Identity Cloud Service. Set the value to 1 to use a proxy and 0 to not use a proxy.
use_proxy=1
#Enter the information below if you set: use_proxy=1
#Enter the proxy url
proxy_url=http://proxy.example.com
#Enter the proxy port
proxy_port=80
#Enter the username to connect to the proxy url.
proxy_username=username_example
#Enter the password of username to connect proxy url.
proxy_pwd=pwd_example

Restart sssd and sshd:
- authconfig --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --update
- service sshd restart
- service sssd restart