Installing and Configuring the Linux PAM

The Pluggable Authentication Module (PAM) allows you to integrate your Linux environment with IAM to perform end-user authentication with first and second factor authentication.

What is the Linux PAM?

The PAM is an authentication module for Linux that performs end-user authentication with IAM.

The PAM also allows Linux administrators, or end users, to query information about users and groups stored in IAM using standard Linux commands that use NSS, such as id, groups, and getent.

Why use the Linux PAM?

Use the PAM when you want to authenticate users in Linux using IAM.

An organization might have large numbers of Linux servers, making management of users, for example creating, modifying, or deleting users, a time intensive and costly activity. With the Linux PAM you can manage Linux users centrally in IAM, providing cost and time savings.

Linux administrators can use IAM to authenticate end users. End users can log in to a Linux server, for example with SSH, and authenticate with their IAM user credentials. In addition, the multi-factor authentication offerings of IAM can be used so that end users are prompted to authenticate with a second factor, such as a One Time Password code sent by email, SMS, or a Mobile Authenticator application, or by answering security questions. As well as authenticating with single or multiple factors, administrators and end users can use NSS and standard Linux commands to query user and group information.

Certified Components for the Linux PAM

The following lists the certified operating system releases required for the Linux Pluggable Authentication Module (PAM) to run with IAM.

Note

Every PAM download includes all certified components.
  • 64-Bit Operating System: Yes (x86_64)
  • Operating System: Oracle Linux 6, Oracle Linux 7, Oracle Linux 8

Using the Console

Install and Configure the Linux PAM

Learn how to download, install, and configure the Linux Pluggable Authentication Module (PAM).

Downloading the Linux PAM

Installing the Linux PAM

To install the Linux Pluggable Authentication Module (PAM) on your Linux environment, you install the PAM RPMs along with their dependencies:

  1. Extract the downloaded zip file to a directory of your choice. This will extract the pam_oracle-cloud.rpm and authn_oracle_cloud.rpm.
  2. Check the curl and json-c Linux dependencies are installed:
    • As the root user, run the following commands:
      • yum list installed | grep curl.x86_64
      • yum list installed | grep json-c.x86_64
    • If they aren’t installed, run the following commands:
      • yum install json-c
      • yum install curl
  3. Change to the directory where you extracted the zip file:
    • cd <folder where pam_oracle-cloud.rpm resides>
  4. Install the PAM RPMs as the root user.
    • If using yum:
      • yum install pam_oracle-cloud.rpm authn-oracle-cloud.rpm
    • If using rpm:
      • rpm -Uvh pam_oracle-cloud.rpm authn-oracle-cloud.rpm
    A successful installation will install the following files:
    • pam_oracle_cloud.so in /lib64/security
    • libnss_oracle_cloud.so.2 in /lib64
    • libauthn_api.so in /usr/lib64/idcs-pam
    • libclntsh.so.11.1 in /usr/lib64/idcs-pam
    • libnnz12.so in /usr/lib64/idcs-pam
    • opc.conf in /etc
    • walletMgr in /usr/bin
Configuring a Confidential Application

To register the IAM Linux Pluggable Authentication Module (PAM) as a client application in IAM, you create a confidential application with the POSIX Viewer role.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Applications.
  2. Click Add application.
  3. In the Add application window, click Confidential Application, and then click Launch workflow.
  4. In the Add Confidential Application page, enter a Name for the application. Click Next.
  5. On the Add Confidential Application page, click Configure this application as a client now.
  6. In the Authorization section, select these two Allowed grant types:
    • Client Credentials
    • JWT Assertion
  7. Click Add app roles.
  8. In the Add app roles dialog box, select these roles:
    • Me
    • POSIX Viewer
    • Signin
    • Identity Domain Administrator or User Administrator
  9. Click Add.
  10. Click Next.
  11. Click Finish.
  12. Record the Client ID and Client Secret in the General Information section.
    To integrate with your confidential application, use this ID and secret as part of your connection settings. The Client ID and Client Secret are equivalent to a credential (for example, an ID and password) that your application uses to communicate with IAM.
  13. Return to the Add app roles dialog box, and remove the following administrator role: Identity Domain Administrator or User Administrator. If you don't remove this role, the application will fail during testing.
  14. At the top of the page, to the right of the application name, click Activate.
  15. In the Activate application dialog box, click Activate application.
Creating a Wallet

Configure a wallet on your Linux environment to store the client_id and client_secret of the confidential application with the POSIX Viewer role. This enables the Linux Pluggable Authentication Module (PAM) to communicate securely with the confidential application.

On the Linux environment, run the following commands as the root user:
  • walletMgr add <wallet_location> client_id <client_id>
  • walletMgr add <wallet_location> client_secret <client_secret>
For example:
$ walletMgr add /etc/opc-wallet/ client_id b6d001f65da542c38ceb284ea8a05926

wallet initialized successfully.
key client_id is added successfully in wallet.
$ walletMgr add /etc/opc-wallet/ client_secret fea39433-5115-4050-b486-138cce381fb2

wallet initialized successfully.
key client_secret is added successfully in wallet.

Configuring the Linux PAM

Configure the Linux Pluggable Authentication Module (PAM) on your Linux environment.

The PAM is configured using either the SSSD or NSCD service on Linux.

Note

The PAM can't be configured using both SSSD and NSCD simultaneously. Choose one configuration only. Choosing whether to use SSSD or NSCD is dependent on how your Linux environment is currently configured. Contact your Linux Administrator for details.
Configuring the PAM using SSSD

Configure the Linux Pluggable Authentication Module (PAM) on Linux using the SSSD service.

  • The SSSD service must be installed. If it is not installed, install via sudo yum install sssd.
  • The service must be configured to start when the system reboots. You can perform this configuration via sudo chkconfig sssd on.
  • The property SELINUX must be set as permissive or disabled in file /etc/selinux/config. If it is not set, then set SELINUX=permissive or SELINUX=disabled.
  • Restart Linux to incorporate the above changes.
  1. Verify that the /etc/sssd/sssd.conf file exists, has 600 permissions, and is owned by the root user. If the file doesn't exist, create it as follows and run chmod 600 /etc/sssd/sssd.conf.

    /etc/sssd/sssd.conf

    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = proxy_proxy
    [nss]
    fallback_homedir = /home/%u
    default_shell = /bin/sh

    [pam]
    [domain/proxy_proxy]
    auth_provider =  proxy
    id_provider = proxy
    proxy_lib_name = oracle_cloud
    proxy_pam_target = sssd_proxy_oracle_cloud
    enumerate =  false
    cache_credentials = true
    debug_level = 5
    min_id = 500
    Optionally, you can configure email addresses as the SSO usernames. To do this, add the re_expression line shown below to the [domain/proxy_proxy] section of the /etc/sssd/sssd.conf file to specify the regular expression.
    ...
    [pam]
    [domain/proxy_proxy]
    re_expression = (?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)
    auth_provider =  proxy
    id_provider = proxy
    ...
  2. Verify the /etc/pam.d/sssd_proxy_oracle_cloud file exists and is owned by the root user. If the file doesn’t exist, then create it as the root user and add the following:

    /etc/pam.d/sssd_proxy_oracle_cloud file

    auth          required      pam_oracle_cloud.so
    account       required      pam_oracle_cloud.so
    password      required      pam_oracle_cloud.so
    session       required      pam_oracle_cloud.so
  3. Edit the /etc/pam.d/sshd and add the pam_oracle_cloud module:

    /etc/pam.d/sshd

    auth sufficient pam_oracle_cloud.so
    Note

    The above has to be added before the following line: auth include password-auth. Ensure that the configuration looks like the following:
    auth required pam_sepermit.so
    auth sufficient pam_oracle_cloud.so
    auth include password-auth
    auth include postlogin
  4. Edit the /etc/ssh/sshd_config to configure sshd to allow the use of Multi-Factor Authentication:

    /etc/ssh/sshd_config

    Search for the ChallengeResponseAuthentication property and set it to yes. If the property isn’t in the configuration file, add it.

  5. Edit the /etc/opc.conf to allow the plugin to interact with IAM:

    /etc/opc.conf

    #This is sample format of opc.conf file, please use the correct information to configure this file.
    #Enter the Oracle Identity Cloud Service tenancy base url.
    base_url = https://identity-cloud-service-instance-url
    #There is no need to change value of scope.
    scope = urn:opc:idm:__myscopes__
    #Enter the location of the wallet.
    wallet_location = /etc/opc-wallet
    #Enter the log level, this is optional and the default is 0, which means no log. 0 - None, 1 - Error, 2 - Info, 3 - Debug.
    log_level = 0
    #Enter the log file path, this is optional and defaults to /var/log/opc/pam_nss.log
    log_file_path = /var/log/opc/pam_nss.log
    #Enter the value for proxy usage to connect to Oracle Identity Cloud Service. Set the value to 1 to use a proxy and 0 to not use a proxy.
    use_proxy=1
    #Enter the information below if you set: use_proxy=1
    #Enter the proxy url
    proxy_url=http://proxy.example.com
    #Enter the proxy port
    proxy_port=80
    #Enter the username to connect to the proxy url.
    proxy_username=username_example
    #Enter the password of username to connect proxy url.
    proxy_pwd=pwd_example
  6. Restart sssd and sshd:
    1. For OEL6 & OEL7: authconfig --enablemkhomedir --enablepamaccess --update
    2. For OEL8: authselect select sssd with-mkhomedir with-pamaccess
    3. Run: service sshd restart
    4. Run: service sssd restart
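The following script is added here as an example; it is not part of the Oracle documentation. It checks the files edited in the SSSD procedure above (and the sshd and PAM files that the NSCD procedure edits in the same way) for the mistakes that most often break the login: sssd.conf permissions, a proxy domain that does not select the oracle_cloud library or point at an existing PAM stack file, the pam_oracle_cloud line placed after the password-auth include, ChallengeResponseAuthentication not being the first effective value, and an opc.conf whose base_url is plain http or which enables a proxy without its address. All paths are parameters whose defaults are the paths from the procedure; the function names are the example's own.

```python
"""Added example, not from the Oracle documentation: sanity checks for the
files edited in the SSSD and NSCD procedures above. Each check takes a path
so it can run against a copy of the file; the defaults are the paths the
procedure uses. Nothing here changes a file."""
import configparser
import os
import stat
from typing import Dict, List, Optional


def _fields(line: str) -> List[str]:
    """Tokens of a config line with any trailing # comment removed."""
    return line.split("#", 1)[0].split()


def pam_sshd_order_ok(path: str = "/etc/pam.d/sshd") -> bool:
    """True when 'auth sufficient pam_oracle_cloud.so' precedes
    'auth include password-auth', as the sshd step of both procedures requires."""
    oracle_idx: Optional[int] = None
    include_idx: Optional[int] = None
    with open(path, encoding="utf-8") as fh:
        for idx, raw in enumerate(fh):
            fields = _fields(raw)
            if oracle_idx is None and fields[:3] == ["auth", "sufficient", "pam_oracle_cloud.so"]:
                oracle_idx = idx
            elif include_idx is None and fields[:3] == ["auth", "include", "password-auth"]:
                include_idx = idx
    return oracle_idx is not None and include_idx is not None and oracle_idx < include_idx


def challenge_response_enabled(path: str = "/etc/ssh/sshd_config") -> bool:
    """sshd keeps the first value it reads for a keyword (keywords are
    case-insensitive), so the first ChallengeResponseAuthentication line decides."""
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            fields = _fields(raw)
            if len(fields) >= 2 and fields[0].lower() == "challengeresponseauthentication":
                return fields[1].lower() == "yes"
    return False


def sssd_conf_perms_ok(path: str = "/etc/sssd/sssd.conf", require_root: bool = True) -> bool:
    """Step 1 requires mode 600 and root ownership (sssd rejects a more permissive
    file). require_root=False lets the mode check run on a copy you own."""
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode) == 0o600 and (not require_root or st.st_uid == 0)


def sssd_conf_issues(path: str = "/etc/sssd/sssd.conf", pam_dir: str = "/etc/pam.d") -> List[str]:
    """Findings for the proxy domain: every domain listed under [sssd] needs a
    section, proxy_lib_name must select the oracle_cloud NSS library, and
    proxy_pam_target must name a stack file that exists in pam_dir."""
    cfg = configparser.ConfigParser(interpolation=None)  # %u in fallback_homedir is literal
    cfg.read(path, encoding="utf-8")
    issues: List[str] = []
    domains = [d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        issues.append("[sssd] lists no domains")
    for name in domains:
        section = f"domain/{name}"
        if not cfg.has_section(section):
            issues.append(f"[{section}] is missing")
            continue
        if cfg.get(section, "id_provider", fallback="") != "proxy":
            continue
        if cfg.get(section, "proxy_lib_name", fallback="") != "oracle_cloud":
            issues.append(f"[{section}] proxy_lib_name must be oracle_cloud")
        target = cfg.get(section, "proxy_pam_target", fallback="")
        if not target or not os.path.isfile(os.path.join(pam_dir, target)):
            issues.append(f"[{section}] proxy_pam_target {target!r} has no stack file in {pam_dir}")
    return issues


def opc_conf_issues(path: str = "/etc/opc.conf") -> List[str]:
    """Findings for opc.conf (key = value lines, # comments): base_url must be
    https, log_level must be 0-3, and use_proxy=1 needs proxy_url and proxy_port."""
    values: Dict[str, str] = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if "=" in line:
                key, _, val = line.partition("=")
                values[key.strip()] = val.strip()
    issues: List[str] = []
    if not values.get("base_url", "").startswith("https://"):
        issues.append("base_url must be an https:// URL")
    if values.get("log_level", "0") not in {"0", "1", "2", "3"}:
        issues.append("log_level must be 0, 1, 2 or 3")
    if values.get("use_proxy", "0") == "1":
        for key in ("proxy_url", "proxy_port"):
            if not values.get(key):
                issues.append(f"use_proxy=1 but {key} is not set")
    return issues
```

Run it as root against the live files, or point each function at a copy. The sshd check deliberately reads the first ChallengeResponseAuthentication line rather than the last, because sshd applies the first value it finds for a keyword; a second "yes" added below an existing "no" changes nothing.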
Configuring the PAM using NSCD

Configure the Linux Pluggable Authentication Module (PAM) on Linux using the NSCD service.

  • The NSCD service should be installed. If it's not installed, install using sudo yum install nscd.
  • The service must be configured to start when the system reboots. You can perform this configuration using sudo chkconfig nscd on.
  • The property SELINUX must be set as permissive or disabled in file /etc/selinux/config. If it's not set, then set SELINUX=permissive or SELINUX=disabled.
  • Restart Linux to incorporate the above changes.
  1. Edit the /etc/nsswitch.conf and add oracle_cloud as follows:

    /etc/nsswitch.conf

    passwd:     files oracle_cloud
    group:      files oracle_cloud
  2. Edit the /etc/nscd.conf and enable caching in the nscd service:

    /etc/nscd.conf

    enable-cache        passwd      yes
    enable-cache        group       yes
  3. Edit the /etc/pam.d/sshd and add the pam_oracle_cloud module:

    /etc/pam.d/sshd

    auth sufficient pam_oracle_cloud.so
    #Note: the above has to be added before the following line:
    auth include password-auth
  4. Edit the /etc/ssh/sshd_config to configure sshd to allow the use of Multi-Factor Authentication:

    /etc/ssh/sshd_config

    #Search for the ChallengeResponseAuthentication property and set it to yes
    ChallengeResponseAuthentication  yes
  5. Edit the /etc/opc.conf to allow the plugin to interact with IAM:

    /etc/opc.conf

    #This is sample format of opc.conf file, please use the correct information to configure this file.
    #Enter the IAM tenancy base url.
    base_url = https://identity-cloud-service-instance-url
    #There is no need to change value of scope.
    scope = urn:opc:idm:__myscopes__
    #Enter the location of the wallet.
    wallet_location = /etc/opc-wallet
    #Enter the log level, this is optional and the default is 0, which means no log. 0 - None, 1 - Error, 2 - Info, 3 - Debug.
    log_level = 0
    #Enter the log file path, this is optional and defaults to /var/log/opc/pam_nss.log
    log_file_path = /var/log/opc/pam_nss.log
    #Enter the value for proxy usage to connect to IAM. Set the value to 1 to use a proxy and 0 to not use a proxy.
    use_proxy=1
    #Enter the information below if use_proxy=1
    #Enter the proxy url
    proxy_url=http://proxy.example.com
    #Enter the proxy port
    proxy_port=80
    #Enter the username to connect to the proxy url.
    proxy_username=username_example
    #Enter the password of username to connect proxy url.
    proxy_pwd=pwd_example
  6. Restart sshd and nscd:
    • authconfig --enablemkhomedir --enablepamaccess --update
    • service sshd restart
    • service nscd restart
Enforcing SELinux
Before you begin:

Check that the following packages are installed on Oracle Linux:

rpm -q selinux-policy-targeted policycoreutils libselinux-utils libselinux-python libselinux

Note

When you change the SELinux mode from Permissive or Disabled to Enforcing, you must reboot.
Create a policy and ensure that PAM works when SELinux is set to enforcing:
  1. Check that these packages are installed on Oracle Linux, and install any that are missing:
    rpm -q selinux-policy-targeted policycoreutils libselinux-utils libselinux-python libselinux
  2. Allow outbound communication on 443:
    $ sudo setsebool -P nis_enabled 1
  3. Create a local policy so that sssd_t can create the opc directory and create, read, and write the pam_nss.log file (the log path set in /etc/opc.conf). The policy source file doesn't need to be in any specific location because it is compiled by the SELinux utilities.
    1. Create the policy file, my-sssdbe.te, with the following content:

      my-sssdbe.te

      module my-sssdbe 1.0;

      require {
          type sssd_t;
          type var_log_t;
          type cert_t;
          type user_home_dir_t;
          class file { open read write };
          class dir { create write };
      }

      #============= sssd_t ==============
      #!!!! This avc is allowed in the current policy
      allow sssd_t cert_t:file write;
      allow sssd_t user_home_dir_t:dir write;
      allow sssd_t var_log_t:dir create;
      allow sssd_t var_log_t:file { open read };
  4. Run:
    $ semodule -i my-sssdbe.pp
  5. Run:
    $ ls my-sssdbe.pp my-sssdbe.te
  6. Finally, authenticate the PAM user again.
    The /opc dir and /opc/pam_nss.log file are created.

Configure PAM-enabled Groups and Users

Learn how to create new groups and users with POSIX Viewer role attributes, or add POSIX Viewer role attributes to existing groups and users, to allow end users on Linux to authenticate with IAM using the Linux Pluggable Authentication Module (PAM).

Obtaining an Access Token

Obtain an access token with Identity Domain Administrator or User Administrator privileges. This allows you to create groups and users with POSIX attributes, or add POSIX attributes to existing groups and users.

In the Linux environment, run the following command:
curl -k -X POST -u "client-id:client-secret" -d "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__" "https://identity-cloud-service-instance-url/oauth2/v1/token"

where:

  • client-id is the client ID of a confidential application with Identity Domain Administrator or User Administrator privileges
  • client-secret is the client secret of a confidential application with administrative privileges
  • identity-cloud-service-instance-url is your IAM Instance URL
Note

The PAM confidential application client-id and client-secret are used by the PAM client library to create both groups or POSIX groups.

To create a POSIX group, use the following endpoint with an admin access token.
/ui/v1/groups
Creating a Group with POSIX Attributes

Create a group with POSIX attributes.

  1. Create a group.json file with the following request body:

    group.json

    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group",
        "urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group",
        "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:Group"
      ],
      "displayName": "posix group",
      "urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group": {
        "description": "",
        "creationMechanism": "idcsui"
      },
      "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:Group": {
        "gidNumber": 11010
      },
      "members": []
    }

    where:

    • displayName is set to the name of the group that you wish to create
    • gidNumber must be set to a unique group id (gid) number. Use the getent group command on Linux to see the existing group gid's.
  2. Run the following curl command to create the group:
    curl -k -X POST -H "Content-Type: application/json" -H "Authorization: Bearer <token-string>" "https://identity-cloud-service-instance-url/admin/v1/Groups" -d '@group.json'

    where:

    • token-string is the OAuth access token that you obtained
    • identity-cloud-service-instance-url is your IAM Instance URL
    Note

    You can't create a group with POSIX attributes using the Console.
Creating a User with POSIX Attributes and Adding It to a Group

Create a user with POSIX attributes and add the user to the group previously created.

  1. Create a user.json file with the following request body:

    user.json

    {
      "password": "Securepasswd@1",
      "userName": "userPosix",
      "Name.givenName": "user",
      "Name.familyName": "Posix",
      "userType": "Employee",
      "emails": [
        {
          "value": "user.posix@example.com",
          "type": "work",
          "primary": true
        },
        {
          "value": "posix@example.com",
          "type": "home"
        }
      ],
      "addresses": [
        {
          "type": "work",
          "primary": true,
          "streetAddress": "401 Island Parkway",
          "locality": "Redwood Shores",
          "region": "California",
          "postalCode": "94065",
          "country": "US",
          "formatted": "userPosix"
        }
      ],
      "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User": {
        "homeDirectory": "/home/userPosix",
        "loginShell": "/bin/bash",
        "gecos": "userPosix 24855",
        "uidNumber": 12001,
        "gidNumber": 11010
      },
      "meta": {
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User"
      ]
    }

    where:

    • userName is set to the username of the user that you want to create
    • homeDirectory is set to the location of the user's home directory
    • loginShell is set to the default shell
    • gecos is set to general information about the user, for example the user's username and phone number
    • uidNumber must be set to a unique user id (uid) number in Linux. Use the getent passwd command on Linux to see existing users and their uid's
    • gidNumber must be set to the group id (gid) number created previously
  2. Run the following curl command to create the user and add it to the group:

    curl -k -X POST -H "Content-Type: application/json" -H "Authorization: Bearer <token-string>" "https://identity-cloud-service-instance-url/admin/v1/Users" -d '@user.json'

    where:

    • token-string is the OAuth access token that you obtained
    • identity-cloud-service-instance-url is your IAM Instance URL
    Note

    You can't create a user with POSIX attributes using the Console.

    After the user is created, the user will be sent a notification email to activate their account and set a new password. The user must activate their account before testing authentication in Linux.
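As an added example that is not from the Oracle documentation, the script below builds the group.json and user.json bodies shown in the two procedures above and enforces the uniqueness rule those steps state for gidNumber and uidNumber by comparing the requested ids against the ids in getent passwd and getent group output (a constructed sample is embedded; local_ids() reads the live databases). The request itself is still sent with curl as in the procedure. Function and constant names are the example's own, and the handling of the password field is an assumption noted in the code.

```python
"""Added example, not from the Oracle documentation: build the group.json and
user.json bodies shown above and refuse uidNumber/gidNumber values that already
exist locally, read from the output of 'getent passwd' and 'getent group' (the
check the procedure asks you to do by eye). Only the JSON is prepared here."""
import json
import subprocess
from typing import Any, Dict, Optional, Set

CORE_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
IDCS_GROUP = "urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group"
POSIX_GROUP = "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:Group"
POSIX_USER = "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User"

# Constructed sample output of 'getent passwd' and 'getent group' (not a real host).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nopc:x:1000:1000::/home/opc:/bin/bash\n"
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:opc\nopc:x:1000:\n"


def ids_from_getent(text: str) -> Set[int]:
    """Numeric ids from passwd/group lines (name:x:id:...); other lines are ignored."""
    ids: Set[int] = set()
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            ids.add(int(parts[2]))
    return ids


def local_ids(database: str) -> Set[int]:
    """Ids currently visible through NSS: database is 'passwd' or 'group'."""
    out = subprocess.run(["getent", database], capture_output=True, text=True, check=True).stdout
    return ids_from_getent(out)


def group_body(display_name: str, gid: int, local_gids: Set[int]) -> Dict[str, Any]:
    """group.json as above; a gid that a local group already uses is rejected."""
    if gid in local_gids:
        raise ValueError(f"gidNumber {gid} is already used by a local group")
    return {
        "schemas": [CORE_GROUP, IDCS_GROUP, POSIX_GROUP],
        "displayName": display_name,
        IDCS_GROUP: {"description": "", "creationMechanism": "idcsui"},
        POSIX_GROUP: {"gidNumber": gid},
        "members": [],
    }


def user_body(user_name: str, given: str, family: str, email: str, uid: int, gid: int,
              local_uids: Set[int], local_gids: Set[int], shell: str = "/bin/bash",
              password: Optional[str] = None) -> Dict[str, Any]:
    """user.json as above, without the optional address block. The uid must be new
    locally, and the gid (the POSIX group's gid) must not collide with a local
    group either. password is included only when given; the assumption is that
    omitting it leaves the user to set one from the activation email."""
    if uid in local_uids:
        raise ValueError(f"uidNumber {uid} is already used by a local user")
    if gid in local_gids:
        raise ValueError(f"gidNumber {gid} is already used by a local group")
    body: Dict[str, Any] = {
        "userName": user_name,
        "Name.givenName": given,
        "Name.familyName": family,
        "userType": "Employee",
        "emails": [{"value": email, "type": "work", "primary": True}],
        POSIX_USER: {
            "homeDirectory": f"/home/{user_name}",
            "loginShell": shell,
            "gecos": f"{given} {family}",
            "uidNumber": uid,
            "gidNumber": gid,
        },
        "meta": {"resourceType": "User"},
        "schemas": [CORE_USER, POSIX_USER],
    }
    if password is not None:
        body["password"] = password
    return body


if __name__ == "__main__":
    gids = ids_from_getent(SAMPLE_GROUP)
    uids = ids_from_getent(SAMPLE_PASSWD)
    # Write the files that the curl commands above post with -d '@group.json' / '@user.json'.
    with open("group.json", "w", encoding="utf-8") as fh:
        json.dump(group_body("posix group", 11010, gids), fh, indent=2)
    with open("user.json", "w", encoding="utf-8") as fh:
        json.dump(user_body("userPosix", "user", "Posix", "user.posix@example.com",
                            12001, 11010, uids, gids), fh, indent=2)
    print("wrote group.json and user.json")
```

On a real host replace the sample strings with local_ids("passwd") and local_ids("group"), run as the user who will execute the curl commands, and post the written files exactly as the procedure shows. The collision check matters because an IAM user whose uidNumber or gidNumber duplicates a local account resolves ambiguously through NSS once the oracle_cloud source is enabled.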

Adding POSIX Attributes to Existing Groups

Add POSIX attributes to existing groups.

  1. Create a group_update.json file with the following request body:

    group_update.json

    {
      "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
      ],
      "Operations": [
        {
          "op": "add",
          "path": "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:Group:gidNumber",
          "value": 11020
        }
      ]
    }

    where:

    • gidNumber must be set to a unique group id (gid) number. Use the getent group command on Linux to see the existing group gid's.
  2. Run the following curl command to retrieve the group id's:
    curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer <token-string>" "https://identity-cloud-service-instance-url/admin/v1/Groups"

    where:

    • token-string is the OAuth access token that you obtained
    • identity-cloud-service-instance-url is your IAM Instance URL

    In the response, note the id of the group you want to update with POSIX attributes. For example, in the response below, the Marketing group id is 8c1f45fee6354e20aa9e57079082d6a2:

    .....
    	{
          "displayName": "Marketing",
          "idcsLastModifiedBy": {
            "type": "User",
            "value": "f142a5ce639643c2befe8deb0ca5bcec",
            "display": "admin example",
            "$ref": "https://identity-cloud-service-instance-url/admin/v1/Users/f142a5chjky3c2befe8deb0ca5bcec"
          },
          "idcsCreatedBy": {
            "type": "User",
            "display": "admin example",
            "value": "f142a5ce639643c2befe8deb0ca5bcec",
            "$ref": "https://identity-cloud-service-instance-url/admin/v1/Users/f142a5chjky3c2befe8deb0ca5bcec"
          },
          "id": "8c1f45fee6354e20aa9e57079082d6a2",
          "meta": {
            "created": "2019-06-10T13:23:59.451Z",
            "lastModified": "2019-06-10T13:23:59.451Z",
            "resourceType": "Group",
            "location": "https://identity-cloud-service-instance-url/admin/v1/Groups/8c1f45fee6354e20aa9e57079082d6a2"
          },
          "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:Group"
          ]
        },
        .....
  3. Run the following curl command to update the group:
    curl -k -X PATCH -H "Content-Type: application/json" -H "Authorization: Bearer <token-string>" "https://identity-cloud-service-instance-url/admin/v1/Groups/<id>" -d '@group_update.json'

    where:

    • token-string is the OAuth access token that you obtained
    • identity-cloud-service-instance-url is your IAM Instance URL
    • id is the id for the group that you want to update with POSIX attributes
    Note

    You can't update a group with POSIX attributes using the Console.
Adding POSIX Attributes to Existing Users

Add POSIX attributes to existing users.

Note

In order to add POSIX attributes to an existing user, that user must first be part of a group, and that group must have POSIX attributes.
  1. Create a user_update.json file with the following request body:

    user_update.json

    {
      "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
      ],
      "Operations": [
        {
          "op": "add",
          "path": "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User:homeDirectory",
          "value": "/home/msmith"
        },
        {
          "op": "add",
          "path": "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User:gecos",
          "value": "msmith 25895"
        },
        {
          "op": "add",
          "path": "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User:uidNumber",
          "value": 12002
        },
        {
          "op": "add",
          "path": "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User:gidNumber",
          "value": 11020
        },
        {
          "op": "add",
          "path": "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User:loginShell",
          "value": "/bin/bash"
        }
      ]
    }

    where:

    • homeDirectory is set to the location of the user's home directory
    • gecos is set to general information about the user, for example the user's username and phone number
    • uidNumber must be set to a unique user id (uid) number in Linux. Use the getent passwd command on Linux to see existing users and their uid's
    • gidNumber must be set to the group id (gid) number updated previously
    • loginShell is set to the default shell
  2. Run the following curl command to retrieve the user id's:
    curl -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer <token-string>" "https://identity-cloud-service-instance-url/admin/v1/Users"

    where:

    • token-string is the OAuth access token that you obtained
    • identity-cloud-service-instance-url is your IAM Instance URL

    In the response, note the id of the user you want to update with POSIX attributes. For example, in the response below, the msmith user id is e5438fce80374d539b8638c289036ecd:

    ....
    {
      "idcsCreatedBy": {
            "type": "User",
            "display": "admin example",
            "value": "f142a5ce639643c2befe8deb0ca5bcec",
            "$ref": "https://identity-cloud-service-instance-url/admin/v1/Users/f142a5chjky3c2befe8deb0ca5bcec"
          },
          "id": "e5438fce80374d539b8638c289036ecd",
          "meta": {
            "created": "2019-06-10T13:24:38.184Z",
            "lastModified": "2019-06-10T13:28:50.096Z",
            "resourceType": "User",
            "location": "https://identity-cloud-service-instance-url/admin/v1/Users/e5438fce80374d539b8638c289036ecd"
          },
          "active": true,
          "displayName": "Mark Smith",
    ...
  3. Run the following curl command to update the user:
    curl -k -X PATCH -H "Content-Type: application/json" -H "Authorization: Bearer <token-string>" "https://identity-cloud-service-instance-url/admin/v1/Users/<id>" -d '@user_update.json'

    where:

    • token-string is the OAuth access token that you obtained
    • identity-cloud-service-instance-url is your IAM Instance URL
    • id is the id for the user that you want to update with POSIX attributes
    Note

    You can't update a user with POSIX attributes using the Console.
Verifying Endpoints

Verify that you can view users and groups and their POSIX attributes.

  1. Obtain a POSIX access token by running the following curl command:
    curl -k -X POST -u "client-id:client-secret" -d "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__" "https://identity-cloud-service-instance-url/oauth2/v1/token"

    where:

    • client-id is the client ID for the POSIX confidential application
    • client-secret is the client secret for the POSIX confidential application
    • identity-cloud-service-instance-url is your IAM Instance URL
  2. Run the following curl command to view users with POSIX attributes:
    curl -k -X GET -H "Authorization: Bearer <token-string>" "https://identity-cloud-service-instance-url/admin/v1/Users"

    where:

    • token-string is the OAuth POSIX access token that you obtained
    • identity-cloud-service-instance-url is your IAM Instance URL

    An example response is as follows:

    GET HOST/admin/v1/Users

    {
      "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
      ],
      "totalResults": 3,
      "Resources": [
        {
          "id": "af79f523f0f8416fb4407ed80a3bdbcb",
          "userName": "userPosix",
          "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User": {
            "homeDirectory": "/home/userPosix",
            "loginShell": "/bin/bash",
            "gidNumber": 12001,
            "gecos": "userPosix 24855",
            "uidNumber": 11010
          }
        },
        {
          "id": "e5438fce80374d539b8638c289036ecd",
          "userName": "msmith",
          "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User": {
            "homeDirectory": "/home/msmith",
            "loginShell": "/bin/bash",
            "gidNumber": 11020,
            "gecos": "msmith 25895",
            "uidNumber": 12002
          }
        },
        {
          "id": "f142a5ce639643c2befe8deb0ca5bcec",
          "userName": "admin@example.com"
        }
      ],
      "startIndex": 1,
      "itemsPerPage": 50
    }
  3. Run the following curl command to view groups with POSIX attributes:
    curl -k -X GET -H "Authorization: Bearer <token-string>" "https://identity-cloud-service-instance-url/admin/v1/Groups"

    where:

    • token-string is the OAuth POSIX access token that you obtained
    • identity-cloud-service-instance-url is your IAM URL

    An example response is as follows:

    GET HOST/admin/v1/Groups

    
    {
      "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
      ],
      "totalResults": 3,
      "Resources": [
        {
          "displayName": "posix group",
          "id": "afb20ea78e84421aaba7009adf212ecf",
          "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:Group": {
            "gidNumber": 11010
          },
          "members": [
            {
              "value": "af79f523f0f8416fb4407ed80a3bdbcb",
              "type": "User",
              "display": "user Posix",
              "name": "userPosix",
              "$ref": "https://identity-cloud-service-instance-url/admin/v1/Users/af79f523f0f8416fb4407ed80a3bdbcb"
            }
          ]
        },
        {
          "displayName": "Marketing",
          "id": "8c1f45fee6354e20aa9e57079082d6a2",
          "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:Group": {
            "gidNumber": 11020
          },
          "members": [
            {
              "value": "e5438fce80374d539b8638c289036ecd",
              "type": "User",
              "display": "Mark Smith",
              "name": "msmith",
              "$ref": "https://identity-cloud-service-instance-url/admin/v1/Users/e5438fce80374d539b8638c289036ecd"
            }
          ]
        },
        {
          "displayName": "All Tenant Users",
          "id": "AllUsersId"
        }
      ],
      "startIndex": 1,
      "itemsPerPage": 50
    }
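The following Python is added here as an example and is not taken from the Oracle documentation. It works with the ListResponse bodies returned by the GET calls in the "Adding POSIX Attributes" and "Verifying Endpoints" sections above: it looks up the id to place in the PATCH URL by displayName or userName, builds the group_update.json and user_update.json PatchOp bodies, enforces the note that a user's gidNumber must belong to a group that already carries POSIX attributes, and cross-checks the user and group listings for duplicate ids and for users whose gidNumber matches no POSIX group. The embedded sample data is constructed from the example responses on this page; with that data the cross-check reports userPosix, whose gidNumber 12001 matches no group (compare the uidNumber and gidNumber in user.json above). Function names are the example's own.

```python
"""Added example, not from the Oracle documentation: helpers for the
/admin/v1/Users and /admin/v1/Groups ListResponse bodies shown above."""
from typing import Any, Dict, List, Optional

POSIX_GROUP = "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:Group"
POSIX_USER = "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed from the example responses on this page (only the fields used here).
SAMPLE_USERS: Dict[str, Any] = {"totalResults": 3, "Resources": [
    {"id": "af79f523f0f8416fb4407ed80a3bdbcb", "userName": "userPosix",
     POSIX_USER: {"homeDirectory": "/home/userPosix", "loginShell": "/bin/bash",
                  "gidNumber": 12001, "gecos": "userPosix 24855", "uidNumber": 11010}},
    {"id": "e5438fce80374d539b8638c289036ecd", "userName": "msmith",
     POSIX_USER: {"homeDirectory": "/home/msmith", "loginShell": "/bin/bash",
                  "gidNumber": 11020, "gecos": "msmith 25895", "uidNumber": 12002}},
    {"id": "f142a5ce639643c2befe8deb0ca5bcec", "userName": "admin@example.com"}]}
SAMPLE_GROUPS: Dict[str, Any] = {"totalResults": 3, "Resources": [
    {"displayName": "posix group", "id": "afb20ea78e84421aaba7009adf212ecf",
     POSIX_GROUP: {"gidNumber": 11010}},
    {"displayName": "Marketing", "id": "8c1f45fee6354e20aa9e57079082d6a2",
     POSIX_GROUP: {"gidNumber": 11020}},
    {"displayName": "All Tenant Users", "id": "AllUsersId"}]}


def find_id(listing: Dict[str, Any], attr: str, value: str) -> Optional[str]:
    """id of the first resource whose attribute (displayName or userName) equals value."""
    for res in listing.get("Resources", []):
        if res.get(attr) == value:
            return res.get("id")
    return None


def posix_gids(groups: Dict[str, Any]) -> Dict[int, str]:
    """gidNumber -> group id for every group that carries the POSIX extension."""
    return {res[POSIX_GROUP]["gidNumber"]: res["id"]
            for res in groups.get("Resources", []) if POSIX_GROUP in res}


def group_patch_body(gid: int) -> Dict[str, Any]:
    """group_update.json: add gidNumber to an existing group."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "add", "path": f"{POSIX_GROUP}:gidNumber", "value": gid}]}


def user_patch_body(groups: Dict[str, Any], attrs: Dict[str, Any]) -> Dict[str, Any]:
    """user_update.json: one 'add' op per POSIX attribute in attrs. attrs must
    include gidNumber, and that gid must belong to a group that already has POSIX
    attributes (the prerequisite stated in the note above)."""
    gid = attrs.get("gidNumber")
    if gid not in posix_gids(groups):
        raise ValueError(f"gidNumber {gid} does not belong to a group with POSIX attributes")
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "add", "path": f"{POSIX_USER}:{name}", "value": value}
                           for name, value in attrs.items()]}


def consistency_findings(users: Dict[str, Any], groups: Dict[str, Any]) -> List[str]:
    """Cross-check the two listings: gids carried by more than one group, uids
    shared by more than one user, and users whose gidNumber matches no POSIX group."""
    findings: List[str] = []
    gid_count: Dict[int, int] = {}
    for res in groups.get("Resources", []):
        if POSIX_GROUP in res:
            gid = res[POSIX_GROUP]["gidNumber"]
            gid_count[gid] = gid_count.get(gid, 0) + 1
    findings += [f"gidNumber {g} is carried by {n} groups" for g, n in gid_count.items() if n > 1]
    seen_uids: Dict[int, str] = {}
    for res in users.get("Resources", []):
        posix = res.get(POSIX_USER)
        if not posix:
            continue  # accounts without POSIX attributes (such as the admin) are expected
        name = res.get("userName", res.get("id"))
        uid, gid = posix.get("uidNumber"), posix.get("gidNumber")
        if uid in seen_uids:
            findings.append(f"uidNumber {uid} is shared by {seen_uids[uid]} and {name}")
        seen_uids[uid] = name
        if gid not in gid_count:
            findings.append(f"{name}: gidNumber {gid} matches no POSIX group")
    return findings


if __name__ == "__main__":
    print("Marketing id:", find_id(SAMPLE_GROUPS, "displayName", "Marketing"))
    print(user_patch_body(SAMPLE_GROUPS, {"homeDirectory": "/home/msmith", "gecos": "msmith 25895",
                                          "uidNumber": 12002, "gidNumber": 11020, "loginShell": "/bin/bash"}))
    for finding in consistency_findings(SAMPLE_USERS, SAMPLE_GROUPS):
        print("finding:", finding)
```

To use it with live data, load the JSON that the two GET commands return (json.load on the saved curl output) in place of the sample dictionaries; the listings above are paged (startIndex and itemsPerPage), so fetch every page before running consistency_findings, otherwise a gid defined on a later page is reported as missing.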
Testing Authentication into Linux Using IAM

Test authentication on Linux using a user in IAM.

Before you begin: Ensure that you have configured your Confidential Application and that it contains only the following roles:
  • Me
  • POSIX Viewer
  • Signin
Identity Domain Administrator or User Administrator should not be listed. See Configuring a Confidential Application for additional information.
  1. SSH into your Linux environment where the Linux Pluggable Authentication Module (PAM) is installed.
  2. When prompted enter the password for the IAM user:

    For example:

    # ssh userPosix@host.example.com
    password:
    
    Last login: Thur Mar 28th 12:14:04 2019 from host.example.com
    [userPosix@host ~]$ 
You should be logged in successfully.
Enabling MFA to Authenticate into Linux

Learn how to set up Multi-Factor Authentication (MFA) so Linux users can authenticate using multiple factors.

  1. Enable the MFA factors for your requirements. See Configuring Multi-Factor Authentication Settings and Configuring Authentication Factors.
  2. Create a group for MFA, and add the POSIX Users to this group.
    1. Navigate to Groups > Create group.
    2. Enter the Name of the group.
    3. Search for the POSIX users you want to enable for MFA.
    4. Select the users and click Create.
  3. Create a Sign-On rule.
    1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
    2. Select the identity domain you want to work in and click Security and then Sign-on policies.
    3. Click the Default Sign-On Policy.
    4. Click Add sign-on rule.
    5. Enter a Rule name. Under Conditions, in the Group membership field, type and select the group that you created above. Under Actions, ensure that Allow access and Prompt for an additional factor are checked. Change Enrollment to Optional and click Add sign-on rule.
      Note

      The only sign-on policy that the Linux Pluggable Authentication Module (PAM) supports is the Default Sign-On Policy.
  4. Move the newly created sign-on rule to the top by clicking the sign-on rule and dragging it to the top of the list. Click Save. This ensures that this rule gets evaluated first so that users belonging to the chosen group are prompted for MFA when they sign in.
  5. Sign in to IAM as a user in the MFA Group, for example via https://identity-cloud-service-instance-url/ui/v1/myconsole
  6. Enroll the user in MFA and select the factors to enroll in.
    Note

    Backup factors aren’t currently supported with the IAM Linux PAM.
  7. After the user is enrolled in MFA, test authentication on Linux:
    1. SSH into your Linux environment where the IAM Linux PAM is installed.
    2. When prompted enter the password for the IAM user.
    3. Enter the second factor with which to authenticate.
    For example, for a user who has configured SMS as their second factor:
    # ssh userPosix@host.example.com
    password:
    Complete 2-Step Verification
    
    An SMS that contains a passcode was sent to +1XXXXXXX455. Enter the passcode or use the following option, and then press Enter:
    r - Resend passcode
    Enter the passcode or an option (r):
    
    Last login: Thu Mar 28 16:18:52 2019 from localhost
    [userPosix@host ~]$