Configure the Linux-PAM using NSCD

Configure the Oracle Identity Cloud Service Linux Pluggable Authentication Module (PAM) on Linux using the NSCD service.


The following prerequisites must be met before proceeding with the configuration.
  • The NSCD service must be installed. If it is not installed, install it with sudo yum install nscd.
  • The service must be configured to start when the system reboots. To do this, run sudo chkconfig nscd on.
  • The SELINUX property in the file /etc/selinux/config must be set to permissive or disabled. If it is not, set SELINUX=permissive or SELINUX=disabled. In permissive mode SELinux logs policy violations without enforcing them; disabled turns SELinux off.
  • Restart Linux to incorporate the above changes.
  1. Edit the /etc/nsswitch.conf and add oracle_cloud as follows:


    passwd:     files oracle_cloud
    group:      files oracle_cloud
  2. Edit the /etc/nscd.conf and enable caching in the nscd service:


    enable-cache        passwd      yes
    enable-cache        group       yes
  3. Edit the /etc/pam.d/sshd and add the pam_oracle_cloud module:


    auth sufficient pam_oracle_cloud.so
    #Note: the above has to be added before the following line:
    auth include password-auth
  4. Edit the /etc/ssh/sshd_config to configure sshd to allow the use of Multi-Factor Authentication:


    #Search for the ChallengeResponseAuthentication property and set it to yes
    ChallengeResponseAuthentication  yes
  5. Edit the /etc/opc.conf to allow the plugin to interact with Oracle Identity Cloud Service:


    #This is a sample format of the opc.conf file; use the correct information to configure this file.
    #Enter the Oracle Identity Cloud Service tenancy base url.
    base_url = https://identity-cloud-service-instance-url
    #There is no need to change value of scope.
    scope = urn:opc:idm:__myscopes__
    #Enter the location of the wallet.
    wallet_location = /etc/opc-wallet
    #Enter the log level, this is optional and the default is 0, which means no log. 0 - None, 1 - Error, 2 - Info, 3 - Debug.
    log_level = 0
    #Enter the log file path, this is optional and defaults to /var/log/opc/pam_nss.log
    log_file_path = /var/log/opc/pam_nss.log
    #Enter the value for proxy usage to connect to Oracle Identity Cloud Service. Set the value to 1 to use a proxy and 0 to not use a proxy.
    #Enter the information below if use_proxy=1
    #Enter the proxy url
    #Enter the proxy port
    #Enter the username to connect to the proxy url.
    #Enter the password of the username used to connect to the proxy url.
  6. Update the authentication configuration, then restart sshd and nscd:
    • authconfig --enablemkhomedir --enablepamaccess --update
    • service sshd restart
    • service nscd restart
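
The following check script is an added example, not part of the original documentation. It verifies the edits from steps 1 through 4 in the files named above, including the required ordering in /etc/pam.d/sshd. The function names and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the files edited in steps 1-4.
# Usage after sourcing: audit_opc_pam [ROOT]   (ROOT is a hypothetical prefix
# for testing against copies; leave it empty to check the live system)

# nsswitch.conf: the database line must list oracle_cloud as a source.
has_nss_source() {  # $1=file $2=database (passwd|group)
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "oracle_cloud") ok = 1 }
                     END { exit !ok }' "$1"
}

# nscd.conf: an uncommented "enable-cache <service> yes" must be present.
has_nscd_cache() {  # $1=file $2=service
    awk -v svc="$2" '$1 == "enable-cache" && $2 == svc && $3 == "yes" { ok = 1 }
                     END { exit !ok }' "$1"
}

# pam.d/sshd: an uncommented auth line naming pam_oracle_cloud must exist and
# must appear before "auth include password-auth", as step 3 requires.
pam_order_ok() {  # $1=file
    awk '$1 == "auth" && $0 ~ /pam_oracle_cloud/ && !mod { mod = NR }
         $1 == "auth" && $2 == "include" && $3 == "password-auth" && !inc { inc = NR }
         END { exit !(mod && (!inc || mod < inc)) }' "$1"
}

# sshd_config: sshd uses the first value it reads for a keyword, so only the
# first uncommented ChallengeResponseAuthentication line is evaluated.
sshd_challenge_ok() {  # $1=file
    awk 'tolower($1) == "challengeresponseauthentication" { v = tolower($2); exit }
         END { exit !(v == "yes") }' "$1"
}

# Run one check, print PASS/FAIL, and count failures.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fails=$((fails + 1)); fi; }

# Returns the number of failed checks (0 means every edit is in place).
audit_opc_pam() {  # $1=optional root prefix
    root="${1:-}"; fails=0
    report has_nss_source    "$root/etc/nsswitch.conf" passwd
    report has_nss_source    "$root/etc/nsswitch.conf" group
    report has_nscd_cache    "$root/etc/nscd.conf" passwd
    report has_nscd_cache    "$root/etc/nscd.conf" group
    report pam_order_ok      "$root/etc/pam.d/sshd"
    report sshd_challenge_ok "$root/etc/ssh/sshd_config"
    return "$fails"
}
```

A missing or unreadable file is reported as FAIL for the checks that depend on it.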