Configure the PAM using SSSD

Configure the Oracle Identity Cloud Service Linux Pluggable Authentication Module (PAM) on Linux using the SSSD service.

Note:

The following prerequisites must be met before proceeding with the configuration.
  • The SSSD service should be installed. If it is not installed, install via sudo yum install sssd.
  • The service must be configured to start when the system reboots. You can perform this configuration via sudo chkconfig sssd on.
  • The property SELINUX must be set as permissive or disabled in file /etc/selinux/config. If it is not set, then set SELINUX=permissive or SELINUX=disabled.
  • Restart Linux to incorporate the above changes.
  1. Verify the /etc/sssd/sssd.conf file exists, has 600 permission, and is owned by the root user. If the file does not exist create it as follows and run chmod 600 /etc/sssd/sssd.conf.

    /etc/sssd/sssd.conf

    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = proxy_proxy
    [nss]
    fallback_homedir = /home/%u
    default_shell = /bin/sh
       
    [pam]
    [domain/proxy_proxy]
    auth_provider =  proxy
    id_provider = proxy
    proxy_lib_name = oracle_cloud
    proxy_pam_target = sssd_proxy_oracle_cloud
    enumerate =  false
    cache_credentials = true
    debug_level = 5
    min_id = 500
  2. Verify the /etc/pam.d/sssd_proxy_oracle_cloud file exists and is owned by the root user. If the file does not exist then create it as the root user and add the following:

    /etc/pam.d/sssd_proxy_oracle_cloud file

    auth          required      pam_oracle_cloud.so
    account       required      pam_oracle_cloud.so
    password      required      pam_oracle_cloud.so
    session       required      pam_oracle_cloud.so
  3. Edit the /etc/pam.d/sshd and add the pam_oracle_cloud module:

    /etc/pam.d/sshd

    auth sufficient pam_oracle_cloud.so
      
    #Note: the above has to be added before the following line:
    auth include password-auth
  4. Edit the /etc/ssh/sshd_config to configure sshd to allow the use of Multi-Factor Authentication:

    /etc/ssh/sshd_config

    #Search for the ChallengeResponseAuthentication property and set it to yes
    ChallengeResponseAuthentication  yes
  5. Edit the /etc/opc.confg to allow the plugin to interact with Oracle Identity Cloud Service:

    /etc/opc.conf

    #This is sample format of opc.conf file, please use the correct information to configure this file.
    #Enter the Oracle Identity Cloud Service tenancy base url.
    base_url = https://identity-cloud-service-instance-url
    #There is no need to change value of scope.
    scope = urn:opc:idm:__myscopes__
    #Enter the location of the wallet.
    wallet_location = /etc/opc-wallet
    #Enter the log level, this is optional and the default is 0, which means no log. 0 - None, 1 - Error, 2 - Info, 3 - Debug.
    log_level = 0
    #Enter the log file path, this is optional and defaults to /var/log/opc/pam_nss.log
    log_file_path = /var/log/opc/pam_nss.log
    #Enter the value for proxy usage to connect to Oracle Identity Cloud Service. Set the value to 1 to use a proxy and 0 to not use a proxy.
    use_proxy=1
    #Enter the information below if use_proxy=1
    #Enter the proxy url
    proxy_url=http://proxy.example.com
    #Enter the proxy port
    proxy_port=80
    #Enter the username to connect to the proxy url.
    proxy_username=username_example
    #Enter the password of username to connect proxy url.
    proxy_pwd=pwd_example
  6. Restart sssd and sshd:
    • authconfig --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --update
    • service sshd restart
    • service sssd restart