Using LDAP/Centrify with Oracle Grid Control/Enterprise Manager 11g

The background for this post is found here

We are currently using Oracle Grid Control 11g to monitor and manage most of our production and development Oracle database and application servers.  When posed with the task of doing some tablespace reorganizations, I opted to embrace the GUI and click my way to what is usually a tedious task.  Unfortunately I hit a brick wall when I needed to enter my user credentials for the host system to do some of the OS level tasks.

In an “ideal” world, there is no such thing as identity management and all of your logins are local to the box that you are interested in working on.  Oh, and you have root access.  In reality, most organizations use some sort of tool like Centrify to allow users a single sign-on for Unix/Linux hosts in their mixed environments.  Unfortunately Oracle Enterprise Manager needs a little help to work with non-local logins.

So how do I make my LDAP login work with OEM when administering remote hosts?  Here is a quick and dirty solution (for Centrify).

Oracle Enterprise Manager does support PAM authentication. To enable PAM authentication, create a file called /etc/pam.d/emagent and include the following lines so the authentication for AD users passes through Centrify PAM modules:

#Centrify mod
auth       sufficient     pam_centrifydc.so
auth       requisite      pam_centrifydc.so deny
account    sufficient     pam_centrifydc.so
account    requisite      pam_centrifydc.so deny
session    required       pam_centrifydc.so homedir
password   sufficient     pam_centrifydc.so try_first_pass
password   requisite      pam_centrifydc.so deny

Note: it is important that these lines be at the beginning of the file – before other lines.

Then restart the Oracle EM agent(s) to reload these directives.
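A small check, added here as an example and not part of the original post or of any Centrify or Oracle tooling, that verifies an /etc/pam.d/emagent-style stack against the two points above: the Centrify lines must come before any other line, and each "sufficient" Centrify line must be backed by a "requisite ... deny" line so a user who fails Centrify is rejected rather than passed on to a later module. The sample stacks are constructed for the demonstration.

```python
"""Added example (not from the post, Centrify or Oracle): check that an
/etc/pam.d/emagent-style stack keeps the pam_centrifydc.so lines ahead of
every other line and backs each 'sufficient' line with 'requisite ... deny'."""

CENTRIFY = "pam_centrifydc.so"

def parse_pam(text):
    """Return (group, control, module, args) tuples; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries

def check_emagent_stack(text):
    """Return a list of problems; an empty list means the stack passes."""
    problems = []
    entries = parse_pam(text)
    centrify_idx = [i for i, e in enumerate(entries) if e[2] == CENTRIFY]
    other_idx = [i for i, e in enumerate(entries) if e[2] != CENTRIFY]
    # Ordering rule from the post: every Centrify line precedes every other line.
    if centrify_idx and other_idx and min(other_idx) < max(centrify_idx):
        problems.append("a non-Centrify line appears before the Centrify lines")
    for group in ("auth", "account", "session", "password"):
        stack = [e for e in entries if e[0] == group and e[2] == CENTRIFY]
        if not stack:
            problems.append(f"{group}: no {CENTRIFY} entry")
            continue
        # 'sufficient' returns early on success only; a 'requisite ... deny'
        # line must follow so a user who fails Centrify is not passed on.
        if any(e[1] == "sufficient" for e in stack) and not any(
            e[1] == "requisite" and "deny" in e[3] for e in stack
        ):
            problems.append(f"{group}: 'sufficient' without 'requisite ... deny'")
    return problems

# Constructed sample stacks for demonstration (not copied from a real host).
GOOD_STACK = """\
auth       sufficient     pam_centrifydc.so
auth       requisite      pam_centrifydc.so deny
account    sufficient     pam_centrifydc.so
account    requisite      pam_centrifydc.so deny
session    required       pam_centrifydc.so homedir
password   sufficient     pam_centrifydc.so try_first_pass
password   requisite      pam_centrifydc.so deny
auth       include        system-auth
"""
BAD_STACK = "auth include system-auth\n" + GOOD_STACK  # local stack consulted first
```

Run check_emagent_stack() on the contents of the real file after editing it; an empty list means the Centrify directives sit first and each sufficient line has its deny backstop.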

References:

Oracle also has a KB article on this. Please check their website for the following article:

How to Configure the Grid Control Agent for PAM and LDAP? [ID 422073.1]

Note the metalink (support.oracle.com) note number (422073.1) above.  Log in over there and get the full run down of making this work.  I don’t want to anger the Oracle gods and post all of the details here, so pay your sales rep and get support if you don’t have it.
