Enterprise Management Agent Host Credentials for PAM and LDAP

We use LDAP users to install oracle software. In my humble opinion, it’s not a good approach because if the server can not communicate with LDAP service, Oracle gets errors when spawning new processes. We have already started to switch our oracle users from LDAP authentication to local users, but this is not the subject of this blog post. Using LDAP for authentication, also affects Enterprise Manager agents. When I try to create a named credential, EM agent can not verify the user/password, although I used the same user/password information to deploy the agents 🙂

pamerror

Here’s the log generated by the agent:

[164049:8DB30DFF] INFO - >>> Reporting exception:
oracle.sysman.emSDK.agent.client.exception.PerformOperationException: 
ERROR: Invalid username and/or password   
LOG: Local Authentication Failed...Attempt PAM authentication...
PAM failed with error: Authentication failure (request id 1) <<<
oracle.sysman.emSDK.agent.client.exception.PerformOperationException: 
ERROR: Invalid username and/or password   
LOG: Local Authentication Failed...Attempt PAM authentication...
PAM failed with error: Authentication failure

[164049:8DB30DFF] INFO - >>> Reporting exception:

oracle.sysman.emSDK.agent.client.exception.PerformOperationException:

ERROR: Invalid username and/or password

LOG: Local Authentication Failed...Attempt PAM authentication...

PAM failed with error: Authentication failure (request id 1) <<<

oracle.sysman.emSDK.agent.client.exception.PerformOperationException:

ERROR: Invalid username and/or password

LOG: Local Authentication Failed...Attempt PAM authentication...

PAM failed with error: Authentication failure

The solution is well documented on My Oracle Support: How to Configure the Enterprise Management Agent Host Credentials for PAM and LDAP (Doc ID 422073.1)

In short, you need to create a file under /etc/pam.d directory named emagent i.e /etc/pam.d/emagent, and enter the following configuration lines into it:

#%PAM-1.0
auth     required pam_ldap.so
account  required pam_ldap.so
password required pam_ldap.so
session  required pam_ldap.so

#%PAM-1.0

auth required pam_ldap.so

account required pam_ldap.so

password required pam_ldap.so

session required pam_ldap.so

I know that My Oracle Support is the most reliable source, but I decided to go my way! So instead of creating a new file containing the above configuration rules, I copied a working pam.d configuration file (/etc/pam.d/sshd) to “/etc/pam.d/emagent”. After I copied the configuration file, LDAP authentication started to working fine (no agent restart required on “Red Hat Enterprise Linux Server release 5.7 (Tikanga)”.

Please share

5 Comments

Matthew Garrett

April 6, 2015 Reply

Instead of copying, we created a symlink.

ln -s /etc/pam.d/sshd /etc/pam.d/emagent

This worked for RHEL 6.6 (and Oracle Linux 6.6)

# cat /etc/oracle-release
Oracle Linux Server release 6.6
- Srinivas
  
  December 18, 2015
  
  Thanks Gokhan.
  
  Adding those 4 entries in /etc/pam.d/emagent didn’t helped but your workkaround of copying /etc/pam.d/sshd to /etc/pam.d/emagent worked in my case.
Neha Agarwal

December 23, 2016 Reply

Thanks for the workaround . cp /etc/pam.d/sshd /etc/pam.d/emagent works for me .
I am also facing the similar issue oracle.sysman.emSDK.agent.client.exception.PerformOperationException:
ERROR: Invalid username and/or password (request id 1) <<< for the OMA installed into the windows machine . Do you know how to resolve the same issue in windows machine.
Aamir Haroon

July 18, 2017 Reply

Thanks for the post. cp /etc/pam.d/sshd /etc/pam.d/emagent worked.
PRABHU RANGANATHAN

April 21, 2020 Reply

ln -s /etc/pam.d/sshd /etc/pam.d/emagent…

Thanks for the solution.

Leave Comment Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.