How to Configure the Enterprise Management Agent Host Credentials for PAM and LDAP (Doc ID 422073.1)

Last updated on JUNE 16, 2020

Applies to:

Enterprise Manager Base Platform - Version and later
Generic Linux
Generic UNIX


This note explains how to configure the Enterprise Manager Agent with Pluggable Authentication Module (PAM) and LDAP for authentication of OS users on Unix / Linux operating systems. The agent uses this authentication in several places, such as 1) the job system and 2) user-defined metrics.

On most unix-like operating systems, there are two ways of validating the password for an OS user: 1) traditional unix authentication and 2) PAM authentication.

In traditional unix authentication, the submitted password is compared with a hashed version stored in /etc/passwd, in other related OS files, or in other stores as specified in /etc/nsswitch.conf.

PAM authentication is a more flexible mechanism, where administrators can configure, on an application-specific basis, a number of libraries to authenticate users against different backing stores. This allows new authentication services to be added to a system dynamically, and allows host administrators to combine authentication services in more nuanced ways than traditional unix authentication allows.

In EM 10.1, 10.2, and 11.1 agents, traditional unix authentication is always preferred to PAM authentication. When presented with a username and password, the agent always first attempts traditional authentication. Only if that traditional authentication attempt fails (because the username is not found in the password file or map, or because the password does not match the one stored in the file or map) will the agent attempt PAM authentication. (As a result, if a username is defined in both the traditional password map and by an alternative PAM authentication service, and has different passwords in each, the agent will accept *either* password for this user.)

Note: The local password file (usually /etc/passwd) will always be used and checked first. As such you need to make sure this is synchronized with the LDAP password if this is being used.

Only if that check fails will the EM Agent switch to the defined external authentication module.

The EM 12.1.0.x agent follows this same behavior if the host administrator has not created a PAM service called "emagent". (PAM may still be used if this service does not exist, since PAM defines a wildcard service-name "other".) But if the "emagent" PAM service does exist, then *only* PAM authentication will be attempted. If the PAM service modules specified in the "emagent" service do not accept the submitted password, then authentication will fail, even if the submitted password does match one in the traditional password file or map.
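The two behaviours above can be checked on a host with the following added example, which is not Oracle code. It assumes the usual PAM layout (a service is a file under /etc/pam.d or lines in /etc/pam.conf whose first field is the service name), that local hashes live in a shadow-format file, and that a list of directory usernames has been exported to a file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Oracle code. Paths are parameters so the functions can be
# run against copies of the files; defaults are the usual Linux locations.

# Which path would a 12.1.0.x agent take on this host?
#   pam-only             : a PAM service named "emagent" is defined
#   traditional-then-pam : no such service (the 10.1/10.2/11.1 agent order)
emagent_auth_mode() {
    pam_dir=${1:-/etc/pam.d}
    pam_conf=${2:-/etc/pam.conf}
    if [ -f "$pam_dir/emagent" ]; then
        echo "pam-only"
    elif [ -f "$pam_conf" ] &&
         awk '$1 == "emagent" { f = 1 } END { exit !f }' "$pam_conf"; then
        echo "pam-only"
    else
        echo "traditional-then-pam"
    fi
}

# In traditional-then-pam mode, list accounts for which the agent would accept
# two passwords: they have a usable local hash AND exist in the directory.
#   $1  shadow-format file (user:hash:...)
#   $2  directory usernames, one per line (assumption: exported beforehand)
dual_password_accounts() {
    shadow_file=$1
    directory_users=$2
    awk -F: '
        NR == FNR { in_dir[$1] = 1; next }   # first file: directory users
        # skip empty, locked ("!...") and disabled ("*") password fields
        $2 != "" && $2 !~ /^[!*]/ && ($1 in in_dir) { print $1 }
    ' "$directory_users" "$shadow_file"
}

# Usage (as root, reading the real files):
#   emagent_auth_mode
#   dual_password_accounts /etc/shadow ./ldap_users.txt
```

Any account printed by `dual_password_accounts` on a host reporting `traditional-then-pam` needs its local and LDAP passwords kept in sync, or its local hash removed.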


This article is intended for Enterprise Manager (Grid Control and/or Cloud Control) Administrators.


In this Document
 Configure the Agent for PAM
 Useful Documentation