Friday, September 12, 2014

Oracle Database backups, OEM Cloud Control, and LDAP

So I need to make more of a habit out of posting short blogs every week. This week I'm putting out a little tidbit that we recently discovered.

Our environment is a new Exadata X4-2, and we were trying to configure database backups through Oracle Enterprise Manager Cloud Control (OEMCC). This is a standard backup job scheduled and set up through the database management pages in OEMCC, and is not really unique to Exadata. But what we ran into is partly specific to Exadata and partly just OEMCC.

As with many large corporations, users and passwords for our environment are stored in LDAP. In general this is transparent to all applications. Well, there are a few exceptions, and this really gets into some low-level details of how Linux security (specifically PAM in this case) and applications like OEMCC interact.

While setting up the jobs in OEMCC and trying to test the backup using OS credentials, we kept receiving invalid password errors. We then verified the password at the OS level and found that it worked fine. So clearly this was a generic error message that did not point to the real problem.

Thanks to our team we found two specific My Oracle Support (MOS) notes that resolved this issue:

  • Error 'incorrect password' reports when run command su after inputting correct password on exadata server (Doc ID 1460921.1)
  • How to Configure the Enterprise Management Agent Host Credentials for PAM and LDAP (Doc ID 422073.1)

Both of these changes were made, and then our backup jobs were working fine.

A few notes on Doc ID 422073.1, which is slightly vague on the PAM setup / changes for the OEM Agent. Our systems worked using the Red Hat version of the /etc/pam.d/emagent file, like this:

#%PAM-1.0
auth      required  pam_ldap.so
account   required  pam_ldap.so
password  required  pam_ldap.so
session   required  pam_ldap.so

For the update to the agent commonenv file, we used the lib64 version of the PAM library, located here: /lib64/libpam.so.0

We did not need to install the pam-devel rpm as the note mentioned; we just used the above libpam.so.0 that was installed with the normal pam rpm.
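
Because the agent only reports a generic password failure, a static check of the service file helps separate a broken PAM stack from a genuinely wrong password. The script below is an added example, not taken from the MOS notes or from Oracle: check_pam_service is a hypothetical helper name, and the default module directory /lib64/security is an assumption for 64-bit Red Hat style systems.

```shell
#!/bin/sh
# Added example: static check of a PAM service file such as /etc/pam.d/emagent.
# check_pam_service is a hypothetical helper; the default module directory
# /lib64/security is an assumption for 64-bit Red Hat style systems.
check_pam_service() {
    local file="$1" moddir="${2:-/lib64/security}"
    local line type control module path want seen="" rc=0

    [ -r "$file" ] || { echo "cannot read $file"; return 2; }

    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f        # split into words, globbing off
        [ $# -ge 3 ] || continue            # blank or incomplete line
        case $1 in '#'*) continue ;; esac   # comment, including #%PAM-1.0
        type=${1#-}; control=$2; shift 2    # leading '-' marks an optional module
        case $type in
            auth|account|password|session) seen="$seen $type" ;;
            *) echo "unknown management group: $type"; rc=1; continue ;;
        esac
        # include/substack name another service file, not a module.
        case $control in include|substack) continue ;; esac
        # A bracketed control like [success=1 default=ignore] spans several words.
        case $control in '['*)
            while [ $# -gt 1 ]; do
                case $control in *']') break ;; esac
                control="$control $1"; shift
            done ;;
        esac
        module=$1
        case $module in /*) path=$module ;; *) path=$moddir/$module ;; esac
        [ -e "$path" ] || { echo "$type: module not found: $path"; rc=1; }
    done < "$file"

    # Every management group should have at least one rule in the file.
    for want in auth account password session; do
        case " $seen " in
            *" $want "*) ;;
            *) echo "no $want rule in $file"; rc=1 ;;
        esac
    done
    return $rc
}
```

On the agent host this would be called as check_pam_service /etc/pam.d/emagent; a non-zero return means a module named in the file is missing from the module directory or a management group has no rule.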

Another interesting feature of the Oracle ecosystem.

Gary
