
OCI – Configure Delegated Authentication [Part 3]


Azure Attribute Configuration

The Linux PAM module installed on Linux systems within OCI leverages SSSD to determine access for users and groups. The goal is to present only groups in the configuration and to rely solely on AD group membership to grant access. We don’t want to revisit the configuration every time a user needs to be added, so groups are the ideal targets.

For this to work, both user and group objects need to have POSIX IDs that can be referenced by the PAM module. If we use custom attributes within Entra ID and sync to OCI, we can ensure the POSIX attributes are standardized across all customers and systems.

The following steps assume a custom attribute has been created, assigned to all on-prem users/groups, and added to the Azure Connector application so it is synced from on-prem to Entra ID for both user and group objects. (Tutorial TBD)

This solution is not officially supported by Azure or OCI; proceed with caution. I am not responsible for any issues or errors that arise from this configuration.


1. Open the Azure Enterprise App and select Provisioning from the menu


2. Click Edit Attribute Mappings


3. Under mappings, select Microsoft Entra ID Groups


4. Scroll to the bottom, check Show advanced options, and select Review your schema here


5. Scroll down to approximately line 2259 and paste the following (the leading comma is part of the paste, so the new entry joins the existing attribute list)

,
            {
              "anchor": false,
              "caseExact": false,
              "defaultValue": null,
              "flowNullValues": false,
              "multivalued": false,
              "mutability": "ReadWrite",
              "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:Group:gidNumber",
              "required": false,
              "type": "Integer",
              "apiExpressions": [],
              "metadata": [],
              "referencedObjects": []
            }


6. Scroll down to approximately line 2640 and paste the following (again, the leading comma is part of the paste)

,
            {
              "anchor": false,
              "caseExact": false,
              "defaultValue": null,
              "flowNullValues": false,
              "multivalued": false,
              "mutability": "ReadWrite",
              "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User:uidNumber",
              "required": false,
              "type": "Integer",
              "apiExpressions": [],
              "metadata": [],
              "referencedObjects": []
            }


7. Click Save at the top right, then click Attribute Mappings in the breadcrumb menu to return to the mappings page


8. Select Add New Mapping from the bottom of the group attribute page


9. Select linuxGID as the Source attribute, the new Group:gidNumber as Target attribute, and click OK

  • If gidNumber is not available, reload the page in the browser so the schema edited in step 5 is picked up


10. Click Save at the top left if all attributes look correct


11. Head back to the provisioning page and select Microsoft Entra ID Users


12. Click Add New Mapping from the bottom of the page


13. Select linuxUID as the Source attribute, the new User:uidNumber as Target attribute, and click OK

  • If uidNumber is not available, reload the page in the browser so the schema edited in step 6 is picked up


14. Click Save at the top left if all attributes look correct
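As an added example (not code from the original post), the two schema additions from steps 5 and 6 done programmatically instead of by pasting at an approximate line number. It assumes the exported schema has the shape schema -> directories -> objects -> attributes and that the OCI directory entry is named "Oracle Cloud Infrastructure" (both assumptions; check them against your own export). Parsing the JSON first catches a stray comma before Save rejects it, and the script refuses to add an attribute that is already defined, so a second run cannot produce a duplicate.

```python
import copy
import json

POSIX_NS = "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix"

# Constructed stand-in for the exported schema; only the assumed shape
# (schema -> directories -> objects -> attributes) matters here.
SAMPLE_SCHEMA_JSON = json.dumps({"schema": {"directories": [
    {"name": "Azure Active Directory", "objects": [
        {"name": "User", "attributes": [{"name": "userPrincipalName"}]}]},
    {"name": "Oracle Cloud Infrastructure", "objects": [
        {"name": "Group", "attributes": [{"name": "displayName"}]},
        {"name": "User", "attributes": [{"name": "userName"}]}]}]}})

def posix_attribute(obj: str, attr: str) -> dict:
    """The attribute definition from the post, parameterised on object/attribute."""
    return {"anchor": False, "caseExact": False, "defaultValue": None,
            "flowNullValues": False, "multivalued": False,
            "mutability": "ReadWrite", "name": f"{POSIX_NS}:{obj}:{attr}",
            "required": False, "type": "Integer", "apiExpressions": [],
            "metadata": [], "referencedObjects": []}

def load_schema(schema_text: str) -> dict:
    return json.loads(schema_text)  # a stray comma fails here, not at Save time

def find_object(schema: dict, target_dir: str, obj_name: str) -> dict:
    """The single object named obj_name in directory target_dir; raises otherwise."""
    dirs = [d for d in schema["schema"]["directories"] if d["name"] == target_dir]
    objs = [o for d in dirs for o in d["objects"] if o["name"] == obj_name]
    if len(objs) != 1:
        raise ValueError(f"expected exactly one {obj_name!r} object in {target_dir!r}")
    return objs[0]

def add_posix_attributes(schema: dict, target_dir: str) -> dict:
    """Return a copy with Group:gidNumber and User:uidNumber added to the target
    directory's objects; refuse if either attribute is already defined."""
    out = copy.deepcopy(schema)
    for obj_name, attr in (("Group", "gidNumber"), ("User", "uidNumber")):
        obj = find_object(out, target_dir, obj_name)
        new = posix_attribute(obj_name, attr)
        if any(a.get("name") == new["name"] for a in obj["attributes"]):
            raise ValueError(f"{new['name']} is already defined")
        obj["attributes"].append(new)
    return out

def attribute_names(schema: dict, target_dir: str, obj_name: str) -> list:
    """Attribute names on one object, for checking the result before uploading."""
    return [a["name"] for a in find_object(schema, target_dir, obj_name)["attributes"]]
```

Run it against the schema exported in step 4, then paste the result back instead of editing by line number; `attribute_names` lets you confirm both new names are present before you Save.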

