
OCI – API Calls and Troubleshooting [Part 5]

Troubleshooting Tips

Azure provisions GIDs to groups and UIDs to users. For authentication via the Linux PAM module to work, the user object in OCI must carry both the GID and the UID:

            "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User": {
                "gidNumber": 60016,
                "uidNumber": 21782
            }

BUT WAIT! We’re only syncing a UID to user objects in OCI!

  • When OCI detects a user object being created or assigned to a group, it automatically appends the GID value to the user object. But there are caveats…
    • If a user is a member of multiple groups, the GID of the first group (alphabetically) is assigned. A user should only be a member of one synced group with one GID to avoid confusion.
    • The GID value is appended to user objects only on first detection. If an account already exists and was joined to a group before UIDs/GIDs were configured (for example, you deployed SSO a while ago and haven’t gotten around to PAM yet), adding the UID/GID attributes to the already-existing objects will not make OCI retroactively add GID values to those user objects. To solve this, delete the account(s) from OCI and re-sync through AD Bridge Import. Alternatively, delete the group within IDCS and re-sync just the group object(s).

API Calls using Postman

Postman is free to download, has a portable version, and doesn’t require an account when using the offline ‘lite’ version. Follow the steps below to make API calls to your OCI tenant for UID/GID troubleshooting.

1. Download and run Postman – The portable version can be found here: https://portapps.io/app/postman-portable/

2. Open a new Tab and click Auth

3. Select OAuth 2.0, populate the fields shown below, and click Get New Access Token

Access Token URL:    https://idcs-<ID>.identity.oraclecloud.com/oauth2/v1/token/
Client ID:           Use the client ID of the Azure AD Provisioning App
Client Secret:       Client Secret of the Azure AD Provisioning App
Scope:               urn:opc:idm:__myscopes__
  • Replace <ID> with the tenant IDCS ID

4. With the authentication token generated, click Use Token

5. In the top bar, select GET, paste one of the following URLs, and click Send

  • Replace <ID> with the tenant IDCS ID
USERS: https://idcs-<ID>.identity.oraclecloud.com/admin/v1/Users?attributeSets=all&count=1000
GROUPS: https://idcs-<ID>.identity.oraclecloud.com/admin/v1/Groups?attributeSets=all&count=1000

6. Scroll through the results and observe GID and UID values as needed

            "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User": {
                "gidNumber": 60016,
                "uidNumber": 21782
            }
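Scrolling through 1000 user records by hand does not scale, so here is an added script (not from the original post) that does steps 3 to 6 from the command line and flags exactly the caveats listed above: users with no uidNumber, users whose object predates GID sync and so has no gidNumber, and users in more than one GID-bearing group. The token request body, the group-side extension name `...posix:Group` and the `groups[].display` membership attribute are assumptions about the IDCS SCIM API; the sample payloads are constructed so the checker runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request
POSIX_USER = "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User"
POSIX_GROUP = "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:Group"  # assumed name

def get_token(idcs_id, client_id, client_secret):
    """Client-credentials grant against the step 3 token URL (request shape is assumed)."""
    url = f"https://idcs-{idcs_id}.identity.oraclecloud.com/oauth2/v1/token/"
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "scope": "urn:opc:idm:__myscopes__"}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=body, headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def find_posix_issues(users, groups):
    """Map userName -> problem for users PAM would reject or that hit the GID caveats."""
    gid_by_group = {g["displayName"]: g.get(POSIX_GROUP, {}).get("gidNumber")
                    for g in groups["Resources"]}
    issues = {}
    for u in users["Resources"]:
        posix = u.get(POSIX_USER, {})
        # Only groups that carry a GID count; OCI picks the first alphabetically.
        synced = sorted(m["display"] for m in u.get("groups", [])
                        if gid_by_group.get(m["display"]) is not None)
        if "uidNumber" not in posix:
            issues[u["userName"]] = "no uidNumber"
        elif "gidNumber" not in posix:
            issues[u["userName"]] = "no gidNumber"  # object predates GIDs: re-sync it
        elif len(synced) > 1:
            issues[u["userName"]] = "multiple GID groups"
        elif synced and posix["gidNumber"] != gid_by_group[synced[0]]:
            issues[u["userName"]] = "gidNumber mismatch"
    return issues
# Constructed sample payloads in the shape of the step 5 Users/Groups responses.
SAMPLE_GROUPS = {"Resources": [
    {"displayName": "linux-admins", POSIX_GROUP: {"gidNumber": 60016}},
    {"displayName": "linux-devs", POSIX_GROUP: {"gidNumber": 60017}},
    {"displayName": "sso-only"}]}
SAMPLE_USERS = {"Resources": [
    {"userName": "alice", "groups": [{"display": "linux-admins"}],
     POSIX_USER: {"gidNumber": 60016, "uidNumber": 21782}},
    {"userName": "bob", "groups": [{"display": "linux-admins"}, {"display": "sso-only"}],
     POSIX_USER: {"uidNumber": 21783}},
    {"userName": "carol", "groups": [{"display": "linux-admins"}, {"display": "linux-devs"}],
     POSIX_USER: {"gidNumber": 60017, "uidNumber": 21784}}]}
```

Against a live tenant, call get_token() with the provisioning app's client ID and secret, GET the two URLs from step 5 with `Authorization: Bearer <token>`, and pass the parsed JSON to find_posix_issues(); every name it returns is an account to re-sync or re-group before PAM logins will work.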