The Caboteria / Tech Web / PluggableAuthenticationModules (revision 1)
Pluggable Authentication Modules (PAM) is the mechanism that Linux uses to decide whether you can log in or not. Here's a crude picture:

 login --------\                          /------ RDBMS
                \                        /
apache ----------\    ===========       /------- LDAP
                  \   =         =      /
   ssh ---------------=   PAM   =-------------- passwd files
                  /   =         =      \
passwd ----------/    ===========       \------- RADIUS
                /          |             \
etc... --------/           |              \---- etc...
                         -----
                         |   |
                         |   |  PAM config files (/etc/pam.d/*)
                         |___|

In a nutshell, any program that needs to check whether you can log in calls the PAM library, which then reads the config files to find out which modules to call to do the work. You can even "stack" the modules, i.e. require that more than one of them succeed.

In one rather extreme case I used the Apache PAM authentication module to call the PAM LDAP module so that Apache could decide whether to allow each person to view a page.

The config file /etc/pam.d/httpd looked like this:

auth     sufficient   pam_ldap.so
#auth    required     pam_unix.so

#account required     pam_unix.so
account  required     pam_ldap.so

One mistake I made was having no account directive the first time I tried it. It's important to have the auth and account directives use the same module.
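To make the stacking rules and the auth/account split concrete, here is a small simulator of how Linux-PAM walks a module stack for the four classic control flags (required, requisite, sufficient, optional). It is an added illustration written for this page, not libpam code and not anything from the PAM, pam_ldap or mod_auth_pam projects. The config strings are constructed copies of the httpd file above (the first one with the account line still commented out, as in the mistake described), the `pam_ldap.so` result is a stand-in callback rather than a live LDAP bind, and treating a stack with no contributing module as a denial is an assumption about libpam's behaviour. Bracketed `[success=... default=...]` controls, `include`/`substack` and `-type` lines are deliberately not handled.

```python
"""Simulated walk of Linux-PAM module stacks (illustration, not libpam).

Hypothetical simulator written for this page. It mirrors the classic
control-flag semantics closely enough to show why stacking works the way
it does and why a missing account stack denies the login.
"""
from typing import Callable, Dict, List, Tuple

# Constructed copy of the page's /etc/pam.d/httpd, first attempt:
# the account line is still commented out.
HTTPD_CONF_FIRST_TRY = """\
auth     sufficient   pam_ldap.so
#auth    required     pam_unix.so

#account required     pam_unix.so
"""

# Working version: auth and account both go through pam_ldap.so.
HTTPD_CONF = HTTPD_CONF_FIRST_TRY + "account  required     pam_ldap.so\n"

Stack = List[Tuple[str, str, List[str]]]      # (control, module, args)
ModuleResult = Callable[[str], bool]          # module name -> did it succeed?

CONTROLS = {"required", "requisite", "sufficient", "optional"}


def parse_pam_conf(text: str) -> Dict[str, Stack]:
    """Split a /etc/pam.d/<service> file into one module stack per type."""
    stacks: Dict[str, Stack] = {"auth": [], "account": [], "password": [], "session": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam line: {raw!r}")
        mtype, control, module, *args = fields
        if mtype not in stacks or control not in CONTROLS:
            raise ValueError(f"unsupported pam line: {raw!r}")
        stacks[mtype].append((control, module, args))
    return stacks


def run_stack(stack: Stack, result_of: ModuleResult) -> bool:
    """Walk one stack the way libpam does for the four classic controls.

    impression: None  = no module has contributed a verdict yet
                True  = some module said yes and nothing required failed
                False = a required module failed (sticky for the whole walk)
    """
    impression = None
    for control, module, _args in stack:
        ok = result_of(module)
        if control == "required":
            if not ok:
                impression = False            # remembered, but the walk continues
            elif impression is None:
                impression = True
        elif control == "requisite":
            if not ok:
                return False                  # stop immediately
            if impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True                   # short-circuit: later modules are skipped
            # a failing sufficient module is simply ignored
        elif control == "optional":
            if ok and impression is None:
                impression = True
    # Nothing contributed (empty stack, or only ignored results): deny.
    # Assumption: this matches libpam refusing a service with no handlers.
    return impression is True


def pam_decision(conf_text: str, result_of: ModuleResult) -> Dict[str, bool]:
    """Return the auth and account verdicts a PAM client would see."""
    stacks = parse_pam_conf(conf_text)
    return {t: run_stack(stacks[t], result_of) for t in ("auth", "account")}


def login_allowed(conf_text: str, result_of: ModuleResult) -> bool:
    """A client such as the Apache PAM module needs both stages to pass."""
    verdict = pam_decision(conf_text, result_of)
    return verdict["auth"] and verdict["account"]


def ldap_says_yes(module: str) -> bool:
    """Constructed stand-in for a successful LDAP bind; every other module fails."""
    return module == "pam_ldap.so"


if __name__ == "__main__":
    print("first try:", pam_decision(HTTPD_CONF_FIRST_TRY, ldap_says_yes))
    print("fixed:    ", pam_decision(HTTPD_CONF, ldap_says_yes))
```

With the first config, `auth` passes as soon as `pam_ldap.so` succeeds (sufficient short-circuits), but `account` has no module at all and is denied, which is exactly why the login failed until the account line was added. The same walk also shows why `required` is the safer default for stacking: a failed required module keeps the stack negative even if a later sufficient module says yes.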

Note that libapache-mod-auth-pam is greedy in that once it's loaded it wants to do all of the authentication. It took me a while to figure this out - if you don't want to use it you need to shut it off explicitly on a per-directory basis.

I found that most of the PAM modules were pretty half-baked so debugging is hard if you don't have the source. OTOH we're only talking about a few hundred lines of code so it's not too hard to find your way around.

References

The PAM home page appears to be: http://www.kernel.org/pub/linux/libs/pam/

The PAM/LDAP home page appears to be: http://www.padl.com/pam_ldap.html

-- TobyCabot - 22 Jan 2001
