[ILUG] MySQL and PAM / NSS
diamond at skynet.ie
Tue Jul 12 17:13:30 IST 2005
Ciaran Johnston wrote:
> Hi folks,
> I'm considering using PAM / NSS along with MySQL for authentication
> purposes (Unix accounts, FTP accounts, email accounts and the like). Has
> anyone used either the pam-mysql or the nss-mysql modules for this purpose
> and would they recommend them? The other option is, of course, LDAP, which
> is probably better suited to the job of authentication, but for what I
> want to do MySQL seems overall a more effective solution.
> So, any suggestions, caveats, etc?
Yes. I've just finished doing something very similar. I'm now using
Kerberos for user auth, and nss-mysql for user info. It works very very
well. From my experience, LDAP is horribly complex. I tried setting it
up in a test environment about 6 months ago, and I eventually managed to
kludge something together. Using MySQL as a backend otoh is really
straightforward, once you're familiar with SQL.

The problem with using pam-mysql for auth is that you're limited to
allowing auth only from services that run as root. This was a big
limitation for me, so I switched to using Kerberos instead, and now I
can do all auth (including website) against PAM. This is a really big
win. If that's not an issue for you, pam-mysql should work fine.

One other issue is that there are no tools for manipulating nss-mysql
(that I found, at least), so I wrote my own. Just finished it yesterday
as it happens ,-) It allows you to add/remove/list users and groups in
nss-mysql. I'm planning to package/publish it fairly shortly. I have
apache, courier-imap, ssh, postfix etc, all working nicely with this setup.