Ciaran Johnston wrote:
> Hi folks,
> I'm considering using PAM / NSS along with MySQL for authentication
> purposes (Unix accounts, FTP accounts, email accounts and the like). Has
> anyone used either the pam-mysql or the nss-mysql modules for this purpose
> and would they recommend them? The other option is, of course, LDAP, which
> is probably better suited to the job of authentication, but for what I
> want to do MySQL seems overall a more effective solution.
>
> So, any suggestions, caveats, etc?

Yes. I've just finished doing something very similar. I'm now using
Kerberos for user auth, and nss-mysql for user info. It works very, very
well. From my experience, LDAP is horribly complex. I tried setting it
up in a test environment about 6 months ago, and I eventually managed to
kludge something together. Using MySQL as a backend, otoh, is really
straightforward, once you're familiar with SQL.

The problem with using pam-mysql for auth is that you're limited to
allowing auth only from services that run as root. This was a big
limitation for me, so I switched to using Kerberos instead, and now I
can do all auth (including website) against PAM. This is a really big
win. If that's not an issue for you, pam-mysql should work fine.

One other issue is that there are no tools for manipulating nss-mysql
(that I found, at least), so I wrote my own. Just finished it yesterday
as it happens ;-) It allows you to add/remove/list users and groups in
nss-mysql. I'm planning to package/publish it fairly shortly. I have
apache, courier-imap, ssh, postfix etc., all working nicely with this setup.

Steve