Displaying posts with tag: pam
LDAP with auth_pam and PHP to authenticate against MySQL

In the quest to secure MySQL as well as ease the number of complicated passwords to remember, many organizations are looking into external authentication, especially using LDAP. For free and open source, Percona’s PAM authentication plugin is the standard option.

tl;dr is I go through how to compile php-cli for use with auth_pam plugin.

Background
There are two plugins that can be used. From the documentation, the two plugins are:

  • Full PAM plugin called auth_pam. This plugin uses dialog.so. It fully supports the PAM protocol with arbitrary communication between client and server.
  • Oracle-compatible PAM called auth_pam_compat. …
How to Setup and Troubleshoot Percona PAM with LDAP for External Authentication

In this blog, we’ll look at how to set up and troubleshoot the Percona PAM authentication plugin.

We occasionally get requests from our support clients on how to get Percona Server for MySQL to authenticate with an external authentication service via LDAP or Active Directory. However, we normally do not have access to clients’ infrastructure to help troubleshoot these cases. To help them effectively, we need to set up a testbed to reproduce their issues and guide them on how to get authentication to work. Fortunately, we only need to install Samba to provide an external authentication service for both LDAP and AD.

In this article, I will show you how to (a) compile and install Samba, (b) create a domain environment with Samba, (c) add users and groups to this domain and (d) get Percona Server …

Using the PAM authentication plugin

The procedure for using the PAM authentication plugin as documented doesn't work flawlessly on Ubuntu.

So here is how it works on Ubuntu (and probably also on other Debian based systems).

Please note that the PAM authentication plugin is an enterprise feature.

1. Make sure the plugin is loaded

This can be done by adding the following to the mysqld section of my.cnf (Don't forget to restart). You could also use INSTALL PLUGIN to load it without restart.

plugin-load=authentication_pam.so

2. Add a user which will use the plugin

mysql> CREATE USER 'dveeden'@'localhost' IDENTIFIED WITH authentication_pam;
Query OK, 0 rows affected (0.00 sec)

3. Add a pam config file for 'mysql':
Create /etc/pam.d/mysql with the following …

Announcing new features in MariaDB

We have lately been talking about some upcoming features that we feel are important to MariaDB users, because the corresponding ones that will be provided with MySQL will be incompatible with MariaDB and closed source.

We’re happy to announce the following:

  • The next version of MariaDB, version 5.2.10, will include an open source PAM Authentication Plugin. MariaDB 5.2.10 is scheduled for release next week.
  • A Windows Authentication Plugin is in development and QA currently and will be part of MariaDB 5.2.11, which is scheduled for release before Christmas.
  • MariaDB 5.5 will include both of the above plugins and an open source thread pool implementation. The soon-to-be-launched first version, however, will not include the thread pool.

Stay tuned for more information as soon as we start …

Centralized Login Management Comes to MySQL: Introducing PAM and Windows Authentication Support

You probably remember the world of new possibilities introduced to MySQL 5.5. If you do, you probably would agree that no API is useful by itself.

This is why you need authentication plugins that fit the largest possible number of authentication setups.

I can only guess what these authentication solutions look like for your server. But chances are that your OS has a pretty good idea on how best to authenticate users in it. This is why we've decided to hook MySQL to the two most widely used OS authentication APIs: Pluggable Authentication Modules (a.k.a. PAM) and the Windows Security Support Provider Interface

Let's …
