Documentation Home
Security in MySQL
Related Documentation Download this Excerpt
PDF (US Ltr) - 0.7Mb
PDF (A4) - 0.7Mb
EPUB - 177.0Kb
HTML Download (TGZ) - 144.5Kb
HTML Download (Zip) - 154.5Kb

Security in MySQL  /  ...  /  The PAM Authentication Plugin

7.1.3 The PAM Authentication Plugin


The PAM authentication plugin is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, see

As of MySQL 5.5.16, MySQL Enterprise Edition includes an authentication plugin that enables MySQL Server to use PAM (Pluggable Authentication Modules) to authenticate MySQL users. PAM enables a system to use a standard interface to access various kinds of authentication methods, such as Unix passwords or an LDAP directory.

The PAM authentication plugin provides these capabilities:

  • External authentication: The plugin enables MySQL Server to accept connections from users defined outside the MySQL grant tables and that authenticate using methods supported by PAM.

  • Proxy user support: The plugin can return to MySQL a user name different from the login user, based on the groups the external user is in and the authentication string provided. This means that the plugin can return the MySQL user that defines the privileges the external PAM-authenticated user should have. For example, a PAM user named joe can connect and have the privileges of the MySQL user named developer.

The PAM authentication plugin has been tested on Linux and Mac OS X.

The PAM plugin uses the information passed to it by MySQL Server (such as user name, host name, password, and authentication string), plus whatever method is available for PAM lookup. The plugin checks the user credentials against PAM and returns 'Authentication succeeded, Username is user_name' or 'Authentication failed'.

The following table shows the plugin and library file names. The file name suffix might be different on your system. The file location must be the directory named by the plugin_dir system variable. For installation information, see Section, “Installing the PAM Authentication Plugin”.

Table 7.3 MySQL PAM Authentication Plugin

Server-side plugin nameauthentication_pam
Client-side plugin namemysql_clear_password
Library file

The library file includes only the server-side plugin. As of MySQL 5.5.10, the client-side plugin is built into the libmysqlclient client library. See Section 7.1.5, “The Cleartext Client-Side Authentication Plugin”.

The server-side PAM authentication plugin is included only in MySQL Enterprise Edition. It is not included in MySQL community distributions. The client-side clear-text plugin that communicates with the server-side plugin is built into the MySQL client library and is included in all distributions, including community distributions. This permits clients from any MySQL 5.5.10 or higher distribution to connect to a server that has the server-side plugin loaded.

For general information about pluggable authentication in MySQL, see Section 5.6, “Pluggable Authentication”. For proxy user information, see Section 5.7, “Proxy Users”.

User Comments
Sign Up Login You must be logged in to post a comment.