The PAM authentication plugin is a commercial extension. To learn more about commercial products (MySQL Enterprise Edition), see http://www.mysql.com/products/.
As of MySQL 5.6.10, commercial distributions of MySQL include an authentication plugin that enables MySQL Server to use PAM (Pluggable Authentication Modules) to authenticate MySQL users. PAM enables a system to use a standard interface to access various kinds of authentication methods, such as Unix passwords or an LDAP directory.
The PAM plugin uses the information passed to it by MySQL Server
(such as user name, host name, password, and authentication
string), plus whatever method is available for PAM lookup. The
plugin checks the user credentials against PAM and returns
'Authentication succeeded, Username is
The PAM authentication plugin provides these capabilities:
External authentication: The plugin enables MySQL Server to accept connections from users defined outside the MySQL grant tables.
Proxy user support: The plugin can return to MySQL a user
name different from the login user, based on the groups the
external user is in and the authentication string provided.
This means that the plugin can return the MySQL user that
defines the privileges the external PAM-authenticated user
should have. For example, a PAM user named
joe can connect and have the privileges
of the MySQL user named
The following table shows the plugin and library file names. The
file name suffix might be different on your system. The file
location must be the directory named by the
plugin_dir system variable. For
installation information, see
Section 18.104.22.168, “Installing the PAM Authentication Plugin”.
Table 5.4 MySQL PAM Authentication Plugin
|Server-side plugin name|
|Client-side plugin name|
|Library object file name|
The library file includes only the server-side plugin. The
client-side plugin is built into the
libmysqlclient client library. See
Section 5.8.7, “The Cleartext Client-Side Authentication Plugin”.
The server-side PAM authentication plugin is included only in commercial distributions. It is not included in MySQL community distributions. The client-side clear-text plugin that communicates with the server-side plugin is built into the MySQL client library and is included in all distributions, including community distributions. This permits clients from any 5.6.10 or newer distribution to connect to a server that has the server-side plugin loaded.
The PAM authentication plugin has been tested on Linux and Mac OS X. It requires MySQL Server 5.6.10 or newer.