Announcing PAM authentication plugin for MySQL (early access release)


We are pleased to announce availability of an early access version of Percona’s PAM Authentication plugin for MySQL. This plugin supports MySQL-5.5.x, Percona Server 5.5.x and MariaDB 5.2.x. The PAM Authentication plugin can be used for:

  • MySQL authentication using operating system users (pam_unix)
  • MySQL authentication from LDAP server (pam_ldap)
  • authentication against RSA SecurID server
  • any other authentication methods that provides access via PAM

We name it early access as it does not yet have the full list of features we want to implement. It is currently functional and we want to make it available for everybody. In this version you still need to create individual users in MySQL (even though they will be authenticated via PAM), in the final (non-early access) version this restriction will be removed. Percona PAM Authentication Plugin for MySQL as always, is fully open source, free of charge and can be used on an unlimited amount of servers. Resources:


Share this post

Comments (9)

  • Sean Davidson Reply


    Between the audit plug-in interface, and your PAM authentication plug-in (hopefully implementing the proxy users authentication plug-in feature), real role-based access, best-practices password controls, and access non-repudiation can be a reality. To me, this means MySQL can finally be deployed in a PCI environment without lots of hacks, workarounds, and other controls gymnastics to satisfy governance requirements (and PCI auditors 🙂 ).

    Now if Monty’s group can get caught up to 5.6; we use MyISAM extensively for simple but huge KV stores, and love virtual (indexable) columns, segmented key cache, and other MariaDB goodies, but really need to start leveraging 5.6 features such as the Partition enhancements (we can finally ditch merge tables), Multi-threaded slaves (!!! A huge pain point for us), Diff-based RBR, Replication Checksums, lots of additional instrumentation, etc.

    Then, those combined with figuring out how to use Gearman to leverage Java plug-ins/UDFs, and we’ll be able to stop eyeing PostgreSQL’s feature set with frustrated envy, and enjoy the rocking performance and flexibility of the MySQL platform.

    [Please no flaming – PostgreSQL rocks in its own right, but we have an investment in the MySQL platform that I would appreciate being able to continue to leverage for enterprise workflows and loads.]

    December 5, 2011 at 12:19 pm
  • Tim Vaillancourt Reply

    This is a very useful addition I never thought of! Nice work to all involved. It reminds me of some of the unix auth in postgres.



    December 5, 2011 at 4:13 pm
  • Raghavendra Reply

    Quite useful. The most utility I guess comes from “any other authentication methods that provides access via PAM” .. PAM gives you the freedom to stack authentication/authorization methods (including ldap, rsa and unix) to the choice of user/customer.

    December 6, 2011 at 1:17 am
  • scetbon Reply

    Is there a way to use it with MySQL 5.1 ?

    September 25, 2012 at 2:49 am
  • Laurynas Biveinis Reply

    The PAM plugin depends on the MySQL pluggable authentication feature, which is only available starting with 5.5.

    September 26, 2012 at 12:33 am
  • St Reply

    Is this PAM compatible with all MySQL/Oracle CLI? As in the beginning there were some limitations.

    January 30, 2013 at 12:16 pm
  • Laurynas Biveinis Reply

    St –

    If one uses the “auth_pam_compat” plugin, then it uses the stock Oracle “mysql_clear_password” plugin instead of “dialog” plugin used by the full-feature version. As “mysql_clear_password” is a default plugin distributed in Oracle MySQL, it provides the CLI compatibility.

    January 31, 2013 at 5:08 am
  • Scott S Reply

    Does anyone know the timing of the final release and whether it’ll be compatible with the 5.6?

    March 1, 2013 at 1:32 pm
  • Vadim Tkachenko Reply


    Final releases are shipped with Percona Server,
    it is available in our latest releases.

    We will ship PAM with Percona Server 5.6 too.

    March 1, 2013 at 2:17 pm

Leave a Reply