Buy Percona ServicesBuy Now!

Announcing PAM authentication plugin for MySQL (early access release)

 | December 5, 2011 |  Posted In: MySQL, Percona Software


We are pleased to announce availability of an early access version of Percona’s PAM Authentication plugin for MySQL. This plugin supports MySQL-5.5.x, Percona Server 5.5.x and MariaDB 5.2.x. The PAM Authentication plugin can be used for:

  • MySQL authentication using operating system users (pam_unix)
  • MySQL authentication from LDAP server (pam_ldap)
  • authentication against RSA SecurID server
  • any other authentication methods that provides access via PAM

We name it early access as it does not yet have the full list of features we want to implement. It is currently functional and we want to make it available for everybody. In this version you still need to create individual users in MySQL (even though they will be authenticated via PAM), in the final (non-early access) version this restriction will be removed. Percona PAM Authentication Plugin for MySQL as always, is fully open source, free of charge and can be used on an unlimited amount of servers. Resources:

Vadim Tkachenko

Vadim Tkachenko co-founded Percona in 2006 and serves as its Chief Technology Officer. Vadim leads Percona Labs, which focuses on technology research and performance evaluations of Percona’s and third-party products. Percona Labs designs no-gimmick tests of hardware, filesystems, storage engines, and databases that surpass the standard performance and functionality scenario benchmarks. Vadim’s expertise in LAMP performance and multi-threaded programming help optimize MySQL and InnoDB internals to take full advantage of modern hardware. Oracle Corporation and its predecessors have incorporated Vadim’s source code patches into the mainstream MySQL and InnoDB products. He also co-authored the book High Performance MySQL: Optimization, Backups, and Replication 3rd Edition.


  • Alleluia!

    Between the audit plug-in interface, and your PAM authentication plug-in (hopefully implementing the proxy users authentication plug-in feature), real role-based access, best-practices password controls, and access non-repudiation can be a reality. To me, this means MySQL can finally be deployed in a PCI environment without lots of hacks, workarounds, and other controls gymnastics to satisfy governance requirements (and PCI auditors 🙂 ).

    Now if Monty’s group can get caught up to 5.6; we use MyISAM extensively for simple but huge KV stores, and love virtual (indexable) columns, segmented key cache, and other MariaDB goodies, but really need to start leveraging 5.6 features such as the Partition enhancements (we can finally ditch merge tables), Multi-threaded slaves (!!! A huge pain point for us), Diff-based RBR, Replication Checksums, lots of additional instrumentation, etc.

    Then, those combined with figuring out how to use Gearman to leverage Java plug-ins/UDFs, and we’ll be able to stop eyeing PostgreSQL’s feature set with frustrated envy, and enjoy the rocking performance and flexibility of the MySQL platform.

    [Please no flaming – PostgreSQL rocks in its own right, but we have an investment in the MySQL platform that I would appreciate being able to continue to leverage for enterprise workflows and loads.]

  • Quite useful. The most utility I guess comes from “any other authentication methods that provides access via PAM” .. PAM gives you the freedom to stack authentication/authorization methods (including ldap, rsa and unix) to the choice of user/customer.

  • St –

    If one uses the “auth_pam_compat” plugin, then it uses the stock Oracle “mysql_clear_password” plugin instead of “dialog” plugin used by the full-feature version. As “mysql_clear_password” is a default plugin distributed in Oracle MySQL, it provides the CLI compatibility.

Leave a Reply