pam_pgsql 0.5
=============

Introduction
============

This module provides support to authenticate against PostgreSQL
tables for PAM-enabled applications.

This module is based in part on the FreeBSD pam_unix module, and
the Debian pam_mysql module, but was written from scratch using
the two as a reference.

There is another pam_pgsql module, but the sources appear to have
vanished, hence this module.

Changes since last release
==========================

See the file debian/changelog.

Compilation & Installation
==========================

pam_pgsql is now autoconf'ed, thus, compiling should be a matter
of:

    $ ./configure
    $ make
    $ make install

Compilation has been tested on Debian GNU/Linux and FreeBSD 4.0/5.0.

On Debian, you will need the libpam0g-dev, postgresql-dev and libmhash-dev
packages to compile.

On FreeBSD you will have to install the postgresql/postgresql7 port, and
the security/mhash port.

See test.c for an example application that authenticates using
this module.

Configuration
=============

For each service that should use the module, edit the
/etc/pam.d/<service> file or /etc/pam.conf and add the
relevant lines.

For example:

    auth        required    pam_pgsql.so
    account     required    pam_pgsql.so
    password    required    pam_pgsql.so

Configure the database and the table the module should use in
the configuration file /etc/pam_pgsql.conf. An example of
this file:

    database = sysdb
    user = ljb
    table = account
    user_column = user_name
    pwd_column = user_password
    expired_column = acc_expired
    newtok_column = acc_new_pwreq
    debug

Note that for backwards compatibility with earlier versions, options specified
in the configuration file can be supplied as module arguments as well. Module
arguments will override the configuration file.

Configuration Options
=====================

    host                - the name of the host on which the database server
                          to connect to is running. If it starts with a /,
                          the connection is made via the unix domain socket
                          in the directory specified.
    database            - the database which should be connected to
    table               - the table containing the authentication data
    user                - the username used when connecting to PostgreSQL
    password            - the password for the user specified
    user_column         - the column containing usernames
    pwd_column          - the column containing the passwords
    expired_column      - this column should contain '1' or 'y' if the account
                          has expired
    newtok_column       - this column should contain '1' or 'y' if the user
                          needs to change their password
    debug               - this is a standard module option that will enable
                          debug output to syslog (takes no values)
    pw_type             - specifies the password encryption scheme, can be one
                          of 'clear', 'md5', 'crypt', or 'crypt_md5'. The
                          difference between 'md5' and 'crypt_md5' is that
                          'md5' uses libmhash for hashing while 'crypt_md5'
                          uses crypt() with a special salt to select md5
                          hashing instead of DES. If one of 'crypt' or
                          'crypt_md5' is specified, passwords are always
                          encrypted in the respective format. However,
                          passwords in both formats may be stored in the
                          database, just as with /etc/(passwd|shadow).
                          Defaults to 'clear'.
    config_file         - alternative location of the configuration file - it
                          should be specified as a module argument.
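
An added example, not part of the pam_pgsql sources: a Python check that computes the effective options (defaults, then the configuration file, then module arguments, which override it) and flags weak settings. The `key=value` form of module arguments, the function names and the abridged sample configuration are assumptions made for this example.

```python
# Added example: audits pam_pgsql settings; not part of the pam_pgsql sources.
DEFAULTS = {"pw_type": "clear"}  # README: pw_type defaults to 'clear'

PW_TYPE_NOTES = {  # one note per pw_type value documented in the README
    "clear": "passwords are stored and compared in cleartext",
    "md5": "plain MD5 digest (libmhash); too fast for password storage",
    "crypt": "DES crypt(); only the first 8 characters are significant",
    "crypt_md5": "salted, iterated MD5 crypt(); strongest documented option",
}

# Constructed sample, abridged from the example /etc/pam_pgsql.conf above.
SAMPLE_CONF = "\n".join([
    "database = sysdb", "user = ljb", "table = account",
    "user_column = user_name", "pwd_column = user_password", "debug"])

def parse_options(items):
    """Turn 'key = value' items and bare flags (e.g. 'debug') into a dict."""
    opts = {}
    for item in items:
        key, sep, value = item.strip().partition("=")
        if key.strip():
            opts[key.strip()] = value.strip() if sep else True
    return opts

def effective(conf_text, pam_line=""):
    """Merge defaults, config file and module arguments (arguments win)."""
    tokens = pam_line.split()
    # Assumption: module arguments follow pam_pgsql.so as key=value tokens.
    pos = next((i for i, t in enumerate(tokens) if t.endswith("pam_pgsql.so")), len(tokens))
    merged = dict(DEFAULTS)
    merged.update(parse_options(conf_text.splitlines()))
    merged.update(parse_options(tokens[pos + 1:]))
    return merged

def audit(opts):
    """Return a list of findings for the effective option set."""
    pw_type = opts["pw_type"]
    note = PW_TYPE_NOTES.get(pw_type, "not a documented value")
    findings = [f"pw_type={pw_type}: {note}"] if pw_type != "crypt_md5" else []
    if "password" in opts:
        findings.append("password: database credential in config; restrict read access")
    if opts.get("debug"):
        findings.append("debug: enabled; turn off outside troubleshooting")
    return findings

print("\n".join(audit(effective(SAMPLE_CONF))))
```

With the sample configuration, the check reports the implicit `pw_type` of 'clear' and the enabled `debug` flag.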
