LDAP in the Solaris Operating Environment: Deploying Secure Directory Services
This section describes the PAM application programming interface (API) and the PAM service provider interface (SPI). Also included are procedures on how to effectively write PAM modules when using the Solaris 9 OE. Before we discuss the PAM API and SPI, let us take a brief look at the PAM components:
By writing these PAM service modules, it is possible to extend the capability of the Solaris 9 OE authentication mechanisms in a number of different ways. The PAM interface in the Solaris 9 OE provides a set of APIs that can be used by third-party applications to extend authentication capabilities. By using the PAM layer, applications authenticate to the system without worrying about what authentication method has been chosen by the system administrator for any given client. For example, it is possible for a system administrator to prevent users from choosing new passwords that resemble their old password.

A PAM module is a shared object that is developed and written using the C programming language. The module is dynamically selected based on the contents of the pam.conf(4) configuration file. This is an extremely efficient mechanism that enables the selection of the most appropriate authentication mechanism for a particular environment without sacrificing functionality or the need to depend on third-party or unsupported software.

Developing a PAM module is not as difficult as you might think. The PAM API has a rich set of features, and is fairly intuitive to learn and use. Online documentation is also available (see http://docs.sun.com). This section addresses the following topics:
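The module selection by pam.conf(4) described above, as an added example (not code from the book or from Solaris): a small C routine that reads entries in the `service_name module_type control_flag module_path [options]` layout and returns the module stack for a given service and module type. The function names, the sample entries and the exact-match comparison are assumptions of this example; it relies on the pam.conf(4) convention that `other` entries apply when a service has none of its own for that module type.

```c
#include <stdio.h>
#include <string.h>
#define MAXMOD 8
#define NAMELEN 64

/* Constructed sample in pam.conf(4) layout (not a shipped Solaris file):
 * service_name  module_type  control_flag  module_path  [options] */
static const char SAMPLE_CONF[] =
    "# constructed sample\n"
    "login   auth     required   pam_unix_auth.so.1\n"
    "login   auth     required   pam_dial_auth.so.1\n"
    "passwd  password requisite  pam_authtok_check.so.1 debug\n"
    "other   auth     required   pam_unix_auth.so.1\n"
    "other   password required   pam_authtok_check.so.1\n";

/* Collect module paths for (service, type) in file order; exact match. */
static int collect(const char *conf, const char *service, const char *type,
                   char out[][NAMELEN], int max)
{
    int n = 0;
    for (const char *p = conf; *p; ) {
        char line[256], svc[32], mtype[32], flag[32], path[NAMELEN];
        size_t len = strcspn(p, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, p);  /* copy one line */
        p += len + (p[len] == '\n');
        line[strcspn(line, "#")] = '\0';                   /* drop comments */
        if (sscanf(line, "%31s %31s %31s %63s", svc, mtype, flag, path) != 4)
            continue;                                      /* blank or malformed */
        if (!strcmp(svc, service) && !strcmp(mtype, type) && n < max)
            strcpy(out[n++], path);
    }
    return n;
}

/* A service's own entries win; with none, the "other" entries apply. */
int select_stack(const char *conf, const char *service, const char *type,
                 char out[][NAMELEN], int max)
{
    int n = collect(conf, service, type, out, max);
    return n ? n : collect(conf, "other", type, out, max);
}

int main(void)
{
    char mods[MAXMOD][NAMELEN];
    int n = select_stack(SAMPLE_CONF, "login", "password", mods, MAXMOD);
    for (int i = 0; i < n; i++) printf("login/password -> %s\n", mods[i]);
    return 0;
}
```

Running the same lookup for every service and module type on a host shows which services silently inherit the `other` stack, which is worth reviewing whenever a new module is added to pam.conf.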