pam_pgsql 0.5
=============

Introduction
============

This module provides support to authenticate against PostgreSQL
tables for PAM-enabled applications.

This module is based in part on the FreeBSD pam_unix module, and
the Debian pam_mysql module, but was written from scratch using
the two as a reference.

There is another pam_pgsql module, but the sources appear to have
vanished, hence this module.

Changes since last release
==========================

See the file debian/changelog.

Compilation & Installation
==========================

pam_pgsql now uses autoconf, so compiling should be a matter
of:

    $ ./configure
    $ make
    $ make install

Compilation has been tested on Debian GNU/Linux and FreeBSD 4.0/5.0.

On Debian, you will need the libpam0g-dev, postgresql-dev and libmhash-dev
packages to compile.

On FreeBSD you will have to install the postgresql/postgresql7 port, and
the security/mhash port.

See test.c for an example application that authenticates using
this module.

Configuration
=============

For each service that should use the module, edit the
/etc/pam.d/<service> file or /etc/pam.conf and add the
relevant lines.

For example:

    auth        required    pam_pgsql.so
    account     required    pam_pgsql.so
    password    required    pam_pgsql.so

Configure the database and table the module should use in
the configuration file /etc/pam_pgsql.conf. An example of
this file:

    connectionstring = user=postgres host=127.0.0.1 dbname=pam
    getpassword = SELECT password FROM table WHERE username = $1
    changepw = UPDATE table SET password = $2 WHERE user = $1
    isexpired = SELECT 1 FROM table WHERE user = $1 AND isexpired < NOW()
    newpassrequired = SELECT 1 FROM table WHERE user = $1 AND newpass < NOW()
    debug

Note that for backwards compatibility with earlier versions, options specified
in the configuration file can be supplied as module arguments as well. Module
arguments will override the configuration file.

Configuration Options
=====================

    connectionstring    - string used to connect to the PostgreSQL database
                          (using standard connection options)
    getpassword         - SELECT password FROM table WHERE username = $1
                          Query that returns the password for the username
                          passed as $1
    changepw            - UPDATE table SET password = $2 WHERE user = $1
                          Query to update the user password, given a username
    isexpired           - SELECT 1 FROM table WHERE user = $1 AND isexpired < NOW()
                          Query of whether an account has expired or not.
                          >0 rows means it has expired.
    newpassrequired     - SELECT 1 FROM table WHERE user = $1 AND newpass < NOW()
                          Query of whether an account needs a new password.
                          >0 rows means a new password is required.
    debug               - this is a standard module option that will enable
                          debug output to syslog (takes no values)
    pw_type             - specifies the password encryption scheme, can be one
                          of 'clear', 'md5', or 'crypt'. Defaults to 'clear'.
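
The following audit script is an added example, not part of pam_pgsql. It parses the configuration format shown above, applies the rule that module arguments override the file, and reports the pw_type and database user the module will end up using. The key=value syntax for module arguments, the function names and the finding codes are assumptions of this example.

```python
import shlex

# The example /etc/pam_pgsql.conf from this README (expiry queries omitted).
SAMPLE_CONF = """\
connectionstring = user=postgres host=127.0.0.1 dbname=pam
getpassword = SELECT password FROM table WHERE username = $1
changepw = UPDATE table SET password = $2 WHERE user = $1
debug
"""

def parse_conf(text):
    """Parse 'key = value' lines; a bare word such as 'debug' is a flag."""
    opts = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition("=")  # split on the first '=' only
        opts[key.strip()] = value.strip() if sep else True
    return opts

def effective_options(conf_text, module_args=()):
    """Merge the file with module arguments; arguments win, as the README states."""
    opts = parse_conf(conf_text)
    for arg in module_args:  # assumed syntax: key=value, or a bare flag
        key, sep, value = arg.partition("=")
        opts[key] = value if sep else True
    return opts

def audit(conf_text, module_args=()):
    """Return (code, message) findings for the settings the module will use."""
    opts = effective_options(conf_text, module_args)
    findings = []
    pw_type = opts.get("pw_type", "clear")  # README: defaults to 'clear'
    if pw_type == "clear":
        findings.append(("PW_CLEAR", "passwords are stored and compared in cleartext"))
    elif pw_type == "md5":
        findings.append(("PW_MD5", "MD5 is a fast general-purpose hash"))
    elif pw_type != "crypt":
        findings.append(("PW_UNKNOWN", f"unrecognised pw_type {pw_type!r}"))
    # libpq connection strings are space-separated keyword=value pairs.
    conn = dict(tok.partition("=")[::2]
                for tok in shlex.split(str(opts.get("connectionstring", ""))))
    if conn.get("user") == "postgres":
        findings.append(("DB_SUPERUSER", "connects as 'postgres', normally the superuser"))
    return findings

if __name__ == "__main__":
    for args in ([], ["pw_type=crypt"]):
        print(args, audit(SAMPLE_CONF, args))
```

Because the default is 'clear', a configuration that never mentions pw_type is reported the same way as one that sets it explicitly.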
