PAM is authentication, not authorization.
disable the use of libevent's evdns and fall back to a libc-based
implementation.
-PAM authorization
------------------
+PAM authentication
+------------------
-To enable PAM authorization `./configure` has a flag `--with-pam` (default value is no). When compiled with
-PAM support new global authorization type `pam` appears which can be used to validate users through PAM.
+To enable PAM authentication `./configure` has a flag `--with-pam` (default value is no). When compiled with
+PAM support new global authentication type `pam` appears which can be used to validate users through PAM.
Building from Git
-----------------
dnl Find libevent
PKG_CHECK_MODULES(LIBEVENT, libevent)
-dnl Check for PAM authorization support
+dnl Check for PAM authentication support
pam_support=no
AC_ARG_WITH(pam,
AC_HELP_STRING([--with-pam], [build with PAM support]),
#define PGBOUNCER_PAM_SERVICE "pgbouncer"
/*
- * Defines how many authorization requests can be placed to the waiting queue.
+ * Defines how many authentication requests can be placed to the waiting queue.
* When the queue is full calls to pam_auth_begin() will block until there is
* free space in the queue.
*/
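Review bot: The queue-size comment says calls to pam_auth_begin() block when the queue is full, but it does not say which thread blocks or what that costs. If pam_auth_begin() runs on the main event-loop thread (not visible in this hunk), a full queue stalls every other client, and the queue holds requests that have not authenticated yet. I would add a sentence to the comment such as `* NOTE: a blocked pam_auth_begin() stalls the caller's thread; size the queue for the expected login burst.` and confirm the calling thread. The define this comment documents sits below the hunk.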
client->auth_user = client->db->forced_user;
} else if (cf_auth_type == AUTH_PAM) {
if (client->db->auth_user) {
- slog_error(client, "PAM can't be used together with database authorization");
+ slog_error(client, "PAM can't be used together with database authentication");
disconnect_client(client, true, "bouncer config error");
return false;
}
- /* Password will be set after successful authorization when not in takeover mode */
+ /* Password will be set after successful authentication when not in takeover mode */
client->auth_user = add_pam_user(username, password);
if (!client->auth_user) {
slog_error(client, "set_pool(): failed to allocate new PAM user");
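Review bot: The reworded message in `slog_error(client, "PAM can't be used together with database authentication")` still does not name the setting that triggers it. The branch is taken when `client->db->auth_user` is set, so wording like `"PAM can't be used together with a per-database auth_user"` would tell the operator what to change. This is also the one hunk in the commit that alters a runtime string rather than a comment, so any log-matching rule or alert keyed to the old "database authorization" text needs updating alongside it. The enclosing function begins and ends outside the hunk.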
/*
* All PAM users are kept here. We need to differentiate two user
- * lists to avoid user clashing for different authorization types,
+ * lists to avoid user clashing for different authentication types,
* and because pam_user_tree is closer to PgDatabase.user_tree in
* logic.
*/
#include <pthread.h>
#include <security/pam_appl.h>
-/* The request is waiting in the queue or being authorized */
+/* The request is waiting in the queue or being authenticated */
#define PAM_STATUS_IN_PROGRESS 1
-/* The request was successfully authorized */
+/* The request was successfully authenticated */
#define PAM_STATUS_SUCCESS 2
-/* The request failed authorization */
+/* The request failed authentication */
#define PAM_STATUS_FAILED 3
/*
struct pam_auth_request {
- /* The socket we check authorization for */
+ /* The socket we check authentication for */
PgSocket *client;
/* CHECKME: The socket can be closed and reused while the request is waiting
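Review bot: The comment on `client` is only reworded, while the CHECKME directly below it still says the socket can be closed and reused while the request waits in the queue. For an authentication path that is the important fact about this field, because a result applied to a reused socket would be attributed to a different connection. The field comment should state the validity rule, for example `/* The socket we check authentication for; may be stale, re-validate before use */`, and name the check. That check is presumably the `connect_time` comparison suggested by the next field, but the rest of the CHECKME text and of the struct lies outside this hunk, so please confirm.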
usec_t connect_time;
/* Same as in client->remote_addr.
- * We want to minimize synchronization between the authorization thread and
+ * We want to minimize synchronization between the authentication thread and
* the rest of pgbouncer, so the username and remote_addr are explicitly stored here.
*/
PgAddr remote_addr;
request->status = PAM_STATUS_FAILED;
}
- log_debug("pam_auth_worker(): authorization completed, status=%d", request->status);
+ log_debug("pam_auth_worker(): authentication completed, status=%d", request->status);
}
return NULL;
}
/*
- * Finishes the handshake after successful or unsuccessful authorization.
+ * Finishes the handshake after successful or unsuccessful authentication.
* The function is only called from the main thread.
*/
static void pam_auth_finish(struct pam_auth_request *request)