pam_userdb
Authenticate users against a user database
SYNOPSIS
pam_userdb.so [db=database_path] [uidfield=uid_field] [gidfield=gid_field] [user_filter=filter_expression] [group_filter=filter_expression] [debug]
PARAMETERS
db=database_path
Specifies the path to the user database file. If not specified, the module defaults to /etc/userdb. Set this explicitly so that the module reads the database file you intend.
uidfield=uid_field
Specifies the field in the database that contains the user ID. Defaults to 'uidNumber'.
gidfield=gid_field
Specifies the field in the database that contains the user's primary group ID. Defaults to 'gidNumber'.
user_filter=filter_expression
Specifies a filter expression to apply when searching for users in the database. This is useful for limiting the users that the module can authenticate.
group_filter=filter_expression
Specifies a filter expression to apply when searching for groups in the database. This is useful for limiting which groups the module will take into account.
debug
Enables debug logging for the module. This can be helpful for troubleshooting authentication issues.
DESCRIPTION
The pam_userdb PAM module provides authentication, account management, and password management based on a user database, typically in db or dbm format. It allows system administrators to store user credentials in a database file instead of the traditional /etc/passwd and /etc/shadow files. This approach is useful for managing a large number of users or when integrating with existing database systems. The module reads user and group information from the specified database and uses it to authenticate users, check account expiration, and update passwords.
pam_userdb authenticates against a local database and therefore cannot be used to authenticate against remote directories such as LDAP. It differs from pam_ldap in that it only authenticates against local flat files and databases.
It uses the Berkeley DB database format. Note that pam_userdb can be used in conjunction with other PAM modules, so that authentication comes from the database while account and session handling come from files (for example via pam_unix).
CAVEATS
The database format used by pam_userdb can be fragile. Incorrect configuration or database corruption can lead to authentication failures. Proper backups and testing are recommended. Also ensure that the database file has correct, restrictive permissions, since it holds user credentials.
CONFIGURATION EXAMPLE
To use pam_userdb, you would add entries to your PAM configuration files (e.g., /etc/pam.d/login, /etc/pam.d/sshd). For example:
auth required pam_userdb.so db=/path/to/your/userdb
account required pam_userdb.so db=/path/to/your/userdb
This configures pam_userdb to handle authentication and account management using the user database specified by the db option.
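The following script is an added example, not part of pam_userdb or its documentation: it parses PAM configuration lines of the kind shown above, locates every pam_userdb.so entry, and checks the file named by its db= option for the permission problem the CAVEATS section warns about. It assumes a conventional 0600 mode for the credential file and a constructed sample configuration; the parsing of module options is a simple key=value split.

```python
import os
import stat

# Constructed PAM fragment for the demo (not taken from a real system).
SAMPLE_PAM_CONF = """\
auth     required  pam_userdb.so db=/etc/userdb debug
account  required  pam_userdb.so db=/etc/userdb
session  required  pam_unix.so
"""

def parse_pam_lines(text):
    """Split PAM lines into (type, control, module, options).
    key=value options become dict entries; bare flags such as debug map to ''."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) < 3:
            continue
        opts = {}
        for tok in parts[3:]:
            key, _, value = tok.partition("=")
            opts[key] = value
        entries.append((parts[0], parts[1], parts[2], opts))
    return entries

def check_userdb_file(path):
    """Problems with the file named by db=: it holds credentials, so it must
    exist as a regular file with no group/other access (0600 is assumed)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: database file does not exist"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    return problems

def audit(text):
    """Audit every pam_userdb.so line: flag a missing db= option (the module
    then falls back to /etc/userdb) and check the referenced database file."""
    findings = []
    for ptype, _control, module, opts in parse_pam_lines(text):
        if module != "pam_userdb.so":
            continue
        if "db" not in opts:
            findings.append(f"{ptype}: no db= option, module will use /etc/userdb")
        else:
            findings.extend(check_userdb_file(opts["db"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAM_CONF):
        print(finding)
```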
DATABASE CREATION
pam_userdb relies on a database typically created using utilities like db_load. The format of the database needs to match what pam_userdb expects, including attributes like uidNumber, gidNumber, and userPassword.
SEE ALSO
pam.conf(5), db_load(1), pam_unix(8)