====== Pluggable Authentication Modules (PAM) support ======

In order to get jabberd authenticate users via PAM you need to ''./configure --enable-pam'' and configure PAM section in c2s.xml.

Jabberd uses ''/etc/pam.d/jabberd'' service with PAM authentication backend.

If you do authentication via ''/etc/shadow'' passwords, c2s **needs to run as root** to get access to shadow file. If you do not want that, you may alternatively use ''./configure --enable-pipe'' with [[http://search.cpan.org/CPAN/authors/id/N/NJ/NJH/jabberd-authpipe-pam-0.1.pl|jabberd-authpipe-pam.pl]] script running as root.

Most PAM mechanizms store passwords in hashed format, so c2s **needs to get plaintext passwords** from users, to recreate the hash for comparison. You need to disable all non plain auth mechanizms in c2s.xml, leaving only <plain/> in traditional and SASL sections.

===== Checklist =====
  - ''--enable-pam'' + c2s running as root
  - ''--enable-pipe'' + jabberd-authpipe-pam.pl running as root
  - only <plain/> authentication enabled in c2s.xml
  - proper PAM modules configured in ''/etc/pam.d/jabberd''

===== Realm =====

''c2s.local.id'' attribute //realm// is used to configure how jabberd creates usernames for PAM authentication
<code xml>
<id realm='some.org'>localhost</id>
</code>

  * no realm defined - the domainname is attached to username, resulting: ''username@localhost''
  * realm defined - the realm is attached to username, resulting: ''username@some.org''
  * empty realm "" defined - nothing is attached tu username, resulting: ''username''