ticket 181 - Allow PAM passthru plug-in to have multiple config entries
Previously, the PAM passthru plug-in only allowed a single configuration
to be in place. The only config entry was the top-level PAM plug-in
entry in cn=config.
This patch allows multiple PAM passthru configuration entries to be
specified. This gives the ability to have much more flexibility
when passing authentication to PAM. You can do things like use
different PAM server files for different portions of the DIT, or
even different mapping methods and security requirements.
To allow even more flexibility, I added support for a new pamFilter
configuration attribute. This allows an LDAP filter to be used to
determine which entries a PAM passthru configuration should apply
to. This allows a flat DIT to have different PAM passthru config
based off of the contents of the entries, such as using the objectclass
value.
Lastly, I added the ability to use an alternate plug-in configuration
area for PAM passthru config entries. This allows one to store the
config entries in a replicated tree instead of cn=config. When using
the alternate config area, only the child entries of the alternate
config container are considered to be PAM passthru config entries.
When the normal area in cn=config is used, both the top-level PAM
passthru plug-in config entry and it's children are considered to
be config entries. This ensures that the existing config style is
backwards compatible. Using an alternate config area meant getting
rid of the DSE style config callbacks and implementing normal pre-op
and post-op callback for dynamic config validation and loading.