New PAM Authentication Extension


First, thank you all for writing XWiki. I settled on it after a somewhat exhaustive search, and it (so far) seems like the best overall solution.

I wrote a password authentication module (PAM) bridge from UNIX/Linux systems to XWiki. This module was inspired by, modeled and written after the LDAP module. The use case and mechanism is very similar.

The motivation for this module addresses the need for systems that have a particular PAM configuration and want to use it to authenticate users. This was written because the LDAP module did not consistently function as described in this thread, and I had the same experience with m0nty where I’d see connection peer resets by the LDAP server:

For those that use the LDAP NSS module, which both authenticate users on the OS itself, using this module allows authentication to XWiki to LDAP via this software.

I have written two project: the first as a general library outside the context of XWiki for others, which uses pwauth to do the PAM authentication. This tool is commonly available on UNIX/Linux machines as a package.

The second package is written as an extension that was heavily borrowed and stolen from the LDAP extension. I tried to get the process and flow as closely as possible to the LDAP module. However, I did cut user and group mapping to simplify it.

Hopefully you won’t say I’ve reinvented the wheel as I looked around quiet a bit and couldn’t find anything similar. Please take a look, and if you want, I’ll push these as jars to Maven Central. I’m also willing to make modifications to make it (more) compat, although I can’t say I have copious amounts to time to make big changes.

Note that I am currently on 10.11.10 as version 11 was not stable for me (perhaps JDK 11 was the issue as I’ve read).

Hope this is useful.

Regards, Paul Landes

1 Like

Great contribution ! Would be nice to release and expose it on for people to find and install it easily :wink:

I see your configured it to be released on Maven central but AFAIK Maven central is not a big fan of dependencies not located on Maven central themsel (which is the case of all the org.xwiki.platform and or.xwiki.contrib stuff). You can take a look at if you want to release it on XWiki Maven repository.

Can’t think of anything either.

I deployed only the first dependency to Maven central because it can be used by other clients other than XWiki. However, I haven’t done anything with the PAM XWiki glue jar because I wanted to ask you guys what works best. Sounds like making it an extension is the way to go–but since I was able to drop it in as a jar in the tomcat lib directory so it seems to be already be an extension.

If you can tell me more specifically what needs to be done, even if it’s to just add the glue code to the XWiki repository, I’ll do that. In that case, once we do that, if maven central complains I’ll deploy the pwauth interaction code to XWiki’s repo as well. That said, I have other stuff on Maven central that are used across other projects and I haven’t gotten any heat.


Extensions don’t really have anything special technically, it’s just about exposing them so that Extension Manager find them. Right now the search is only supported with repository and others XWiki format repositories (Extension Manager can install stuff located on any Maven repository but you have to indicate the id and version explicitly).

Technically all it takes to be found is a page on with some metadata. The simplest way is to import an extension already deployed somewhere on (either on XWiki own Maven repository with most other XWiki extensions or any other repository proxied by which include Maven central so where you actually deploy it is your choice).

Hi Paul, this is great!

For creating an extension, you can check this or even this wiki:

Thanks @tmortagne and @vmassol. I have taken a look and it this process doesn’t look easy :). Looks like the POM will have to be formatted differently, I’ll have to be added and post to the developers list asking for Nexus access (done), and finally fiddle with JIRA.

I have asked in the Nexus request if there are others that can do it for more or at least more specifically guide me through this process. As mentioned, I don’t have too much time, but I am willing to spend time and give back to this awesome project.

Note that I’ve just modified which was referring to the old dev mailing list. We’ve replaced that with a forum now.

As I said in a previous message all it takes technically to have your extension searchable in Extension Manager is to import it from or Maven central in (in “Contribute Extension…” box). You can even create a wiki page and put the right objects and attachments by hand when you don’t have a Maven repository but it’s a bit tedious and error prone.

The reason that process (and I) recommand to have a repository on and a jira project is to make much easier for others to contribute to it and report issues/suggestions (link with other issues on XWiki jira, etc.). It really doesn’t take that much time (you can take a look at the LDAP authenticator pom for inspiration). There is nothing to do to make it an extension, it’s mostly standard release stuff (configuring where it’s deployed, the id of it’s jira project, the authors, etc.) which you already have but for Maven Central but having repositories listed in pom is usually not recommended for Maven in general since the target repository could go down, etc. The best is probably that you pass by the Riot chat when you have time so we can help you in a more realtime fashion :slight_smile: It would totally have time to do that myself but I feel that it would be better that you understand that process better if you plan to maintain your extension.

If you want to move you repository to xwiki-contrib (for it to be part of the community and easily found for contributors) you will need to make one of us owner so we can do the move. Would not make much sense to create a new one from scratch.
Re the naming, the repositories which only contain an authenticator on are usually prefixed with “authenticator-” (and I would use “PAM Authentiator” as <name> I think).

Great. I did take a look at the nexus site, but for that I believe I need a login.

Re chat: let’s do that. I did see something about IRC, but I assumed that was out of date. I haven’t used IRC in about 20 years.

IRC is still valid and working well :slight_smile:

But we also have a Matrix chat (bridged to IRC), see


You can use the IRC bridge if you insist but I don’t recommend it :slight_smile:

Yep that’s part of the things to ask for in the very official message :slight_smile:

OK Thanks all. I am have registered a matrix account on Riot and am on now. I have specifically asked for the Nexus account and what it would take to transfer it over to the XWiki GitHub organization. BTW–I actually did model the jar off of the LDAP extension so that’s already done. The only thing that differs is the naming convention (if that matters). I’m happy to change that to be compatible if necessary.