GnuCash and simple MySQL/MariaDB PAM authentication

1. PAM (Pluggable Authentication Modules)
2. MariaDB/MySQL
3. Libdbi and libdbd-mysql driver
4. GnuCash

Starting off with PAM, you need to have your system configured for your authentication method. I am using Active Directory, and all users are authenticated against it. I will not go into detail here.

Next, let's talk about MariaDB (MySQL). MariaDB supports plugins. Two supplied plugins are the cleartext and the dialog plugin. We are focusing here on the cleartext plugin, as the dialog plugin adds additional complexity and support requirements. The cleartext plugin works with a simple username/password (dialog can even add two-factor authentication and other features). Your database server must have the plugin enabled. Find more information here: https://mariadb.com/kb/en/authentication-plugin-pam.

Libdbi is a library used by GnuCash to support multiple database backends. As libdbi does not expose all native MariaDB functions, it limits the setup somewhat. It is the key component though, as libdbi is the interface between GnuCash and the database. To cut it short, there is no dialog plugin support built into libdbi, so you would have to rewrite the code. If you are using the MySQL connector for C, you need to enable the cleartext plugin on connection. This is not possible without modifying the source code and recompiling (but should be easy by just adding a line of code). So this leaves us with the MariaDB Connector for C. Only the latest versions (I have tested 3.19) have the cleartext plugin enabled by default. So you need to upgrade your connector manually or wait until your repository supplies this version. Or you grab it from the OS Tools copr repository:
dnf -y copr enable sbluhm/os-tools
dnf -y install mariadb-connector-c # or update it.

This is it. Now you should be able to use the PAM authentication of the DB OS. No changes are required on the GnuCash side for cleartext. The dialog plugin is certainly different...

Note: If you use the cleartext plugin, you should enable link encryption as the password is submitted in clear text!
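
The server-side half of this setup, as an added example that is not part of the original post: it enables the PAM plugin, creates a PAM-authenticated account that the server refuses over unencrypted links, and audits for PAM accounts that lack that requirement. The account name, host pattern, database name and the PAM service name 'mariadb' are assumptions; with REQUIRE SSL the client must be able to negotiate TLS or the login is rejected.

```sql
-- Added example. Assumed names (not from the original post):
--   account 'gnucash_user', database 'gnucash',
--   PAM service 'mariadb' (i.e. the file /etc/pam.d/mariadb).

-- 1. Load the server-side PAM authentication plugin (once per server).
INSTALL SONAME 'auth_pam';

-- 2. Confirm the plugin is active before creating accounts that depend on it.
SELECT plugin_name, plugin_status
  FROM information_schema.plugins
 WHERE plugin_name = 'pam';

-- Weak form: the account may log in over a plain TCP connection, so the
-- cleartext plugin sends the PAM password unencrypted across the network.
--   CREATE USER 'gnucash_user'@'%' IDENTIFIED VIA pam USING 'mariadb';

-- Hardened form: same PAM account, but the server only accepts the login
-- when the connection is TLS-encrypted. Narrow '%' to your client hosts.
CREATE USER 'gnucash_user'@'%'
  IDENTIFIED VIA pam USING 'mariadb'
  REQUIRE SSL;

-- GnuCash creates and alters its own tables, so scope the grant to its
-- database only rather than granting global privileges.
GRANT ALL PRIVILEGES ON gnucash.* TO 'gnucash_user'@'%';

-- 3. Audit: PAM accounts that can still authenticate without TLS.
--    An empty ssl_type means no TLS requirement is set on the account.
SELECT user, host, plugin, ssl_type
  FROM mysql.user
 WHERE plugin = 'pam'
   AND ssl_type = '';

-- 4. Fix any account the audit returns (placeholder name shown):
--   ALTER USER 'existing_pam_user'@'%' REQUIRE SSL;

-- 5. From a client session, verify the link is actually encrypted.
--    A non-empty Value is the negotiated cipher; empty means plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```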