The idea of unified authentication behind a single API like PAM is very attractive to me. However, PAM seems to be more oriented toward shell authentication, offers a rather limited set of features from its API, and requires system-wide configuration from a file.

I'm looking for something like this for a CGI (C language) web interface that authenticates users using RADIUS, or with PostgreSQL. At the moment, different code is used for one or the other. In the future, it would be nice to extend the set of authentication mechanisms to LDAP, Windows Active Directory, MySQL, etc., but implementing them all by hand would be long and painful.

So libpam still is the winner, but the main problem is that additional information other than just login, name, password or home directory must be recorded. Also, file configuration must be avoided. Preferably, the user should configure everything from the program's own configuration file. Finally, a small footprint is important as it is intended for an embedded application, and high-level languages such as Perl, Python and PHP are avoided.

How would you deal with that?

+1  A: 

I'm not certain this applies to your problem, but have you considered using a SASL library? I've had good experiences with Cyrus SASL.

rampion
Thanks for your comment. I didn't know about it. From what I understand, SASL is used to negotiate a security layer between a client and a server. So given a SASL-compatible server, one could authenticate against it without having to worry about what is running behind it (POP3, LDAP, ...). Interesting.
pierrelucbacon