Subject: Re: integrating PAM
To: None <netbsd99@sudog.com>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
List: current-users
Date: 01/23/2003 13:33:53
>All PAM implementations I've seen are needlessly complex and difficult to 
>modify and use in a large-ish environment. On a system with 40,000 busy user 
>accounts, every PAM I've seen bogs down to the point where logins can time 
>out before the PAM auth returns. Compiling out PAM support is kind of a pain.

So, what exactly was the back-end authentication system that PAM was
using in this case? I mean, I'm not saying PAM is perfect, but it's
really just a shim to some other kind of authentication system.  I have
a hard time believing, for example, a PAM module that implemented
the traditional Unix /etc/passwd authentication would really impact
performance at all.  And if it was something like LDAP ... is it PAM
that was at fault, or LDAP?

--Ken