in reply to Hide DBI password in scripts
A few specific examples:
As of MySQL 5.5.16, MySQL Enterprise Edition supports an authentication method that enables MySQL Server to use PAM (Pluggable Authentication Modules) to authenticate MySQL users. PAM enables a system to use a standard interface to access various kinds of authentication methods, such as Unix passwords or an LDAP directory. (...) PAM authentication enables MySQL Server to accept connections from users defined outside the MySQL grant tables and that authenticate using methods supported by PAM. (...) PAM authentication can return to MySQL a user name different from the login user, based on the groups the external user is in and the authentication string provided. This means that the plugin can return the MySQL user that defines the privileges the external PAM-authenticated user should have. For example, a user named joe can connect and have the privileges of the user named developer.
When you are developing applications that are meant to face the internet, you typically have to roll your own authentication and authorization infrastructure. But, in an intranet environment, as I said previously, these practices are usually not allowed. Developers often develop applications that will run against production databases which they don’t have any access to. These databases are not secured using user names and passwords: they are secured with rules that are centrally managed. Best practices and an increasing body of laws throughout the world mandate these requirements. The enterprise centrally manages the dual concerns of authentication and authorization, and does not permit any installed application or subsystem to use alternate means.
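The proxy-user mapping described in the quoted MySQL documentation, written out as an added example (not part of the original post and not taken from any particular site's configuration). The PAM service name `mysql`, the OS group `devs`, the database `appdb` and the placeholder password are assumptions made for illustration.

```sql
-- Added illustration. Constructed names: PAM service 'mysql',
-- OS group 'devs', database 'appdb'.

-- 1. The proxied account. It carries the privileges, but nobody logs in
--    as it directly, so its password is random and stored nowhere.
CREATE USER 'developer'@'localhost'
  IDENTIFIED BY '<placeholder-random-password>';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON appdb.* TO 'developer'@'localhost';

-- 2. The default proxy account. Any login name that has no MySQL account
--    of its own (e.g. joe) matches ''@'' and is handed to PAM.
--    Authentication string: PAM service name, then group=mysql_user pairs.
--    Members of OS group 'devs' are mapped to the MySQL user 'developer'.
CREATE USER ''@''
  IDENTIFIED WITH authentication_pam
  AS 'mysql, devs=developer';

-- 3. Allow the proxy account to assume the proxied account.
--    Without this grant the group mapping is rejected at connect time.
GRANT PROXY ON 'developer'@'localhost' TO ''@'';

-- 4. Run as the externally authenticated user to confirm the mapping.
--    USER() reports the login name supplied by the client,
--    CURRENT_USER() the account whose privileges are in effect,
--    @@proxy_user the proxy account that was matched.
SELECT USER(), CURRENT_USER(), @@proxy_user;

-- 5. Audit which accounts may proxy as which others.
SHOW GRANTS FOR ''@'';
```

With PAM authentication the client still sends the external user's password to the server, and it travels as clear text inside the protocol, so such connections should be restricted to TLS or a local socket. What moves out of the script and the grant tables is the account definition and the privilege mapping, which are now driven by the centrally managed directory and its groups.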