The PAM Idea is very simple: Any application require authentication or want to authenticate users can link against PAM. But suppose that we have 2 methods for authentication: password files and ldap for example, In this case if we are not using PAM, and we are writing an application to authenticate the users, we'll have to implement both authentication methods, and if we want to add a 3rd method later, then we'll have to implement it again. This maybe simple for 1 or 2 apps. but now we have login, ftpd, sshd, telnetd, samba, ........ All of them need authentication.
The idea was simple, PAM, We'll write a library, this library'll be asked to do the actual authentication. and various authentication backends can be implemented as "plugins" or modules, So when we want to add a new authentication method "NIS For example" we'll have to only write a "module" for PAM and then all the PAM aware application can use it immediately. So to authenticate a user via a PAM aware application, The application request that the user be authenticated, and PAM'll handle all the dirty stuff ;-)
