Hello Team Volvo,
PAM can act as a password vault and it can act as an access method to reach devices. Passwords from the password vault can be used to log in to the devices. This does not change the authentication behavior of the device itself.
Q: We would like to configure central user administration without an agent on the target endpoint. Is it possible with PAM?
A: Yes. PAM does not require any agents on the devices that it connects to (although some agents are available to add functionalities). PAM can be used to manage the passwords through various methods. PAM is NOT a replacement for your current user administration system (like AD); it can, however, interact with these systems to manage passwords and allow authentication.
Q: Can AD users log in to a Linux machine without having an agent on the endpoint?
A: In general Linux is not able to use AD for authentication without some kind of agent installed to broker the connection. PAM does not change this.
Q: Can local PAM users log in to Linux without any agent on the endpoint?
A: Local PAM users in general are only used to log in to PAM. It is possible to set PAM up as a SAML IdP, which may allow you to use PAM local accounts for access to other systems. I have not personally tested this situation, but I suspect that this would also require some sort of agent on the Linux end to enable this type of authentication.
Doc link on using PAM as IdP:
Act as an Identity Provider (IdP) - CA Privileged Access Manager - 2.8.2 - CA Technologies Documentation
-Christian