--- a/src/constants.rs	Tue Jul 15 01:32:21 2025 -0400
+++ b/src/constants.rs	Wed Jul 16 18:45:20 2025 -0400
@@ -2,7 +2,6 @@
 
 use crate::_doc::{linklist, man7, manbsd, xsso};
 use bitflags::bitflags;
-use libpam_sys_consts::constants;
 use num_enum::{IntoPrimitive, TryFromPrimitive};
 use std::error::Error;
 use std::ffi::c_int;
@@ -10,6 +9,133 @@
 use std::fmt::{Display, Formatter};
 use std::result::Result as StdResult;
 
+#[cfg(features = "link")]
+use libpam_sys_consts::constants as pam_constants;
+
+
+/// The union of constants available in all versions of PAM.
+/// The values here are fictitious and should not be used.
+#[cfg(not(features = "link"))]
+mod pam_constants {
+    pub const PAM_SUCCESS: i32 = 0;
+
+    /// Generates a sequence of values.
+    macro_rules! c_enum {
+        ($first:ident = $value:expr, $($rest:ident,)*) => {
+            c_enum!(($value) $first, $($rest,)*);
+        };
+        (($value:expr) $first:ident, $($rest:ident,)*) => {
+            pub const $first: i32 = $value;
+            c_enum!(($value+1) $($rest,)*);
+        };
+        (($value:expr)) => {};
+    }
+
+    // Since all these values are fictitious, we can start them wherever.
+    // All the items.
+    c_enum!(
+        PAM_SERVICE = 64,
+        PAM_USER,
+        PAM_TTY,
+        PAM_RHOST,
+        PAM_CONV,
+        PAM_AUTHTOK,
+        PAM_OLDAUTHTOK,
+        PAM_RUSER,
+        PAM_USER_PROMPT,
+        // Linux-only items.
+        PAM_FAIL_DELAY,
+        PAM_XDISPLAY,
+        PAM_XAUTHDATA,
+        PAM_AUTHTOK_TYPE,
+        // OpenPAM-only items.
+        PAM_REPOSITORY,
+        PAM_AUTHTOK_PROMPT,
+        PAM_OLDAUTHTOK_PROMPT,
+        PAM_HOST,
+        // Sun-only items.
+        PAM_RESOURCE,
+        PAM_AUSER,
+    );
+
+    // Prompt types.
+    c_enum!(
+        PAM_PROMPT_ECHO_OFF = 96,
+        PAM_PROMPT_ECHO_ON,
+        PAM_ERROR_MSG,
+        PAM_TEXT_INFO,
+        PAM_RADIO_TYPE,
+        PAM_BINARY_PROMPT,
+    );
+
+    // Errors.
+    c_enum!(
+        PAM_OPEN_ERR = 128,
+        PAM_SYMBOL_ERR,
+        PAM_SERVICE_ERR,
+        PAM_SYSTEM_ERR,
+        PAM_BUF_ERR,
+        PAM_PERM_DENIED,
+        PAM_AUTH_ERR,
+        PAM_CRED_INSUFFICIENT,
+        PAM_AUTHINFO_UNAVAIL,
+        PAM_USER_UNKNOWN,
+        PAM_MAXTRIES,
+        PAM_NEW_AUTHTOK_REQD,
+        PAM_ACCT_EXPIRED,
+        PAM_SESSION_ERR,
+        PAM_CRED_UNAVAIL,
+        PAM_CRED_EXPIRED,
+        PAM_CRED_ERR,
+        PAM_NO_MODULE_DATA,
+        PAM_CONV_ERR,
+        PAM_AUTHTOK_ERR,
+        PAM_AUTHTOK_RECOVERY_ERR,
+        PAM_AUTHTOK_LOCK_BUSY,
+        PAM_AUTHTOK_DISABLE_AGING,
+        PAM_TRY_AGAIN,
+        PAM_IGNORE,
+        PAM_ABORT,
+        PAM_AUTHTOK_EXPIRED,
+        PAM_MODULE_UNKNOWN,
+        PAM_BAD_ITEM,
+        PAM_CONV_AGAIN,
+        PAM_INCOMPLETE,
+        // OpenPAM-only errors.
+        PAM_DOMAIN_UNKNOWN,
+        PAM_BAD_HANDLE,
+        PAM_BAD_FEATURE,
+        PAM_BAD_CONSTANT,
+    );
+
+    macro_rules! flag_enum {
+        ($first:ident = $value:expr, $($rest:ident,)*) => {
+            flag_enum!(($value) $first, $($rest,)*);
+        };
+        (($value:expr) $first:ident, $($rest:ident,)*) => {
+            pub const $first: i32 = $value;
+            flag_enum!(($value*2) $($rest,)*);
+        };
+        (($value:expr)) => {};
+    }
+
+    flag_enum!(
+        PAM_SILENT = 256,
+        PAM_DISALLOW_NULL_AUTHTOK,
+        PAM_ESTABLISH_CRED,
+        PAM_DELETE_CRED,
+        PAM_REINITIALIZE_CRED,
+        PAM_REFRESH_CRED,
+
+        PAM_CHANGE_EXPIRED_AUTHTOK,
+
+        PAM_PRELIM_CHECK,
+        PAM_UPDATE_AUTHTOK,
+        PAM_DATA_REPLACE,
+        PAM_DATA_SILENT,
+    );
+}
+
 /// Creates a bitflags! macro, with an extra SILENT element.
 macro_rules! pam_flags {
     (
@@ -24,7 +150,7 @@
             #[repr(transparent)]
             pub struct $name: c_int {
                 /// The module should not generate any messages.
-                const SILENT = constants::PAM_SILENT;
+                const SILENT = pam_constants::PAM_SILENT;
                 $($inner)*
             }
         }
@@ -37,7 +163,7 @@
         /// The module should return [AuthError](ErrorCode::AuthError)
         /// if the user has an empty authentication token, rather than
         /// allowing them to log in.
-        const DISALLOW_NULL_AUTHTOK = constants::PAM_DISALLOW_NULL_AUTHTOK;
+        const DISALLOW_NULL_AUTHTOK = pam_constants::PAM_DISALLOW_NULL_AUTHTOK;
     }
 }
 
@@ -47,11 +173,11 @@
         /// Indicates that the user's authentication token should
         /// only be changed if it is expired. If not passed,
         /// the authentication token should be changed unconditionally.
-        const CHANGE_EXPIRED_AUTHTOK = constants::PAM_CHANGE_EXPIRED_AUTHTOK;
+        const CHANGE_EXPIRED_AUTHTOK = pam_constants::PAM_CHANGE_EXPIRED_AUTHTOK;
 
         /// Don't check if the password is any good (Sun only).
         #[cfg(pam_impl = "Sun")]
-        const NO_AUTHTOK_CHECK = constants::PAM_NO_AUTHTOK_CHECK;
+        const NO_AUTHTOK_CHECK = pam_constants::PAM_NO_AUTHTOK_CHECK;
     }
 }
 
@@ -105,13 +231,13 @@
     /// The credential management action that should take place.
     CredAction {
         /// Set the user's credentials from this module. Default if unspecified.
-        Establish = constants::PAM_ESTABLISH_CRED,
+        Establish = pam_constants::PAM_ESTABLISH_CRED,
         /// Revoke the user's credentials established by this module.
-        Delete = constants::PAM_DELETE_CRED,
+        Delete = pam_constants::PAM_DELETE_CRED,
         /// Fully reinitialize the user's credentials from this module.
-        Reinitialize = constants::PAM_REINITIALIZE_CRED,
+        Reinitialize = pam_constants::PAM_REINITIALIZE_CRED,
         /// Extend the lifetime of the user's credentials from this module.
-        Refresh = constants::PAM_REFRESH_CRED,
+        Refresh = pam_constants::PAM_REFRESH_CRED,
     }
 }
 
@@ -133,9 +259,9 @@
     AuthtokAction {
         /// This is a preliminary call to check if we're ready to change passwords
         /// and that the new password is acceptable.
-        PreliminaryCheck = constants::PAM_PRELIM_CHECK,
+        PreliminaryCheck = pam_constants::PAM_PRELIM_CHECK,
         /// You should actually update the password.
-        Update = constants::PAM_UPDATE_AUTHTOK,
+        Update = pam_constants::PAM_UPDATE_AUTHTOK,
     }
 }
 
@@ -168,49 +294,49 @@
 #[non_exhaustive] // C might give us anything!
 #[repr(i32)]
 pub enum ErrorCode {
-    OpenError = constants::PAM_OPEN_ERR,
-    SymbolError = constants::PAM_SYMBOL_ERR,
-    ServiceError = constants::PAM_SERVICE_ERR,
-    SystemError = constants::PAM_SYSTEM_ERR,
-    BufferError = constants::PAM_BUF_ERR,
-    PermissionDenied = constants::PAM_PERM_DENIED,
-    AuthenticationError = constants::PAM_AUTH_ERR,
-    CredentialsInsufficient = constants::PAM_CRED_INSUFFICIENT,
-    AuthInfoUnavailable = constants::PAM_AUTHINFO_UNAVAIL,
-    UserUnknown = constants::PAM_USER_UNKNOWN,
-    MaxTries = constants::PAM_MAXTRIES,
-    NewAuthTokRequired = constants::PAM_NEW_AUTHTOK_REQD,
-    AccountExpired = constants::PAM_ACCT_EXPIRED,
-    SessionError = constants::PAM_SESSION_ERR,
-    CredentialsUnavailable = constants::PAM_CRED_UNAVAIL,
-    CredentialsExpired = constants::PAM_CRED_EXPIRED,
-    CredentialsError = constants::PAM_CRED_ERR,
-    NoModuleData = constants::PAM_NO_MODULE_DATA,
-    ConversationError = constants::PAM_CONV_ERR,
-    AuthTokError = constants::PAM_AUTHTOK_ERR,
-    AuthTokRecoveryError = constants::PAM_AUTHTOK_RECOVERY_ERR,
-    AuthTokLockBusy = constants::PAM_AUTHTOK_LOCK_BUSY,
-    AuthTokDisableAging = constants::PAM_AUTHTOK_DISABLE_AGING,
-    TryAgain = constants::PAM_TRY_AGAIN,
-    Ignore = constants::PAM_IGNORE,
-    Abort = constants::PAM_ABORT,
-    AuthTokExpired = constants::PAM_AUTHTOK_EXPIRED,
+    OpenError = pam_constants::PAM_OPEN_ERR,
+    SymbolError = pam_constants::PAM_SYMBOL_ERR,
+    ServiceError = pam_constants::PAM_SERVICE_ERR,
+    SystemError = pam_constants::PAM_SYSTEM_ERR,
+    BufferError = pam_constants::PAM_BUF_ERR,
+    PermissionDenied = pam_constants::PAM_PERM_DENIED,
+    AuthenticationError = pam_constants::PAM_AUTH_ERR,
+    CredentialsInsufficient = pam_constants::PAM_CRED_INSUFFICIENT,
+    AuthInfoUnavailable = pam_constants::PAM_AUTHINFO_UNAVAIL,
+    UserUnknown = pam_constants::PAM_USER_UNKNOWN,
+    MaxTries = pam_constants::PAM_MAXTRIES,
+    NewAuthTokRequired = pam_constants::PAM_NEW_AUTHTOK_REQD,
+    AccountExpired = pam_constants::PAM_ACCT_EXPIRED,
+    SessionError = pam_constants::PAM_SESSION_ERR,
+    CredentialsUnavailable = pam_constants::PAM_CRED_UNAVAIL,
+    CredentialsExpired = pam_constants::PAM_CRED_EXPIRED,
+    CredentialsError = pam_constants::PAM_CRED_ERR,
+    NoModuleData = pam_constants::PAM_NO_MODULE_DATA,
+    ConversationError = pam_constants::PAM_CONV_ERR,
+    AuthTokError = pam_constants::PAM_AUTHTOK_ERR,
+    AuthTokRecoveryError = pam_constants::PAM_AUTHTOK_RECOVERY_ERR,
+    AuthTokLockBusy = pam_constants::PAM_AUTHTOK_LOCK_BUSY,
+    AuthTokDisableAging = pam_constants::PAM_AUTHTOK_DISABLE_AGING,
+    TryAgain = pam_constants::PAM_TRY_AGAIN,
+    Ignore = pam_constants::PAM_IGNORE,
+    Abort = pam_constants::PAM_ABORT,
+    AuthTokExpired = pam_constants::PAM_AUTHTOK_EXPIRED,
     #[cfg(feature = "basic-ext")]
-    ModuleUnknown = constants::PAM_MODULE_UNKNOWN,
+    ModuleUnknown = pam_constants::PAM_MODULE_UNKNOWN,
     #[cfg(feature = "basic-ext")]
-    BadItem = constants::PAM_BAD_ITEM,
+    BadItem = pam_constants::PAM_BAD_ITEM,
     #[cfg(feature = "linux-pam-ext")]
-    ConversationAgain = constants::PAM_CONV_AGAIN,
+    ConversationAgain = pam_constants::PAM_CONV_AGAIN,
     #[cfg(feature = "linux-pam-ext")]
-    Incomplete = constants::PAM_INCOMPLETE,
+    Incomplete = pam_constants::PAM_INCOMPLETE,
     #[cfg(feature = "openpam-ext")]
-    DomainUnknown = constants::PAM_DOMAIN_UNKNOWN,
+    DomainUnknown = pam_constants::PAM_DOMAIN_UNKNOWN,
     #[cfg(feature = "openpam-ext")]
-    BadHandle = constants::PAM_BAD_HANDLE,
+    BadHandle = pam_constants::PAM_BAD_HANDLE,
     #[cfg(feature = "openpam-ext")]
-    BadFeature = constants::PAM_BAD_FEATURE,
+    BadFeature = pam_constants::PAM_BAD_FEATURE,
     #[cfg(feature = "openpam-ext")]
-    BadConstant = constants::PAM_BAD_CONSTANT,
+    BadConstant = pam_constants::PAM_BAD_CONSTANT,
 }
 
 /// A PAM-specific Result type with an [ErrorCode] error.
@@ -280,12 +406,12 @@
     fn test_enums() {
         assert_eq!(Ok(()), ErrorCode::result_from(0));
         assert_eq!(
-            constants::PAM_SESSION_ERR,
+            pam_constants::PAM_SESSION_ERR,
             ErrorCode::result_to_c::<()>(Err(ErrorCode::SessionError))
         );
         assert_eq!(
             Err(ErrorCode::Abort),
-            ErrorCode::result_from(constants::PAM_ABORT)
+            ErrorCode::result_from(pam_constants::PAM_ABORT)
         );
         assert_eq!(Err(ErrorCode::SystemError), ErrorCode::result_from(423));
     }
@@ -297,9 +423,9 @@
         assert_eq!(
             Ok((
                 AuthtokAction::Update,
-                AuthtokFlags::from_bits_retain(0x7fff0000)
+                AuthtokFlags::from_bits_retain(0x7f000000)
             )),
-            AuthtokAction::extract(0x7fff0000 | constants::PAM_UPDATE_AUTHTOK)
+            AuthtokAction::extract(0x7f000000 | pam_constants::PAM_UPDATE_AUTHTOK)
         );
         CredAction::extract(0xffff).expect_err("too many set");
         assert_eq!(
@@ -308,7 +434,7 @@
         );
         assert_eq!(
             Ok((CredAction::Delete, BaseFlags::from_bits_retain(0x55000000))),
-            CredAction::extract(0x55000000 | constants::PAM_DELETE_CRED)
+            CredAction::extract(0x55000000 | pam_constants::PAM_DELETE_CRED)
         );
     }
 }