diff --git a/REFERENCE.md b/REFERENCE.md
index 6eb361f..3769eeb 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -50,6 +50,8 @@ vas::realm: 'realm.example.com'
 The following parameters are available in the `vas` class:
 
 * [`manage_nis`](#-vas--manage_nis)
+* [`manage_pam`](#-vas--manage_pam)
+* [`manage_nsswitch`](#-vas--manage_nsswitch)
 * [`package_version`](#-vas--package_version)
 * [`enable_group_policies`](#-vas--enable_group_policies)
 * [`users_allow_entries`](#-vas--users_allow_entries)
@@ -176,6 +178,22 @@ FIXME Missing description
 
 Default value: `true`
 
+##### <a name="-vas--manage_pam"></a>`manage_pam`
+
+Data type: `Boolean`
+
+Include pam class
+
+Default value: `true`
+
+##### <a name="-vas--manage_nsswitch"></a>`manage_nsswitch`
+
+Data type: `Boolean`
+
+Include nsswitch class
+
+Default value: `true`
+
 ##### <a name="-vas--package_version"></a>`package_version`
 
 Data type: `String[1]`
diff --git a/manifests/init.pp b/manifests/init.pp
index e833d04..7425121 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -28,6 +28,12 @@
 # @param manage_nis
 #   FIXME Missing description
 #
+# @param manage_pam
+#   Include pam class
+#
+# @param manage_nsswitch
+#   Include nsswitch class
+#
 # @param package_version
 #   The VAS package version. Used when upgrading.
 #
@@ -473,6 +479,8 @@
 #   Whether TLS connections should be verified or not.
 class vas (
   Boolean $manage_nis                                                     = true,
+  Boolean $manage_pam                                                     = true,
+  Boolean $manage_nsswitch                                                = true,
   String[1] $package_version                                              = 'installed',
   Boolean $enable_group_policies                                          = true,
   Array[String[1]] $users_allow_entries                                   = [],
@@ -744,8 +752,16 @@
     fail("VAS domain mismatch, got <${facts['vas_domain']}> but wanted <${realm}>")
   }
 
-  include nsswitch
-  include pam
+  if $manage_nsswitch {
+    include nsswitch
+  }
+
+  if $manage_pam {
+    include pam
+    $vasinst_require = Class['pam']
+  } else {
+    $vasinst_require = undef
+  }
 
   if $_vas_is_v3 == true {
     # vasgpd service only in VAS 3
@@ -970,7 +986,7 @@
       path    => '/sbin:/bin:/usr/bin:/opt/quest/bin',
       timeout => 1800,
       creates => $once_file,
-      before  => Class['pam'],
+      before  => $vasinst_require,
       require => [Package['vasclnt'], Package['vasgp'], File['keytab'], $require_yp_package],
     }
 
diff --git a/spec/classes/data_types_spec.rb b/spec/classes/data_types_spec.rb
index ee4fac6..d88dbcb 100644
--- a/spec/classes/data_types_spec.rb
+++ b/spec/classes/data_types_spec.rb
@@ -39,10 +39,11 @@
           message: 'expects an Array|index .* expects a String value',
         },
         'Boolean' => {
-          name:    ['manage_nis', 'enable_group_policies', 'domain_change', 'vas_conf_vasd_workstation_mode',
-                    'vas_conf_vasd_workstation_mode_group_do_member', 'vas_conf_vasd_workstation_mode_groups_skip_update',
-                    'vas_conf_vasd_ws_resolve_uid', 'vas_conf_libdefaults_forwardable', 'vas_conf_libvas_site_only_servers',
-                    'vas_conf_libvas_use_dns_srv', 'vas_conf_libvas_use_tcp_only', 'symlink_vastool_binary', 'unjoin_vas'],
+          name:    ['manage_nis', 'manage_pam', 'manage_nsswitch', 'enable_group_policies', 'domain_change',
+                    'vas_conf_vasd_workstation_mode', 'vas_conf_vasd_workstation_mode_group_do_member',
+                    'vas_conf_vasd_workstation_mode_groups_skip_update', 'vas_conf_vasd_ws_resolve_uid',
+                    'vas_conf_libdefaults_forwardable', 'vas_conf_libvas_site_only_servers', 'vas_conf_libvas_use_dns_srv',
+                    'vas_conf_libvas_use_tcp_only', 'symlink_vastool_binary', 'unjoin_vas'],
           valid:   [true, false],
           invalid: ['true', 'false', ['array'], { 'ha' => 'sh' }, 3, 2.42, nil],
           message: 'expects a Boolean',
diff --git a/spec/classes/parameter_spec.rb b/spec/classes/parameter_spec.rb
index c48ed5b..868ecf3 100644
--- a/spec/classes/parameter_spec.rb
+++ b/spec/classes/parameter_spec.rb
@@ -88,6 +88,44 @@
         end
       end
 
+      [true, false].each do |value|
+        describe "with manage_nsswitch set to valid #{value}" do
+          let(:params) do
+            required_params.merge(
+              manage_nsswitch: value,
+              # Class PAM includes nsswitch as well, disable it for test
+              manage_pam: value,
+            )
+          end
+
+          case value
+          when true
+            it { is_expected.to contain_class('nsswitch') }
+          else
+            it { is_expected.not_to contain_class('nsswitch') }
+          end
+        end
+      end
+
+      [true, false].each do |value|
+        describe "with manage_pam set to valid #{value}" do
+          let(:params) do
+            required_params.merge(
+              manage_pam: value,
+            )
+          end
+
+          case value
+          when true
+            it { is_expected.to contain_class('pam') }
+            it { is_expected.to contain_exec('vasinst').with_before('Class[Pam]') }
+          else
+            it { is_expected.not_to contain_class('pam') }
+            it { is_expected.not_to contain_exec('vasinst').with_before('Class[Pam]') }
+          end
+        end
+      end
+
       describe 'with manage_nis set to valid true and nisdomainname is defined' do
         let(:params) do
           required_params.merge(