mod_authnz_ldap for Apache and the mystery of the missing REMOTE_USER

Some new changes were needed in the Nagios instance. Those who run Nagios with authentication probably know that it breaks if the “REMOTE_USER” variable is not set.

This was the case for my Nagios environment after the upgrade, which I verified using a generic printenv CGI script.

I modified the configurations for LDAP authentication, and most of the sites using LDAP worked fine, with the exception of Nagios, where the lack of the “REMOTE_USER” environment variable resulted in some very ugly server errors.

The Apache documentation points at “AuthLDAPRemoteUserAttribute” as the directive that decides what ends up in REMOTE_USER; left unset, the username the user typed is used, and my LDAP system keys on uid anyway. Well, sure, but it’s not working ….

Some more digging revealed that the “AuthType” (in my case Basic) comes with another directive: “AuthBasicProvider”, which selects the back end that actually checks the credentials. It defaults to file, so the AuthLDAP* directives were parsed but never consulted. Once I set it to ‘ldap’, Nagios started working again.

To make a long story short, LDAP authentication and authorization still work, but they have been modularized: the front end for the AuthType (mod_auth_basic or mod_auth_digest) hands the credentials to one or more providers (mod_authnz_ldap, or mod_authn_file for the default), and the Require lines are evaluated by separate authorization modules. The modules that interact and are required to some extent are mod_authnz_ldap, mod_auth_basic, mod_authz_user and mod_auth_digest. Of course there are some more, like mod_authz_host for host-based access control ….

Oh, and if you are doing some fancy authorization against multiple requirements, like host and user, and you are using LDAP, then you probably want to look at “AuthzLDAPAuthoritative” as well. It defaults to ‘on’, which makes a refusal from mod_authnz_ldap final instead of letting the other authorization modules have a say; I’ve had to switch it to ‘off’ for several sites.
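To put the pieces above together, here is an added example of a Nagios location that gets REMOTE_USER from LDAP under the Apache 2.2 provider model the post describes (2.4 drops AuthzLDAPAuthoritative and handles Require through mod_authz_core). This is not the post’s own configuration; the hostname, base DN, bind DN, group DN and password are placeholders I assumed, not values from this site.

```apache
# Added example (not the author's config): a Nagios <Location> on Apache 2.2
# that populates REMOTE_USER from LDAP. All DNs, the hostname and the bind
# password below are placeholders (assumptions), not values from the post.
<Location /nagios>
    AuthType Basic
    AuthName "Nagios Access"

    # The fix from the post: without this line AuthBasicProvider defaults to
    # "file", the AuthLDAP* directives below are never consulted, and
    # REMOTE_USER stays unset, which is what broke the Nagios CGIs.
    AuthBasicProvider ldap

    # Apache binds to the directory with the password the browser sent over
    # Basic auth, so use ldaps:// (or ldap:// plus "LDAPTrustedMode TLS") to
    # keep that password off the wire between the web and directory servers.
    # URL form: scheme://host/basedn?attribute?scope?filter
    AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=person)"

    # Read-only service account used for the initial search; keep its rights
    # minimal since its password sits in the httpd config.
    AuthLDAPBindDN "cn=httpd-bind,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "placeholder-bind-password"

    # Copy the uid attribute of the matched entry into REMOTE_USER instead of
    # whatever the user typed into the browser dialog (case, DN, alias...).
    AuthLDAPRemoteUserAttribute uid

    # Authorization: restrict to a directory group rather than any bound user.
    Require ldap-group cn=nagios-admins,ou=Groups,dc=example,dc=com

    # Leave the default ("on") unless a non-LDAP Require, e.g. a host-based
    # rule from mod_authz_host, must also be able to satisfy the request;
    # "on" makes mod_authnz_ldap's refusal final.
    # AuthzLDAPAuthoritative off
</Location>
```

After a reload, request a printenv-style CGI behind the same location (httpd ships one as cgi-bin/printenv) and confirm that REMOTE_USER shows the uid rather than being absent; Nagios reads the same variable when cgi.cfg has use_authentication=1, so the authorized_for_* entries there must list those uid values.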

@matthias

One Reply to “mod_authnz_ldap for Apache and the mystery of the missing REMOTE_USER”

  1. Hello Mathias,

    I am facing the same problem in PHP, where the REMOTE_USER variable is null. Below is my LDAP configuration.

    vhost file LDAP details

    AuthType Basic
    AuthBasicProvider human serviceaccount

    AuthName "nonCT"

    AuthzLDAPAuthoritative Off
    Require valid-user

    separate vhost file for LDAP authentication

    AuthLDAPURL "ldap://ldap-eu-qas.test.com:389/ou=Users,o=test?cn"
    AuthLDAPBindDN "cn=saphpdtap,ou=users,ou=e-directory,ou=services,o=test"
    AuthLDAPBindPassword XXXXX

    AuthLDAPURL "ldap://ldap-eu-qas.test.com:389/ou=Users,ou=e-Directory,ou=Services,o=test?cn"
    AuthLDAPBindDN "cn=saphpdtap,ou=users,ou=e-directory,ou=services,o=test"
    AuthLDAPBindPassword "XXXXX"

    Can you please help out.

    Regards,
    Afzal
