mod_authnz_ldap for Apache and the mystery of the missing REMOTE_USER

New changes in the Nagios instance. Those who use Nagios with authentication, probably know that it will break it the “REMOTE_USER” variable is not set.

This was the case for my Nagios environment after the upgrade, which I verified using a generic printenv script.

I modified the configurations for ldap authentication and most of the sites using LDAP worked fine with the exception of Nagios, where the lack of the “REMOTE_USER” environment variable resulted in a very ugly server errors.

The Apache documentation suggests that the “AuthLDAPRemoteUserAttribute” is necessary and should default to uid, which is how my LDAP system is configured. Well, sure, but it’s not working ….

Some more digging also revealed that the “AuthType” (in my case Basic) also introduces another option: “AuthBasicProvider”. This seems to default to file. Once I set this to ‘ldap’ nagios started working again.

To make a long story short, ldap authentication and authorization still works, but things have been more modularized, which requires some modification to the Apache configs. The modules that seem to interact and are required to some extent are: mod_authnz_ldap, mod_auth_basic, mod_auth_user, mod_auth_digest. Of course there are some more like mod_auth_host for host based authentication ….

Oh, and if you are doing some fancy authentication against multiple requirements, like host and user and you are using LDAP, then you probably want to look at “AuthzLDAPAuthoritative” as well. It defaults to ‘on’ but i’ve had to switch it to ‘off’ for several sites.


One Reply to “mod_authnz_ldap for Apache and the mystery of the missing REMOTE_USER”

  1. Hello Mathias,

    I am facing the same problem in PHP where the REMOTE_USER variable is getting null. Below is my ldap configuration

    vhost file ldap details

    AuthType Basic
    AuthBasicProvider human serviceaccount

    AuthName “nonCT”

    AuthzLDAPAuthoritative Off
    Require valid-user

    separate vhost file forldap authentication

    AuthLDAPURL “ldap://,o=test?cn”
    AuthLDAPBindDN “cn=saphpdtap,ou=users,ou=e-directory,ou=services,o=test”
    AuthLDAPBindPassword XXXXX

    AuthLDAPURL “ldap://,ou=e-Directory,ou=Services,o=test?cn”
    AuthLDAPBindDN “cn=saphpdtap,ou=users,ou=e-directory,ou=services,o=test”
    AuthLDAPBindPassword “XXXXX”

    Can you please help out.


Leave a Reply

Your email address will not be published. Required fields are marked *