Ensure that apxs (Red Hat) / apxs2 (Debian) is installed.
apxs2 -c -i -a mod_auth_override.c
Where needed, add the AuthOverride directive to cause REMOTE_USER to be updated.
<Directory "/srv/www.example.com/htdocs">
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/srv/www.example.com/etc/htpasswd"
    Require valid-user
    RequestHeaderPlus set SOME_HEADER bob
    AuthOverride SOME_HEADER
</Directory>
Suppose that the 'htpasswd' file contains an entry for a user 'alice'.
After successful authentication (based on the standard behaviour of mod_authn_file), REMOTE_USER is set to 'alice'.
This module, mod_auth_override, implements a fixup hook that will update REMOTE_USER to the value of the request header, SOME_HEADER (in this case, 'bob').
It is critical, from a security perspective, that SOME_HEADER be set by an AuthN or AuthZ provider such as mod_auth_cas rather than passed in by the client.
RequestHeaderPlus, from mod_setenvifplus, is used in the example above solely to demonstrate the use of AuthOverride.
It is assumed that the request header used with AuthOverride will be set by mod_auth_cas.
For example, suppose that the original value of REMOTE_USER as set by mod_auth_cas is 'alice' but that the value desired by the application is '[email protected]' and that this desired value is available from the CAS_eduPersonPrincipalName header in the request; then the configuration could be:
<IfModule mod_auth_cas.c>
    # ... other CAS directives ...
    CASValidateSAML on
    CASAuthoritative on
    CASAttributePrefix CAS_
</IfModule>
<VirtualHost www.example.com:443>
    # ... other VirtualHost directives ...
    <IfModule mod_auth_cas.c>
        <Location "/secure">
            AuthType CAS
            CASScrubRequestHeaders on
            CASAuthNHeader CAS_user
            Require cas-attribute eduPersonPrincipalName~.+
            AuthOverride CAS_eduPersonPrincipalName
        </Location>
    </IfModule>
</VirtualHost>
Use of the combination of directives 'CASScrubRequestHeaders' and 'Require cas-attribute' ensures that the header used with AuthOverride is, in fact, set by mod_auth_cas.
PLEASE NOTE that a recent version of mod_auth_cas is required for 'Require cas-attribute' functionality: specifically, one that supports the 'CASAuthoritative' directive.
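The two safeguards above can be checked mechanically before a configuration is deployed. The following is an added example, not part of mod_auth_override or mod_auth_cas: a small Python audit that flags any AuthOverride whose header is not covered by 'CASScrubRequestHeaders on' and a matching 'Require cas-attribute' in the same block. It assumes the 'CAS_' prefix used above and checks each Directory/Location block on its own, ignoring inheritance and nesting; the function names and the sample configuration are constructed for illustration.

```python
import re
# Constructed sample (not from the project): /secure follows the README's CAS
# pattern; /legacy overrides REMOTE_USER from a header nothing vouches for.
SAMPLE = '''
<Location "/secure">
  AuthType CAS
  CASScrubRequestHeaders on
  Require cas-attribute eduPersonPrincipalName~.+
  AuthOverride CAS_eduPersonPrincipalName
</Location>
<Location "/legacy">
  AuthType Basic
  Require valid-user
  AuthOverride X-Remote-User
</Location>
'''
SECTION_OPEN = re.compile(r'<(Directory|Location|Files)\w*\s+"?([^">]+)"?\s*>', re.I)
SECTION_CLOSE = re.compile(r'</(Directory|Location|Files)\w*>', re.I)

def audit_auth_override(conf_text, prefix="CAS_"):
    """Return {section: [problems]} for sections with an unprotected AuthOverride."""
    findings, section, directives = {}, None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = SECTION_OPEN.match(line)
        if opened:
            section, directives = opened.group(2), []
        elif SECTION_CLOSE.match(line) and section is not None:
            problems = check_section(directives, prefix)
            if problems:
                findings[section] = problems
            section = None
        elif section is not None and line and not line.startswith("#"):
            directives.append(line.split(None, 1))
    return findings

def check_section(directives, prefix):
    """Apply the README's two safeguards to every AuthOverride in one section."""
    # Directive names are case-insensitive in httpd, so compare them lowercased.
    low = [(d[0].lower(), d[1].strip() if len(d) > 1 else "") for d in directives]
    scrub = ("casscrubrequestheaders", "on") in [(n, a.lower()) for n, a in low]
    required = [a.split(None, 1)[1] for n, a in low
                if n == "require" and a.lower().startswith("cas-attribute ")]
    problems = []
    for header in [a for n, a in low if n == "authoverride"]:
        if not scrub:
            problems.append(f"{header}: CASScrubRequestHeaders is not on")
        attr = header[len(prefix):] if header.startswith(prefix) else None
        if attr is None or not any(re.match(re.escape(attr) + r"[:~]", r) for r in required):
            problems.append(f"{header}: no matching Require cas-attribute")
    return problems
```

Calling audit_auth_override() on the text of a configuration file returns an empty dict when every AuthOverride is covered; the RequestHeaderPlus demonstration block at the top of this README is reported, as expected.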
Patches providing rpm or deb packaging welcome.