I wanted to use LDAP auth for Miniflux. For some reason I had trouble getting the header passed through successfully. I haven't needed this type of a setup for years and I don't remember it being this finicky, but it kept failing to pass through the username in the configured header. This documents it in a working state.
Apache vhost config:
<VirtualHost *:443>
ServerName feeds.feld.me
DocumentRoot /usr/local/www/apache24/data/
SSLEngine on
# Other SSL etc options removed for brevity
# Require LDAP auth for most requests except POST
<LocationMatch "^/.*">
AuthType Basic
AuthName Miniflux
AuthBasicProvider ldap
AuthLDAPURL ldaps://ldap.d.feld.me:636/ou=users,dc=feld,dc=me?uid
AuthLDAPRemoteUserAttribute uid
<RequireAny>
Require method POST
Require valid-user
#Require ldap-group cn=yourgroup,...
</RequireAny>
</LocationMatch>
# API requests to /accounts/ and /reader/ should be permitted without LDAP auth
# so feed readers like NetNewsWire using the FreshRSS protocol work
<LocationMatch "^/(accounts|reader)/.*">
AuthType None
Require all granted
</LocationMatch>
RewriteEngine On
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
RequestHeader set REMOTE_USER "%{PROXY_USER}e"
ProxyRequests Off
ProxyPass "/" "http://feeds.d.feld.me:8000/"
ProxyPassReverse "/" "http://feeds.d.feld.me:8000/"
</VirtualHost>
Miniflux envs:
DISABLE_LOCAL_AUTH=true
AUTH_PROXY_HEADER=REMOTE_USER
AUTH_PROXY_USER_CREATION=true
Now it should accept your LDAP users automagically.