Zammad ignores REMOTE_USER in api calls?

Infos:

  • Used Zammad version: 4.0.1
  • Installation method (source, package, …): Package
  • Operating system: Debian 10
  • Database + version: Postgres 11
  • Elasticsearch version:
  • Browser + version: Curl

Expected behavior:

  • Zammad uses REMOTE_USER set by NGINX

Actual behavior:

  • Zammad uses authorisation

Steps to reproduce the behavior:

  • Set up Zammad with Authorisation by Webserver (e.g. TLS Client Certificate)
  • call any /api URL

Is this really intended behaviour?