Some system information: RHEL 8.6 (FIPS, hardened) GitLab 15.6.0-ee.
Using GitLab EE (Activated), and I am looking for more information on how to implement SC auth on our installation. GitLab doesn’t really go into too much detail on how to implement local X.509 databases in their documentation. We are not really interested in implementing an LDAP server; is this possible? Here are some issues I feel like I may not understand fully. Let each question be asked while knowing there is no LDAP server present:
- Out of the box with Omnibus, we set smartcard auth to enabled, without SAN extensions. However, when we pass an authentication request to the server, we get an error signing in. Is there a specific way we need to set up a user account for authentication information to match to a user from the smartcard? (e.g. add something from the cert to the username field?) We do not want user accounts to just be made when smartcards are used, so registrations are disabled. Also, with registration enabled, it still does not work.
- GitLab states that:
  “To use a smartcard with an X.509 certificate to authenticate against a local database with GitLab, CN and emailAddress must be defined in the certificate”
  Does this mean that the emailAddress and CN must exist in the Subject area of the cert? We have an email address in the SAN portion of our certs. Also, I am unsure of what they mean by local X.509 database? Is this like a mongodb or something that we must set up?
- We have a valid TLS certificate issued by our local CA (full chain/key in PEM), and we have loaded our organization’s root and intermediate certs on our system and updated our CA store. We point our GitLab installation to /etc/pki/ca-trust/extracted/pem/tls-bundle.pem in our Omnibus rb for CAs. Also, we made a symbolic link in /etc/gitlab/trusted-certs to the same file. Would this be sufficient to allow GitLab to utilize our CAs?
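Before chasing GitLab's user matching, it is worth confirming what the smartcard certificate actually carries and that it chains to the bundle GitLab is given. The shell script below is an added example written for this thread, not code from the post or from GitLab. It assumes the `openssl` CLI is present, and it constructs its own throwaway self-signed certificates for a dry run; in real use you would pass the smartcard's client certificate and the same CA bundle you configure as `gitlab_rails['smartcard_ca_file']` in gitlab.rb. The optional `san` mode mirrors GitLab's SAN-extensions setting by additionally requiring an `email:` entry in subjectAltName, while the default mode checks only for CN and emailAddress in the Subject, which is what the quoted documentation sentence asks for.

```shell
#!/bin/sh
# Added example (not from the forum post or from GitLab): pre-flight checks for a
# smartcard client certificate before handing it to GitLab. Assumes the openssl CLI.
#
# check_smartcard_cert CERT.pem CA_BUNDLE.pem [san]
#   - verifies CERT chains to CA_BUNDLE (the file given to gitlab_rails['smartcard_ca_file']);
#   - requires CN and emailAddress in the Subject (the "local database" requirement);
#   - with "san": additionally requires an email: entry in subjectAltName.
# Prints one line per check and returns 0 only when every check passes.
check_smartcard_cert() {
    cert=$1; ca=$2; mode=${3:-subject}
    rc=0
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok   chain verifies against $ca"
    else
        echo "FAIL chain does not verify against $ca"; rc=1
    fi
    # compat format prints the DN as /CN=.../emailAddress=..., with no spaces around '='
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt compat 2>/dev/null)
    case $subject in
        */CN=*) echo "ok   Subject has CN" ;;
        *)      echo "FAIL Subject lacks CN"; rc=1 ;;
    esac
    case $subject in
        */emailAddress=*) echo "ok   Subject has emailAddress" ;;
        *)                echo "FAIL Subject lacks emailAddress"; rc=1 ;;
    esac
    if [ "$mode" = san ]; then
        if openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'email:'; then
            echo "ok   SAN has an email entry"
        else
            echo "FAIL SAN has no email entry"; rc=1
        fi
    fi
    return $rc
}

# Constructed sample certificates for a dry run (not real organisational certs).
# make_sample_certs DIR writes good.pem (CN + emailAddress in Subject, email in SAN)
# and nocn.pem (emailAddress only). Both are self-signed, so each is its own CA bundle.
make_sample_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/good.key" -out "$dir/good.pem" \
        -subj "/CN=Jane Doe/emailAddress=jane@example.com" \
        -addext "subjectAltName=email:jane@example.com" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/nocn.key" -out "$dir/nocn.pem" \
        -subj "/emailAddress=jane@example.com" >/dev/null 2>&1
}

# Dry run on the constructed certificates: ./check.sh demo
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample_certs "$tmp"
    echo "== good.pem (san mode)"; check_smartcard_cert "$tmp/good.pem" "$tmp/good.pem" san
    echo "== nocn.pem";            check_smartcard_cert "$tmp/nocn.pem" "$tmp/nocn.pem"
    rm -rf "$tmp"
fi
```

For the real installation, source the script and run `check_smartcard_cert /path/to/smartcard-client.pem /etc/pki/ca-trust/extracted/pem/tls-bundle.pem` (add `san` if SAN extensions are enabled in gitlab.rb). A failing chain check means the bundle GitLab is pointed at does not contain the issuing CA, and a failing Subject check means the certificate cannot satisfy the CN/emailAddress requirement regardless of how the user account is set up.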