GitLab smartcard authentication

Some system information: RHEL 8.6 (FIPS, hardened) GitLab 15.6.0-ee.

Using GitLab EE (Activated), and I am looking for more information on how to implement SC auth on our installation. GitLab doesn’t really go into too much detail on how to implement local X.509 databases in their documentation. We are not really interested in implementing an LDAP server; is this possible? Here are some issues I feel like I may not understand fully; let each question be asked while knowing there is no LDAP server present:

  1. Out of the box with Omnibus, we set smartcard auth to enabled, without SAN extensions. However, when we pass an authentication request to the server, we get an error signing in. Is there a specific way we need to set up a user account for authentication information to match to a user from the smartcard? (e.g. add something from the cert to the username field?) We do not want user accounts to just be made when smartcards are used, so registrations are disabled. Also, with registration enabled, it still does not work.

  2. GitLab states that:
    “To use a smartcard with an X.509 certificate to authenticate against a local database with GitLab, CN and emailAddress must be defined in the certificate”

Does this mean that the emailAddress and CN must exist in the Subject area of the cert? We have an email address in the SAN portion of our certs. Also, I am unsure what they mean by "local X.509 database". Is this like a MongoDB or something that we must set up?

  3. We have a valid TLS certificate issued by our local CA (full chain/key in PEM), and we have loaded our organization's root and intermediate certs on our system and updated our CA store. We point our GitLab installation to /etc/pki/ca-trust/extracted/pem/tls-bundle.pem in our Omnibus rb for CAs. Also, we made a symbolic link in /etc/gitlab/trusted-certs to the same file. Would this be sufficient to allow GitLab to utilize our CAs?

anyone?

Where can I go to get support for these types of issues?

Hi,

This is a community forum, so people help out pretty much with the areas they are comfortable in and have experience in. Sadly, it seems there isn’t anyone visiting that has experience in smartcard configuration with GitLab.

That leaves you with the option of purchasing a Premium GitLab subscription to then be able to open a support ticket with GitLab to get assistance with your problem (which would normally be opened here: https://support.gitlab.com/hc/en-us/requests/new). Obviously, if you open a ticket there and don’t have GitLab Premium or higher, then you won’t get a response.

Otherwise, it’s just a case of following the documentation and trying to figure it out: Smartcard authentication | GitLab

The local database is the users registered within GitLab itself, not using an external user source like Active Directory/LDAP or OAuth2 or some other method perhaps. The documentation does explain what information should be in the certificate being used, so CN and emailAddress. You can do it with or without the SAN extension, according to the documentation.

Hope you figure it out and get it working, good luck. Unfortunately, I cannot help any more than that.
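An added check (not from this thread, GitLab, or its documentation) for the CN/emailAddress requirement discussed above: it reads a PEM certificate with the openssl CLI, reports whether CN and emailAddress sit in the Subject as opposed to only an email in the SAN, and verifies the cert against a CA bundle such as the tls-bundle.pem path from the question. It assumes only that openssl 1.1.1 or newer is installed; certificate paths are arguments you supply.

```shell
#!/bin/sh
# Inspect a PEM client certificate for the identity fields GitLab's
# smartcard login against its local user database expects (CN and
# emailAddress in the Subject), and check it chains to a CA bundle.

cert_subject_field() {
    # Print the value of one Subject attribute ($2, e.g. CN or emailAddress)
    # from the PEM certificate $1; prints nothing if the attribute is absent.
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253,sep_multiline \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

cert_san_email() {
    # First email: entry in the certificate's Subject Alternative Name, if any.
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*email:\([^, ]*\).*/\1/p' | head -n 1
}

check_gitlab_smartcard_cert() {
    # Summarise where the identity fields live and return 0 only when both
    # Subject fields named in the GitLab docs (CN and emailAddress) exist.
    # An email that appears only in the SAN does not satisfy that requirement.
    cn=$(cert_subject_field "$1" CN)
    subject_email=$(cert_subject_field "$1" emailAddress)
    san_email=$(cert_san_email "$1")
    echo "cn=${cn:-MISSING} subject_email=${subject_email:-MISSING} san_email=${san_email:-none}"
    [ -n "$cn" ] && [ -n "$subject_email" ]
}

verify_against_bundle() {
    # Return 0 when certificate $1 chains to a CA in bundle $2
    # (e.g. /etc/pki/ca-trust/extracted/pem/tls-bundle.pem from the question).
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Run `check_gitlab_smartcard_cert user.pem` on the certificate exported from the smartcard; a non-zero exit with `subject_email=MISSING` means the email lives only in the SAN, which is exactly the situation the question describes.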