Commit 8c7b06ce authored by Evan Read

Merge branch 'docs-10526-smartcard_support_different_hostname' into 'master'

Doc for making hostname configurable for smartcard authentication

See merge request gitlab-org/gitlab!27000
parents 36c6c71f 7bc285d5
...@@ -49,7 +49,7 @@ Certificate: ...@@ -49,7 +49,7 @@ Certificate:
Subject: CN=Gitlab User, emailAddress=gitlab-user@example.com Subject: CN=Gitlab User, emailAddress=gitlab-user@example.com
``` ```
### Authentication against a local database with X.509 certificates and SAN extensions **(PREMIUM ONLY)** ### Authentication against a local database with X.509 certificates and SAN extension
> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/8605) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.3. > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/8605) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.3.
...@@ -135,6 +135,12 @@ attribute. As a prerequisite, you must use an LDAP server that: ...@@ -135,6 +135,12 @@ attribute. As a prerequisite, you must use an LDAP server that:
listen *:3444 ssl; listen *:3444 ssl;
``` ```
- It can also be configured to run on a different hostname:
```plaintext
listen smartcard.example.com:443 ssl;
```
- The additional NGINX server context must be configured to require the client - The additional NGINX server context must be configured to require the client
side certificate: side certificate:
...@@ -156,7 +162,7 @@ attribute. As a prerequisite, you must use an LDAP server that: ...@@ -156,7 +162,7 @@ attribute. As a prerequisite, you must use an LDAP server that:
```plaintext ```plaintext
server { server {
listen *:3444 ssl; listen smartcard.example.com:3443 ssl;
# certificate for configuring SSL # certificate for configuring SSL
ssl_certificate /path/to/example.com.crt; ssl_certificate /path/to/example.com.crt;
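Review bot: In the `listen` line of the server block the port changes from 3444 to 3443 along with the hostname, but the unchanged bullet earlier in the section still reads `listen *:3444 ssl;`, so the two examples no longer agree and a copy-paste of both leaves GitLab redirecting to a port NGINX is not serving. Keep the port the same and change only the host, or update the earlier example too. The unchanged `ssl_certificate /path/to/example.com.crt;` line also deserves a comment that the certificate must cover `smartcard.example.com` once a separate hostname is used.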
...@@ -195,10 +201,16 @@ attribute. As a prerequisite, you must use an LDAP server that: ...@@ -195,10 +201,16 @@ attribute. As a prerequisite, you must use an LDAP server that:
# Path to a file containing a CA certificate # Path to a file containing a CA certificate
ca_file: '/etc/ssl/certs/CA.pem' ca_file: '/etc/ssl/certs/CA.pem'
# Port where the client side certificate is requested by NGINX # Host and port where the client side certificate is requested by the
client_certificate_required_port: 3444 # webserver (NGINX/Apache)
client_certificate_required_host: smartcard.example.com
client_certificate_required_port: 3443
``` ```
NOTE: **Note**
Assign a value to at least one of the following variables:
`client_certificate_required_host` or `client_certificate_required_port`.
1. Save the file and [restart](../restart_gitlab.md#installations-from-source) 1. Save the file and [restart](../restart_gitlab.md#installations-from-source)
GitLab for the changes to take effect. GitLab for the changes to take effect.
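Review bot: The note added after the `gitlab.yml` example says to set at least one of `client_certificate_required_host` or `client_certificate_required_port`, but it does not say what GitLab uses for the setting that is left out. Please document the fallback for each case (host set without port, port set without host), since that determines the URL users are sent to for the certificate prompt. The new comment also names "NGINX/Apache" while the section only shows NGINX configuration; either drop Apache from the comment or point to where the Apache equivalent is described.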
......