Add active directory + smart card settings to gitlab.yml

Andrew Evans · balasankarc · commit aab55e28a6d6 · 2024-02-19T05:15:25.000Z
An upcoming change in GitLab will introduce two new settings in the
`ldap:` -&gt; `servers:` subsections, to allow authenticating users via
smart card against LDAP servers that are Active Directory based. The
configuration is per-server-specific, so should be placed in the same
configuration block as other LDAP settings.

This change exposes the new settings and adds defaults to omnibus. The
`smartcard_ad_cert_format` setting should default to `nil` / off, and
administrators must opt-in to the new behavior by configuring a value
for it.

Changelog: added
diff --git a/files/gitlab-config-template/gitlab.rb.template b/files/gitlab-config-template/gitlab.rb.template
@@ -521,6 +521,8 @@ external_url 'GENERATED_EXTERNAL_URL'
 #     verify_certificates: true
 #     smartcard_auth: false
 #     active_directory: true
+#     smartcard_ad_cert_field: 'altSecurityIdentities'
+#     smartcard_ad_cert_format: null # 'issuer_and_serial_number', 'issuer_and_subject' , 'principal_name'
 #     allow_username_or_email_login: false
 #     lowercase_usernames: false
 #     block_auto_created_users: false
@@ -542,6 +544,8 @@ external_url 'GENERATED_EXTERNAL_URL'
 #     verify_certificates: true
 #     smartcard_auth: false
 #     active_directory: true
+#     smartcard_ad_cert_field: 'altSecurityIdentities'
+#     smartcard_ad_cert_format: null # 'issuer_and_serial_number', 'issuer_and_subject' , 'principal_name'
 #     allow_username_or_email_login: false
 #     lowercase_usernames: false
 #     block_auto_created_users: false
diff --git a/files/gitlab-cookbooks/gitlab/attributes/default.rb b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -301,6 +301,8 @@
 default['gitlab']['gitlab_rails']['ldap_sync_ssh_keys'] = nil
 default['gitlab']['gitlab_rails']['ldap_sync_time'] = nil
 default['gitlab']['gitlab_rails']['ldap_active_directory'] = nil
+default['gitlab']['gitlab_rails']['ldap_smartcard_ad_cert_field'] = nil
+default['gitlab']['gitlab_rails']['ldap_smartcard_ad_cert_format'] = nil
 ####
 
 default['gitlab']['gitlab_rails']['smartcard_enabled'] = false
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb b/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
@@ -791,6 +791,8 @@ production: &base
     ## EE only
     group_base: <%= quote(@ldap_group_base) %>
     admin_group: <%= quote(@ldap_admin_group) %>
+    smartcard_ad_cert_field: <%= quote(@ldap_smartcard_ad_cert_field) %>
+    smartcard_ad_cert_format: <%= quote(@ldap_smartcard_ad_cert_format) %>
     sync_ssh_keys: <%= quote(@ldap_sync_ssh_keys) %>
     sync_time: <%= @ldap_sync_time %>
   <% end %>
diff --git a/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/ldap_spec.rb b/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/ldap_spec.rb
@@ -20,6 +20,8 @@
           password: nil,
           port: nil,
           prevent_ldap_sign_in: false,
+          smartcard_ad_cert_field: nil,
+          smartcard_ad_cert_format: nil,
           sync_ssh_keys: nil,
           sync_time: nil,
           uid: nil,
@@ -55,7 +57,10 @@
                   encryption: 'plain',
                   bind_dn: 'dc=example,dc=com',
                   password: 's3cr3t',
+                  active_directory: true,
                   smartcard_auth: 'required',
+                  smartcard_ad_cert_field: 'extendedAttribute1',
+                  smartcard_ad_cert_format: 'rfc822_name',
                   base: '',
                   user_filter: '',
                 }
@@ -87,7 +92,10 @@
                 encryption: 'plain',
                 bind_dn: 'dc=example,dc=com',
                 password: 's3cr3t',
+                active_directory: true,
                 smartcard_auth: 'required',
+                smartcard_ad_cert_field: 'extendedAttribute1',
+                smartcard_ad_cert_format: 'rfc822_name',
                 base: '',
                 user_filter: '',
               }
@@ -113,6 +121,8 @@
               ldap_method: 'plain',
               ldap_bind_dn: 'foobar',
               ldap_active_directory: 'asdf',
+              ldap_smartcard_ad_cert_field: 'extendedAttribute2',
+              ldap_smartcard_ad_cert_format: 'subject',
               ldap_allow_username_or_email_login: false,
               ldap_lowercase_usernames: true,
               ldap_group_base: 'dc-example.com',
@@ -127,6 +137,8 @@
           expected_output = {
             enabled: true,
             prevent_ldap_sign_in: false,
+            smartcard_ad_cert_field: 'extendedAttribute2',
+            smartcard_ad_cert_format: 'subject',
             sync_time: 10,
             host: 'primary.ldap',
             port: 389,
