I have a Hyperledger Fabric Blockchain using V1.4, I am connected through LDAP to my organization's Active Directory and I want to be able to change the roles of my users from my AD.
Basically I need two roles: user and admin, a user can run contracts and an admin can install and upgrade contracts.
So what I'm trying to do is to add a converter in my LDAP configuration in fabric-ca-server-config.yaml and a map that changes my "memberOf" AD property to hf.Registrar.Roles, like this:
ldap:
  url: ldap://CN=USER,DC=ORG1,DC=com:password@ldapserver:389/DC=ORG1,DC=com
  userfilter: (userPrincipalName=%s)
  attribute:
    names: ['userPrincipalName','memberOf']
    converters:
      - name: hf.Revoker
        value: attr("userPrincipalName") =~ "revoker*"
      - name: hf.Registrar.Roles
        value: map(attr("memberOf"),"roles")
    maps:
      roles:
        - name: CN=BC-CLIENT,DC=ORG1,DC=com
          value: client
        - name: CN=BC-USER,DC=ORG1,DC=com
          value: user
        - name: CN=BC-ADMIN,DC=ORG1,DC=com
          value: admin
        - name: CN=BC-PEER,DC=ORG1,DC=com
          value: peer
        - name: CN=BC-ORDERER,DC=ORG1,DC=com
          value: orderer
So far, so good, I'm able to enroll a user using nodejs like this:
const FabricCAServices = require('fabric-ca-client');
const { X509WalletMixin } = require('fabric-network');
// caInfo, caTLSCACerts, adminId, adminSecret and wallet are set up earlier
// (connection profile and a FileSystemWallet); they are not shown here.
const ca = new FabricCAServices(caInfo.url, { trustedRoots: caTLSCACerts, verify: false }, caInfo.caName);
// Enroll against the LDAP-backed CA; the returned X.509 certificate carries
// whatever OUs the CA put in its subject.
const enrollment = await ca.enroll({
  enrollmentID: adminId,
  enrollmentSecret: adminSecret,
});
const identity = X509WalletMixin.createIdentity('Org1MSP', enrollment.certificate, enrollment.key.toBytes());
await wallet.import(adminId, identity);
With this user I can query and invoke contracts but when I try to install a contract I get the following error:
install proposal was bad Error: access denied for [install]: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [The identity is not an admin under this MSP [Org1MSP]: The identity does not contain OU [ADMIN], MSP: [Org1MSP]],Error: access denied for [install]: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [The identity is not an admin under this MSP [Org1MSP]: The identity does not contain OU [ADMIN], MSP: [Org1MSP]]
I can see that the mapping is working well in the CA logs, but then I guess hf.Registrar.Roles is not the property that I need.
How can I accomplish this?
Thanks
UPDATE:
I added an OU property to the converters like this:
ldap:
  attribute:
    converters:
      - name: OU
        value: map(attr("memberOf"),"roles")
I can see that the conversion is getting done in the CA:
Evaluating expression for attribute 'OU' from LDAP user 'user@company.com'
Values for LDAP attribute 'memberOf' are '[CN=BC-CLIENT,DC=ORG1,DC=com CN=BC-USER,DC=ORG1,DC=com CN=BC-ADMIN,DC=ORG1,DC=com]'
Evaluated expression for attribute 'OU'; parms: map[CN=USER,DC=ORG1,DC=com affiliation:[]]; result: client,admin,user
But I'm still getting the same error, so can't I map LDAP attributes to the certificate?
Also, here are my NodeOUs:
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca.org1.example.com-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca.org1.example.com-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/ca.org1.example.com-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/ca.org1.example.com-cert.pem
    OrganizationalUnitIdentifier: orderer
Thanks
SUMMARY
Thanks to Yacov's help I found out that the certificate created from LDAP always gets the client OU, and you can't change it, but it also has the OUs of the user from LDAP, so you could change the NodeOUs values and map them to your organization's OUs. For me that won't work, as I can only change the memberOf of my users, not the OUs.
Thanks!
The certificate needs to have the OU that defines the admin. Look at the config.yaml in your MSP folder (in the peer - MSPCONFIGPATH) and see what OU defines the administrator.
You can also try to put the certificate that you use in the admincerts folder of the MSP of the peer, it should also make it an admin.
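A diagnostic for the point this answer makes, added here and not part of the question or the answer: given the OU values in an enrollment certificate's subject and the NodeOUs block from the question, it reports how the MSP classifies the identity, following the rule Fabric's MSP applies when NodeOUs with an AdminOUIdentifier are enabled (exactly one of the client/peer/admin/orderer OUs, compared case-sensitively). The subject strings are constructed, and `subjectOUs` assumes the one-attribute-per-line format that Node's `crypto.X509Certificate` returns for `.subject`.

```javascript
// Added diagnostic, not code from the question or the answer.
// NodeOUs values as given in the question's config.yaml for Org1MSP.
const nodeOUs = {
  Enable: true,
  ClientOUIdentifier: { OrganizationalUnitIdentifier: 'client' },
  PeerOUIdentifier: { OrganizationalUnitIdentifier: 'peer' },
  AdminOUIdentifier: { OrganizationalUnitIdentifier: 'admin' },
  OrdererOUIdentifier: { OrganizationalUnitIdentifier: 'orderer' },
};

// Collect OU values from a subject in the form Node's X509Certificate#subject
// uses (one "attr=value" per line). Assumption: no multi-line values.
function subjectOUs(subject) {
  return subject
    .split(/\r?\n/)
    .filter((line) => line.startsWith('OU='))
    .map((line) => line.slice('OU='.length));
}

// Classify an identity the way the MSP does with NodeOUs enabled.
// Returns { role, reason }: role is one of client/peer/admin/orderer when the
// certificate is accepted, otherwise null with the rejection reason.
function classifyIdentity(ous, cfg) {
  if (!cfg.Enable) {
    return { role: null, reason: 'NodeOUs disabled; admin status comes from the admincerts folder only' };
  }
  // The match is exact and case-sensitive: "Admin" or "ADMIN" never matches "admin".
  const roleByOU = new Map(
    [['ClientOUIdentifier', 'client'], ['PeerOUIdentifier', 'peer'],
     ['AdminOUIdentifier', 'admin'], ['OrdererOUIdentifier', 'orderer']]
      .filter(([key]) => cfg[key])
      .map(([key, role]) => [cfg[key].OrganizationalUnitIdentifier, role]),
  );
  const roles = ous.filter((ou) => roleByOU.has(ou)).map((ou) => roleByOU.get(ou));
  if (roles.length === 0) return { role: null, reason: `no NodeOU found in [${ous.join(', ')}]` };
  if (roles.length > 1) return { role: null, reason: `must be exactly one role, got [${roles.join(', ')}]` };
  return { role: roles[0], reason: null };
}

// Constructed subjects: the first is what an LDAP-enrolled user gets (OU=client),
// which is why the [Admins] policy check fails; the second carries two role OUs.
const ldapEnrolled = 'CN=user@company.com\nOU=client\nO=Org1';
const twoRoles = 'CN=user@company.com\nOU=client\nOU=admin\nO=Org1';
console.log(classifyIdentity(subjectOUs(ldapEnrolled), nodeOUs)); // { role: 'client', reason: null }
console.log(classifyIdentity(subjectOUs(twoRoles), nodeOUs));     // role: null, two roles present
```

To check a real wallet entry, feed `new crypto.X509Certificate(enrollment.certificate).subject` into `subjectOUs` and compare the result against the peer's own config.yaml rather than the CA's.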