I have a Hyperledger Fabric Blockchain using V1.4, I am connected through LDAP to my organization's Active Directory and I want to be able to change the roles of my users from my AD.
Basically I need two roles: user and admin, a user can run contracts and an admin can install and upgrade contracts.
So what I'm trying to do its to add a converter in my ldap configuration on fabric-ca-server-config.yaml and a map that changes my "memberOf" AD property to hf.Registrar.Roles like this:
ldap:
url: ldap://CN=USER,DC=ORG1,DC=com:password#ldapserver:389/DC=ORG1,DC=com
userfilter: (userPrincipalName=%s)
attribute:
names: ['userPrincipalName','memberOf']
converters:
- name: hf.Revoker
value: attr("userPrincipalName") =~ "revoker*"
- name: hf.Registrar.Roles
value: map(attr("memberOf"),"roles")
maps:
roles:
- name: CN=BC-CLIENT,DC=ORG1,DC=com
value: client
- name: CN=BC-USER,DC=ORG1,DC=com
value: user
- name: CN=BC-ADMIN,DC=ORG1,DC=com
value: admin
- name: CN=BC-PEER,DC=ORG1,DC=com
value: peer
- name: CN=BC-ORDERER,DC=ORG1,DC=com
value: orderer
So far, so good, I'm able to enroll a user using nodejs like this:
const ca = new FabricCAServices(caInfo.url, { trustedRoots: caTLSCACerts, verify: false }, caInfo.caName);
const enrollment = await ca.enroll({
enrollmentID: adminId,
enrollmentSecret: adminSecret,
});
const identity = X509WalletMixin.createIdentity('Org1MSP', enrollment.certificate, enrollment.key.toBytes());
await wallet.import(adminId, identity);
With this user I can query and invoke contracts but when I try to install a contract I get the following error:
install proposal was bad Error: access denied for [install]: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [The identity is not an admin under this MSP [Org1MSP]: The identity does not contain OU [ADMIN], MSP: [Org1MSP]],Error: access denied for [install]: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [The identity is not an admin under this MSP [Org1MSP]: The identity does not contain OU [ADMIN], MSP: [Org1MSP]]
I can see that the mapping its working well in the CA logs, but then I guess hf.Registrar.Roles its not the property that I need.
How can I accomplish this?
Thanks
UPDATE:
I added an OU property to the converters like this:
ldap:
attribute:
converters:
- name: OU
value: map(attr("memberOf"),"roles")
I can see that the conversion its getting done in the CA.
Evaluating expression for attribute 'OU' from LDAP user 'user#company.com'
Values for LDAP attribute 'memberOf' are '[CN=BC-CLIENT,DC=ORG1,DC=com CN=BC-USER,DC=ORG1,DC=com CN=BC-ADMIN,DC=ORG1,DC=com]'
Evaluated expression for attribute 'OU'; parms: map[CN=USER,DC=ORG1,DC=com affiliation:[]]; result: client,admin,user
But I'm still getting the same error, so can't I map ldap attributes to the certificate?
Also here are my NodeOUs
NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: cacerts/ca.org1.example.com-cert.pem
OrganizationalUnitIdentifier: client
PeerOUIdentifier:
Certificate: cacerts/ca.org1.example.com-cert.pem
OrganizationalUnitIdentifier: peer
AdminOUIdentifier:
Certificate: cacerts/ca.org1.example.com-cert.pem
OrganizationalUnitIdentifier: admin
OrdererOUIdentifier:
Certificate: cacerts/ca.org1.example.com-cert.pem
OrganizationalUnitIdentifier: orderer
Thanks
SUMMARY
Thanks to Yacov help I found out that the certificate created from LDAP always gets the client OU, and you can't change it, but it also has the OUs from the user from LDAP so you could change the NodeOUs values and map them to your organization's OU, for me that wont work as I can only change the memberOf of my users not the OUs.
Thanks!
The certificate needs to have the OU that defines the admin. Look at the config.yaml in your MSP folder (in the peer - MSPCONFIGPATH) and see what OU defines the administrator.
You can also try to put the certificate that you use in the admincerts folder of the MSP of the peer, it should also make it an admin.
Related
To simulate the MSP and certificate expiry of nodes [orderer & peer], I updated the expiry time to 1h (the default is 8760h which is 1 year in hours) in the fabric-ca-server-config.yaml file. I am not sure, if this is the correct way to do it?
Please feel free to correct me
Hyperledger Fabric v2.3 and Fabric CA v.1.5.0
fabric-ca-server-config.yaml: Org1 - the Org1 Fabric CA server is using this config
signing:
default:
usage:
- digital signature
expiry: 1h
profiles:
ca:
usage:
- cert sign
- crl sign
expiry: 43800h
caconstraint:
isca: true
maxpathlen: 0
tls:
usage:
- signing
- key encipherment
- server auth
- client auth
- key agreement
expiry: 1h
Right before the expiry time, I successfully (did not get any error) reenrolled the MSP and TLS certs of all using the fabric-ca-client reenroll command along with --csr.keyrequest.reusekey. More info on the command usage can be found here
I checked the logs in all the nodes and the peer nodes were spitting logs as:
2021-07-27 13:51:11.747 UTC [core.comm] ServerHandshake -> ERRO 0e9 Server TLS handshake failed in 1.807206ms with error remote error: tls: bad certificate server=PeerServer remoteaddress=172.26.0.9:49338
Also, I was not able to transact on the network, which is obvious because of the above error. I believe this affects the MSP and TLS certs generated for the organization admin and user as well.
Could anyone be kind enough to shed some lights on the
fabric-ca-server-config.yaml and how to reenroll or re-issue the
certificates so the fabric-network can function normally?
After the certificates are expired already, the reenroll command is giving error - not a valid certificate. The certificate which is referred in the --tls.certfiles flag is the root CA tls certificate. The root tls certificate of the CA should not expire??
setting up the MSP manager failed: administrators must be declared when no admin ou classification is set.
CA Server seems fine. I register and enroll caadmin, orgadmin, ordereradmin. I create the genesis.block with orgadmin. orgadmin has admin in OU. orderer has OU=orderer.
It seems to use the config.yaml, as it gives a WARN on Failed loading ClientOU certificate. (Just a warning and not required, per the docs).
But even though I set the AdminOUIdentifier:
# Certificate: "cacerts/cacert.pem"
OrganizationalUnitIdentifier: "admin"
and the OrgAdmin has OU=admin in the subject, it errors and says no admin ou is set.
What am I missing?
The OU definition needs to be set like you are doing using config.yaml file. You need to define the OUs for every MSP in your channel, before creating the network. Then you start the network, such that the local MSPs (the MSP configurations of nodes: peers and orderers) also get this config.yaml in their MSP directories respectively.
This way, the NodeOUs will be enabled in the channel and the local MSPs of the nodes will also respect the same configuration.
If the NodeOUs are not set, then while creating the node containers, in the MSP directory that you mount inside the respective nodes, must have an admincerts sub-folder which will contain the certificate issued by the CA of that organization (or at least is a valid certificate in the chain of trust for that organization's MSP).
NOTE: If admincerts have been configured, i.e. the NodeOUs are disabled, then the Hyperledger Fabric network, will recognize only the identity of that organization holding the certificate present in the admincerts directory as the admin of that organization.
I have successfully created a network by generating certificates using Fabric Ca server and Ca client binaries. But i am only able to use following policies in the configtx.yaml.
Readers:
Type: Signature
Rule: "OR('abcMSP.member')"
Writers:
Type: Signature
Rule: "OR('abcMSP.member')"
Admins:
Type: Signature
Rule: "OR('abcMSP.member')"
But i want to use nodeous like below.
Readers:
Type: Signature
Rule: "OR('abcMsp.admin', 'abcMsp.peer', 'abcMsp.client')"
Writers:
Type: Signature
Rule: "OR('abcMsp.admin', 'abcMsp.client')"
Admins:
Type: Signature
Rule: "OR('abcMsp.admin','abcMsp.client')"
Below is what i have added to the msp folder in the config.yaml.
NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: "cacerts/ca.pem"
OrganizationalUnitIdentifier: "client"
PeerOUIdentifier:
Certificate: "cacerts/ca.pem"
OrganizationalUnitIdentifier: "peer"
AdminOUIdentifier:
Certificate: "cacerts/ca.pem"
OrganizationalUnitIdentifier: "admin"
Which generate following error raft ordering service server throws.
Failed validating bootstrap block: initializing channelconfig failed: could not create
channel Consortiums sub-group config: setting up the MSP manager failed: admin 0 is invalid:
The identity is not valid under this MSP [abcMSP]: could not validate identity's OUs: the
identity must be a client or a peer identity to be valid, not a combination of them. OUs:
Your admin has OU=client and OU=peer at the same time in its certificate (or something similar) when it must have only OU=admin. Take into account that affiliations and departments are also included in the OUs, so I bet you have some affiliation or department called client or peer. If that's the case, change affiliation or department names and redeploy.
And, when registering your admin in the CA, remember to specify type admin, not client:
fabric-ca-client register -d --id.name $ORG_ADMIN --id.secret $ORG_ADMIN_PASSWORD --id.type admin --id.affiliation $ORG_AFFILIATION
EDIT: Looking at your admin certificate, its OUs do not include the required role (you specified type user when registering). Register and enroll your identities suitably: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#fabric-ca-client
You have to pass OU as either admin, peer, client or orderer to your certificates while enrolling them with Fabric-CA. Then only the certificate will be valid for doing particular operations using those certificates. Here is an example for generating admin certificate:
fabric-ca-client enroll --caname ca.example.com --csr.names C=SG,ST=Singapore,L=Singapore,O=$ORG_NAME,OU=admin -m admin -u http://admin:adminpw#localhost:$PORT
I run the sample from Hyperledger Fabric for registering Users from a Fabric CA using NodeJS SDK.
The user is successfully registered, however I notice that the Roles, the Affiliation and the enrollmentSecret are all empty eventhough when it is registered, the fabric CA can notice the values of the roles, affiliation and the secret.
After that, when looking at the file hfc_key_store folder for the user, it doesn't record the Role, secret and Affiliation.
Once the user is registerred, how can I retrieve all the information, especially the secret?
Thanks a lot.
The register method returns the secret value:
const secret = await ca.register({
affiliation: 'org1.department1',
enrollmentID: 'user',
enrollmentSecret: 'pas123',
role: 'client'
}, adminIdentity);
In this case, the variable will be equal to "pass123
I get this error when I am starting an orderer.
Failed to initialize local MSP: admin 0 is invalid: could not obtain certification chain: An X509 certificate with Basic Constraint: Certificate Authority equals true cannot be used as an identity
How can I resolve this?
I have the orderer running on a separate node from where I have generated the admin certs.
Possible this means that the admin certs on the orderer are invalid, or doesn't exist. For me it was expected to be in the following folder: [orderer org]/msp/admincerts/cert.pem but was not.
Ensure that admin certs generated for your orderer are correct, whether they are generated by cryptogen or with fabric-ca.