I have a Hyperledger Fabric Blockchain using V1.4, I am connected through LDAP to my organization's Active Directory and I want to be able to change the roles of my users from my AD.
Basically I need two roles: user and admin, a user can run contracts and an admin can install and upgrade contracts.
So what I'm trying to do is to add a converter in my ldap configuration on fabric-ca-server-config.yaml and a map that changes my "memberOf" AD property to hf.Registrar.Roles, like this:

    ldap:
      url: ldap://CN=USER,DC=ORG1,DC=com:password@ldapserver:389/DC=ORG1,DC=com
      userfilter: (userPrincipalName=%s)
      attribute:
        names: ['userPrincipalName','memberOf']
        converters:
          - name: hf.Revoker
            value: attr("userPrincipalName") =~ "revoker*"
          - name: hf.Registrar.Roles
            value: map(attr("memberOf"),"roles")
        maps:
          roles:
            - name: CN=BC-CLIENT,DC=ORG1,DC=com
              value: client
            - name: CN=BC-USER,DC=ORG1,DC=com
              value: user
            - name: CN=BC-ADMIN,DC=ORG1,DC=com
              value: admin
            - name: CN=BC-PEER,DC=ORG1,DC=com
              value: peer
            - name: CN=BC-ORDERER,DC=ORG1,DC=com
              value: orderer
So far, so good, I'm able to enroll a user using nodejs like this:
    // fabric-ca-client and fabric-network (SDK 1.4)
    const FabricCAServices = require('fabric-ca-client');
    const { X509WalletMixin } = require('fabric-network');

    // Connect to the CA (TLS verification disabled in this setup)
    const ca = new FabricCAServices(caInfo.url, { trustedRoots: caTLSCACerts, verify: false }, caInfo.caName);

    // Enroll against the LDAP-backed CA with the AD credentials
    const enrollment = await ca.enroll({
      enrollmentID: adminId,
      enrollmentSecret: adminSecret,
    });

    // Store the issued certificate and private key in the wallet
    const identity = X509WalletMixin.createIdentity('Org1MSP', enrollment.certificate, enrollment.key.toBytes());
    await wallet.import(adminId, identity);
With this user I can query and invoke contracts but when I try to install a contract I get the following error:
    install proposal was bad Error: access denied for [install]: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [The identity is not an admin under this MSP [Org1MSP]: The identity does not contain OU [ADMIN], MSP: [Org1MSP]],
    Error: access denied for [install]: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [The identity is not an admin under this MSP [Org1MSP]: The identity does not contain OU [ADMIN], MSP: [Org1MSP]]
I can see that the mapping is working well in the CA logs, but then I guess hf.Registrar.Roles is not the property that I need.
How can I accomplish this?
I added an OU property to the converters like this:

    ldap:
      attribute:
        converters:
          - name: OU
            value: map(attr("memberOf"),"roles")

I can see that the conversion is getting done in the CA:

    Evaluating expression for attribute 'OU' from LDAP user 'user@company.com'
    Values for LDAP attribute 'memberOf' are '[CN=BC-CLIENT,DC=ORG1,DC=com CN=BC-USER,DC=ORG1,DC=com CN=BC-ADMIN,DC=ORG1,DC=com]'
    Evaluated expression for attribute 'OU'; parms: map[CN=USER,DC=ORG1,DC=com affiliation:[]]; result: client,admin,user
But I'm still getting the same error, so can't I map LDAP attributes to the certificate?

Also, here are my NodeOUs:

    NodeOUs:
      Enable: true
      ClientOUIdentifier:
        Certificate: cacerts/ca.org1.example.com-cert.pem
        OrganizationalUnitIdentifier: client
      PeerOUIdentifier:
        Certificate: cacerts/ca.org1.example.com-cert.pem
        OrganizationalUnitIdentifier: peer
      AdminOUIdentifier:
        Certificate: cacerts/ca.org1.example.com-cert.pem
        OrganizationalUnitIdentifier: admin
      OrdererOUIdentifier:
        Certificate: cacerts/ca.org1.example.com-cert.pem
        OrganizationalUnitIdentifier: orderer
Thanks to Yacov's help, I found out that the certificate created from LDAP always gets the client OU and you can't change it, but it also has the OUs of the user from LDAP, so you could change the NodeOUs values and map them to your organization's OUs. For me that won't work, as I can only change the memberOf of my users, not the OUs.