hyperledger / fabric-ca

https://wiki.hyperledger.org/display/fabric
Apache License 2.0
441 stars, 712 forks

When using LDAP to provide the certificates, users are always set to type "client" #378

Open sophiebella28 opened 1 year ago

sophiebella28 commented 1 year ago

I have recently been trying to configure a connection between the LDAP server that we use for storing user credentials and the fabric-ca server. In our configuration, we are using NodeOUs to determine user permissions - when not using LDAP, and registering with the ca directly, we set this using the -type flag set to one of admin, peer, client or orderer. However, it seems that when using LDAP configuration, the user is always set to a default of type client, which cannot be changed through any LDAP attributes or API calls.

This makes the LDAP configuration with the ca unusable if you want to have any sort of policies set up requiring type admin/peer/orderer, as the certificate always identifies it as type client. Here is a link to a Stack Overflow post where they had the same issue, for added context on the issue - https://stackoverflow.com/questions/63834220/set-admin-role-for-an-ldap-user-in-hyperledger-fabric-ca.

I'm pretty sure that this can easily be fixed by just editing the file fabric-ca/lib/server/ldap/client.go, specifically the getType function on line 342 - just adding an attribute lookup in LDAP for an attribute Type or something similar, and then if that value exists return it, otherwise still defaulting to client.

If there is a way to set the type of a user when getting the details from LDAP, please let me know!
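As an added example (not fabric-ca's own code, and not the reporter's), a stand-alone Go sketch of the lookup proposed above: the attribute name `fabricType`, the `Entry` type and the allow-list check are assumptions; the real `getType` would read the attribute from the go-ldap entry instead. The allow-list matters because in NodeOUs the type string directly decides whether an identity is treated as admin, so an unvalidated attribute value should not be passed through.

```go
package main

import (
	"fmt"
	"strings"
)

// The four identity types the issue lists for the -type flag; anything else is rejected.
var allowedTypes = map[string]bool{"client": true, "peer": true, "admin": true, "orderer": true}

const defaultType = "client"

// Entry is a stand-in for an LDAP entry (assumption): attribute name -> values.
type Entry map[string][]string

// getTypeFromEntry returns the identity type stored in attrName (an assumed,
// configurable attribute name). It falls back to "client" when the attribute is
// absent or empty, and errors when the value is multi-valued or not one of the
// four known types, so a stray attribute cannot silently promote an identity.
func getTypeFromEntry(e Entry, attrName string) (string, error) {
	vals, ok := e[attrName]
	if !ok || len(vals) == 0 || strings.TrimSpace(vals[0]) == "" {
		return defaultType, nil
	}
	if len(vals) > 1 {
		return "", fmt.Errorf("attribute %q has %d values; expected one", attrName, len(vals))
	}
	t := strings.ToLower(strings.TrimSpace(vals[0]))
	if !allowedTypes[t] {
		return "", fmt.Errorf("attribute %q has unsupported identity type %q", attrName, vals[0])
	}
	return t, nil
}

func main() {
	// Constructed sample entries, not data from a real directory.
	entries := []Entry{
		{"uid": {"alice"}, "fabricType": {"admin"}},
		{"uid": {"peer0"}, "fabricType": {"peer"}},
		{"uid": {"bob"}},                         // no attribute -> "client"
		{"uid": {"eve"}, "fabricType": {"root"}}, // unknown value -> error
	}
	for _, e := range entries {
		t, err := getTypeFromEntry(e, "fabricType")
		fmt.Printf("%s: type=%q err=%v\n", e["uid"][0], t, err)
	}
}
```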