Hyperledger Fabric with LDAP integration — part 1
Hyperledger Fabric CA is the Certificate Authority component of Hyperledger Fabric. It provides identity registration, issuance of enrollment certificates, and certificate renewal and revocation.
Fabric CA can use LDAP as its user registry. I would like to dive into that concept and provide a manual for integrating the two.
In the examples below I use the Fabric CA client to interact with the server (the other option would be one of Fabric's SDKs). The examples are based on Hyperledger Fabric 1.2.0.
Prerequisites
All the examples were prepared for Ubuntu, so before moving forward execute the commands below:
sudo apt-get update
sudo apt install docker.io
sudo apt-get install docker-compose
curl -sSL http://bit.ly/2ysbOFE | bash -s 1.2.0
export PATH=<path to download location>/bin:$PATH
The above commands install Docker and docker-compose and download the Hyperledger Fabric 1.2.0 binaries, which are then added to the PATH. Note that the last curl command pipes a script fetched over plain HTTP from a shortened URL straight into bash, so nothing verifies what gets executed; outside a throwaway lab, download the script first, read it, and run it from the local copy.
The last step is to clone the repository with the examples: https://github.com/alek-sobol/hyperledgerfabric-tutorial
Hyperledger Fabric CA with the built-in database
If LDAP is not configured, it is the CA's own database that keeps track of identities and certificates. Let's look at a simple example of how that works.
To run the example, navigate to the ca-db directory of the repository and start Fabric CA:
docker-compose up -d
Then open a shell in the Fabric CA container:
docker exec -it fabric-ca-server bash
Enroll the bootstrap admin (admin:adminpw is the identity the lab's CA server was started with):
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
Note the http:// scheme: the CA in this lab runs without TLS, so the enrollment secret crosses the wire in clear text. That is tolerable only because client and server share one container; for any reachable deployment, enable TLS on the server and use https:// here.
Now that the admin holds an enrollment certificate you can register a new identity:
fabric-ca-client register --id.name test_user --id.type user
The command prints the generated enrollment secret for test_user; that secret is what the new identity later enrolls with.
Now we can check that registered users are stored in the database. By default Fabric CA uses SQLite, so, still inside the container, install the sqlite3 client:
apt-get update
apt-get install sqlite3
Once done, navigate to /etc/hyperledger/fabric-ca-server and execute:
sqlite3 fabric-ca-server.db
You are now connected to the CA database. The users table holds one row per identity (id, type, affiliation, attributes and the enrollment secret, which is stored as a bcrypt hash in the token column rather than in clear text), and the certificates table holds the issued certificates together with their serial number, expiry and revocation data.
Hyperledger Fabric CA with LDAP
The next step uses the ca-ldap directory of the repository.
According to the Hyperledger Fabric CA documentation, the LDAP integration is used to:
- authenticate an identity prior to enrollment
- retrieve an identity's attribute values, which are used for authorization
We will focus on the first function; the second one will be described in detail in the next article.
LDAP configuration
For this article I set up an OpenLDAP server locally. An installation guide can be found here: https://help.ubuntu.com/lts/serverguide/openldap-server.html.en
LDAP structure:
Fabric CA configuration
For LDAP and the CA to work together, the Fabric CA server has to be configured accordingly. There is a default configuration file named fabric-ca-server-config.yaml, placed at /etc/hyperledger/fabric-ca-server in the Docker container. That file has to be replaced with one that includes the needed modifications. There are several ways to do it; I chose to mount the new file with a volume in the docker-compose file.
Please look at the fabric-ca-server/fabric-ca-server-config.yaml file. It has an ldap section that must be configured as follows.
The first step is to enable LDAP (once enabled, the CA ignores its registry section and no longer stores identities itself):
ldap:
  enabled: true
Then the connection URL should be set:
url: <scheme>://<adminDN>:<adminPassword>@<host>:<port>/<base>
In my case it looks like this:
url: ldap://cn=admin,dc=mydomain,dc=example,dc=com:admin_entry_password@localhost:389/dc=mydomain,dc=example,dc=com
Be aware that this puts the directory's admin bind password in clear text into the configuration file and, with the ldap scheme, sends it unencrypted to the server; restrict access to the file and prefer ldaps outside a local lab.
Let's look at some parts of the connection URL:
- adminDN: the distinguished name the CA binds with to search the directory; in my case cn=admin,dc=mydomain,dc=example,dc=com
- base: the optional root of the LDAP tree used for searches; in my case dc=mydomain,dc=example,dc=com
One more property needs to be set:
- userfilter: (cn=%s) defines how an identity is looked up. The %s is replaced with the enrollment ID from the enroll request, so the search under base returns the entry whose cn equals that ID; the CA then binds as that entry's DN with the supplied password, and that bind is what authenticates the identity.
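To make the URL fields and the userfilter template concrete, here is a small added Go program (my own illustration, not Fabric CA's code) that splits the url setting into scheme, admin DN, password, host and base exactly as the format above describes, fills the %s of the userfilter with an enrollment ID, and flags the settings a reviewer would question. The RFC 4515 escaping of the enrollment ID is my addition for the example; whether the CA itself escapes the ID before building the filter is not something this page states, so check the server's source before relying on it. The URL and filter are the ones used on this page.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// LDAPConn holds the parts of the Fabric CA "ldap.url" setting, whose documented
// shape is <scheme>://<adminDN>:<adminPassword>@<host>:<port>/<base>.
type LDAPConn struct {
	Scheme   string // "ldap" (clear text) or "ldaps" (TLS)
	AdminDN  string // DN the CA binds with in order to search for identities
	Password string // that DN's password, kept in clear text in the config file
	Host     string // host:port of the directory server
	Base     string // optional root of the subtree searched with userfilter
}

// ParseLDAPURL splits the setting into its parts with net/url. The userinfo
// part may legally contain "=" and "," (a DN), so the page's values need no
// percent-encoding.
func ParseLDAPURL(raw string) (LDAPConn, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return LDAPConn{}, err
	}
	if u.Scheme != "ldap" && u.Scheme != "ldaps" {
		return LDAPConn{}, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.User == nil || u.User.Username() == "" {
		return LDAPConn{}, fmt.Errorf("url carries no adminDN")
	}
	pw, _ := u.User.Password()
	return LDAPConn{
		Scheme:   u.Scheme,
		AdminDN:  u.User.Username(),
		Password: pw,
		Host:     u.Host,
		Base:     strings.TrimPrefix(u.Path, "/"),
	}, nil
}

// EscapeFilterValue applies the RFC 4515 escaping rules to a value that is about
// to be substituted into a search filter, so that characters with filter syntax
// meaning ("*", "(", ")", "\", NUL) cannot change the filter's structure.
// This escaping is part of the added example, not behaviour the page attributes
// to Fabric CA.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildUserFilter fills the "%s" placeholder of the configured userfilter
// (the page uses "(cn=%s)") with the enrollment ID from the enroll request.
func BuildUserFilter(userfilter, enrollmentID string) string {
	return strings.Replace(userfilter, "%s", EscapeFilterValue(enrollmentID), 1)
}

// Warnings lists the points a reviewer would raise about the parsed setting.
func (c LDAPConn) Warnings() []string {
	var w []string
	if c.Scheme == "ldap" {
		w = append(w, "ldap:// is clear text: the bind password and every enrollment secret checked against the directory cross the network unencrypted; use ldaps://")
	}
	if c.Base == "" {
		w = append(w, "no base DN: the lookup is not scoped to a subtree")
	}
	return w
}

func main() {
	// The url from this page's own configuration.
	c, err := ParseLDAPURL("ldap://cn=admin,dc=mydomain,dc=example,dc=com:admin_entry_password@localhost:389/dc=mydomain,dc=example,dc=com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("bind as %q against %s, search base %q\n", c.AdminDN, c.Host, c.Base)
	fmt.Println("filter for admin:    ", BuildUserFilter("(cn=%s)", "admin"))
	fmt.Println("filter for *)(cn=*:  ", BuildUserFilter("(cn=%s)", "*)(cn=*"))
	for _, w := range c.Warnings() {
		fmt.Println("warning:", w)
	}
}
```

Run it with go run: it prints the bind DN, host and base taken from the page's URL, the filter (cn=admin) for the admin identity, the escaped filter for an ID shaped like *)(cn=* (which would otherwise widen the search to every entry with a cn), and a warning about the plaintext ldap scheme.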
With the configuration in place we can finally enroll a user:
fabric-ca-client enroll -u http://admin:my_secret_password@localhost:7054
Here admin is matched by the userfilter against the cn of an entry in the directory, and the password is checked by binding as that entry; neither is stored by the CA. This time the users table stays empty, since the identities are kept in the LDAP server. Unsurprisingly, registering users through Fabric CA no longer works either: with LDAP enabled the CA's registry is ignored, so new identities have to be created in the directory.
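Before taking this setup beyond a local lab, the ldap section is worth hardening. The fragment below is an added example and not the configuration from the repository: it keeps the page's enabled, url and userfilter values but switches the scheme to ldaps, points the CA at a CA bundle for the directory's certificate, and shows the plaintext lab url next to it for comparison. The host name ldap.mydomain.example.com and the certificate path are assumptions; the tls.certfiles and tls.client keys are the ones the Fabric CA server configuration's ldap section provides, and the environment variable follows Fabric CA's FABRIC_CA_SERVER_ plus key-path naming.

```yaml
ldap:
  enabled: true
  # Lab setting from this article: clear-text LDAP, bind password inline.
  # url: ldap://cn=admin,dc=mydomain,dc=example,dc=com:admin_entry_password@localhost:389/dc=mydomain,dc=example,dc=com
  #
  # Hardened: LDAP over TLS on 636. The host name is assumed for the example.
  # The whole url (and so the bind password) can instead come from the
  # FABRIC_CA_SERVER_LDAP_URL environment variable, keeping it out of the file.
  url: ldaps://cn=admin,dc=mydomain,dc=example,dc=com:admin_entry_password@ldap.mydomain.example.com:636/dc=mydomain,dc=example,dc=com
  # Same lookup as in the article: the enrollment ID is matched against cn.
  userfilter: (cn=%s)
  tls:
    # CA certificate(s) the directory server's certificate must chain to
    # (assumed path inside the container).
    certfiles:
      - /etc/hyperledger/fabric-ca-server/ldap-ca.pem
    # Client certificate and key, only needed if the directory requires mutual TLS.
    client:
      certfile:
      keyfile:
```

With ldaps the bind password and every enrollment secret the CA forwards to the directory are protected in transit, and the certfiles entry makes the CA verify that it is talking to the intended directory server rather than to whatever answers on port 636.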
What's next?
In the second part of this article I will describe in more detail how the conversion between LDAP and Fabric CA attributes works, and I will also dive into the process of looking up LDAP users. You can find it here
References
https://hyperledger-fabric.readthedocs.io/en/release-1.2/install.html
https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#fabric-ca-server
https://help.ubuntu.com/lts/serverguide/openldap-server.html.en