Fabric CA
FABC-841

Fix Fabric CA Server so that it can establish a TLS connection with an OpenLDAP server on port 389 using StartTLS

    Details

    • Type: Bug
    • Status: Unverified (View Workflow)
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: fabric-ca-server
    • Labels:
      None
    • Steps to Reproduce:
      First, set up an OpenLDAP server.

      Then, create an instance of fabric-ca-server, supplying the necessary TLS certificates and keys. Example below (the bind DN in the URL is `cn=admin`, matching the bind attempt in the log):

      ```sh
      docker container create --name uber-rca-server --network bridge \
        --env FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca-server \
        --env FABRIC_CA_SERVER_DEBUG=true \
        --workdir /etc/hyperledger/fabric-ca-server \
        --log-opt max-file=3 --log-opt max-size=10m \
        hyperledger/fabric-ca:1.3.0 fabric-ca-server start \
          --ca.certfile uber-rca.pem --ca.keyfile uber-rca.key --ca.name uber-rca \
          --tls.certfile uber-rca-server.pem --tls.keyfile uber-rca-server.key --tls.enabled \
          --tls.clientauth.type requireandverifyclientcert --tls.clientauth.certfiles uber-ca-chain.pem \
          --ldap.enabled \
          --ldap.url 'ldap://cn=admin,dc=uber,dc=com:xxx@uber-ldap-server:389/dc=uber,dc=com' \
          --ldap.tls.certfiles uber-ca-chain.pem \
          --ldap.tls.client.certfile uber-rca-client.pem --ldap.tls.client.keyfile uber-rca-client.key
      ```

      Now try to enroll a user.

      Observe error below:

      ```
      2019/05/03 19:06:23 [DEBUG] Binding to the LDAP server as admin user cn=admin,dc=uber,dc=com
      2019/05/03 19:06:23 [INFO] 10.0.1.8:37264 POST /enroll 401 23 "Failed to get user: LDAP bind failure as cn=admin,dc=uber,dc=com: LDAP Result Code 13 "Confidentiality Required": confidentiality required"
      ```

      Expected:
      No error. fabric-ca-server should use StartTLS when it detects that `--ldap.tls.client.certfile` and `--ldap.tls.client.keyfile` have been given.

      Description

      The recommended way to establish a TLS connection with an OpenLDAP server is to use StartTLS on port 389, as described here:

      https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

      But fabric-ca-server does not support this.
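      The exchange this report asks for, as an added example that is not fabric-ca-server's code or the reporter's: a standard-library-only Python client that opens a plaintext connection to the LDAP port, sends the StartTLS extended operation, upgrades the same TCP connection to mutual TLS using the CA chain and the client certificate (the counterparts of `--ldap.tls.certfiles` and `--ldap.tls.client.certfile`/`keyfile`), and only then sends the simple bind. Result code 13 on the bind is mapped to an explicit error because that is the symptom in the log above: a bind attempted while the session is still plaintext from the server's point of view. The host name, bind DN and file names in `main` are placeholders mirroring the report's naming, and `sample_bind_response` builds constructed bytes for offline checking, not captured traffic.

      ```python
      """StartTLS then simple bind on an LDAP server's plaintext port (RFC 4511 BER, stdlib only).

      Added example, not fabric-ca-server code. Host, DN and file names are placeholders."""
      import socket
      import ssl

      STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
      CONFIDENTIALITY_REQUIRED = 13  # the resultCode in the report's log line


      def ber_length(n):
          """BER length octets: short form below 128, long form 0x80|count followed by the length."""
          if n < 0x80:
              return bytes([n])
          body = n.to_bytes((n.bit_length() + 7) // 8, "big")
          return bytes([0x80 | len(body)]) + body


      def tlv(tag, payload):
          return bytes([tag]) + ber_length(len(payload)) + payload


      def ber_integer(n, tag=0x02):
          # non-negative values only; the extra byte keeps the sign bit clear (128 -> 00 80)
          return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big"))


      def ldap_message(msg_id, protocol_op):
          # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }
          return tlv(0x30, ber_integer(msg_id) + protocol_op)


      def starttls_request(msg_id=1):
          # ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
          # 0x77 = APPLICATION 23 constructed, 0x80 = context tag [0] primitive
          return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))


      def simple_bind_request(bind_dn, password, msg_id=2):
          # BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN, authentication [0] simple }
          body = ber_integer(3) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
          return ldap_message(msg_id, tlv(0x60, body))


      def read_tlv(buf, pos=0):
          """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
          tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
          if ln & 0x80:  # long-form length
              count = ln & 0x7F
              ln = int.from_bytes(buf[pos:pos + count], "big")
              pos += count
          return tag, buf[pos:pos + ln], pos + ln


      def parse_result(msg):
          """(messageID, resultCode, diagnosticMessage) of a BindResponse or ExtendedResponse."""
          _, seq, _ = read_tlv(msg)
          _, mid, pos = read_tlv(seq)
          _, op, _ = read_tlv(seq, pos)
          _, code, pos = read_tlv(op)            # resultCode ENUMERATED
          _, _matched, pos = read_tlv(op, pos)   # matchedDN
          _, diag, _ = read_tlv(op, pos)         # diagnosticMessage
          return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


      def recv_exact(sock, n):
          data = b""
          while len(data) < n:
              chunk = sock.recv(n - len(data))
              if not chunk:
                  raise ConnectionError("LDAP peer closed the connection")
              data += chunk
          return data


      def recv_message(sock):
          """Read one complete LDAPMessage: outer tag and length first, then exactly that many bytes."""
          head = recv_exact(sock, 2)
          ln = head[1]
          if ln & 0x80:
              extra = recv_exact(sock, ln & 0x7F)
              head, ln = head + extra, int.from_bytes(extra, "big")
          return head + recv_exact(sock, ln)


      def starttls_bind(host, port, bind_dn, password, ca_file, client_cert, client_key):
          """Connect in the clear, upgrade with StartTLS (mutual TLS), then simple-bind.
          Returns the TLS socket on success; raises with the LDAP result code otherwise."""
          ctx = ssl.create_default_context(cafile=ca_file)  # server chain verified against the CA file
          ctx.load_cert_chain(client_cert, client_key)      # client certificate for mutual TLS
          raw = socket.create_connection((host, port), timeout=10)
          raw.sendall(starttls_request(1))
          _, code, diag = parse_result(recv_message(raw))
          if code != 0:
              raw.close()
              raise RuntimeError(f"StartTLS refused: resultCode {code} {diag!r}")
          tls = ctx.wrap_socket(raw, server_hostname=host)  # same TCP connection, now encrypted
          tls.sendall(simple_bind_request(bind_dn, password, 2))
          _, code, diag = parse_result(recv_message(tls))
          if code == CONFIDENTIALITY_REQUIRED:
              tls.close()
              raise RuntimeError("bind refused with Confidentiality Required: the server requires TLS "
                                 "and sees this session as plaintext")
          if code != 0:
              tls.close()
              raise RuntimeError(f"bind failed: resultCode {code} {diag!r}")
          return tls


      def sample_bind_response(msg_id, code, diag):
          """Constructed BindResponse (0x61 = APPLICATION 1) for offline checks; not captured traffic."""
          result = ber_integer(code, tag=0x0A) + tlv(0x04, b"") + tlv(0x04, diag.encode())
          return ldap_message(msg_id, tlv(0x61, result))


      if __name__ == "__main__":
          # Placeholder values mirroring the report; replace with real ones before running.
          conn = starttls_bind("uber-ldap-server", 389, "cn=admin,dc=uber,dc=com", "xxx",
                               "uber-ca-chain.pem", "uber-rca-client.pem", "uber-rca-client.key")
          conn.close()
      ```

      The 31-byte StartTLS request the client sends (`30 1d 02 01 01 77 18 80 16` followed by the OID) is the same one a packet capture of any StartTLS client shows, so it is easy to confirm on the wire. To check the server side independently of fabric-ca-server, the OpenLDAP tools do the same upgrade with `ldapwhoami -ZZ -H ldap://uber-ldap-server:389 -D cn=admin,dc=uber,dc=com -W`; `-ZZ` makes the command fail rather than fall back to plaintext if StartTLS is not negotiated.
      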

            People

            • Assignee:
              Unassigned
              Reporter:
              siddjain (siddharth jain)