Fabric CA
FABC-841

Fix Fabric CA Server so that it can establish TLS connection with Open LDAP server on port 389 using starttls

    Details

    • Type: Bug
    • Status: Unverified (View Workflow)
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: fabric-ca-server
    • Labels:
      None
    • Steps to Reproduce:
      First, set up an OpenLDAP server.

      Then, create an instance of fabric-ca-server, supplying the necessary TLS certificates and keys. Example below:

      ```
      + docker container create --name uber-rca-server --network bridge --env FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca-server --env FABRIC_CA_SERVER_DEBUG=true --workdir /etc/hyperledger/fabric-ca-server --log-opt max-file=3 --log-opt max-size=10m hyperledger/fabric-ca:1.3.0 fabric-ca-server start --ca.certfile uber-rca.pem --ca.keyfile uber-rca.key --ca.name uber-rca --tls.certfile uber-rca-server.pem --tls.keyfile uber-rca-server.key --tls.enabled --tls.clientauth.type requireandverifyclientcert --tls.clientauth.certfiles uber-ca-chain.pem --ldap.enabled --ldap.url ldap://dn=admin,dc=uber,dc=com:xxx@uber-ldap-server:389/dc=uber,dc=com --ldap.tls.certfiles uber-ca-chain.pem --ldap.tls.client.certfile uber-rca-client.pem --ldap.tls.client.keyfile uber-rca-client.key
      ```




      Now try to enroll a user.

      Observe the error below:

      ```
      2019/05/03 19:06:23 [DEBUG] Binding to the LDAP server as admin user cn=admin,dc=uber,dc=com

      2019/05/03 19:06:23 [INFO] 10.0.1.8:37264 POST /enroll 401 23 "Failed to get user: LDAP bind failure as cn=admin,dc=uber,dc=com: LDAP Result Code 13 "Confidentiality Required": confidentiality required"
      ```

      Expected:
      No error. fabric-ca-server should use starttls when it detects that `--ldap.tls.client.certfile` and key have been given

      Description

      The recommended way to establish a TLS connection with an OpenLDAP server is to use StartTLS on port 389, as described here:

      https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

      But Fabric-CA-server does not support this.
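      The exchange the report is asking for, as an added example that is neither Fabric CA's code nor the reporter's: a Go client opens the plaintext port 389, sends the StartTLS extended request, checks the ExtendedResponse, and only then runs the TLS handshake over the same socket with the CA chain and client certificate named in the docker command above. A bind issued after that point never travels in clear, so the server has no reason to answer with result code 13 (confidentialityRequired). Fabric CA itself is written in Go and a real fix would call its LDAP library's StartTLS method rather than hand-encode BER; the encoding is spelled out here only so the wire exchange is visible. The host and file names (uber-ldap-server, uber-ca-chain.pem, uber-rca-client.pem, uber-rca-client.key) are taken from the report; the function names, the short-form-length restriction (StartTLS messages are a few dozen bytes) and the `must` helper are this example's own.

```go
// Added example (not Fabric CA code): LDAP StartTLS, RFC 4511 section 4.14, standard library only.
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
)

// LDAPResult holds the response fields we need; result code 13 is confidentialityRequired.
type LDAPResult struct {
	MessageID, ResultCode int
	Diagnostic            string
}

// berTLV prefixes v with a BER tag and short-form length (every StartTLS message fits).
func berTLV(tag byte, v []byte) []byte {
	return append([]byte{tag, byte(len(v))}, v...)
}

// StartTLSRequest encodes LDAPMessage{messageID, [APPLICATION 23] ExtendedRequest{[0] OID}}.
func StartTLSRequest(messageID byte) []byte {
	req := berTLV(0x77, berTLV(0x80, []byte("1.3.6.1.4.1.1466.20037"))) // the StartTLS OID
	return berTLV(0x30, append(berTLV(0x02, []byte{messageID}), req...))
}

// ParseExtendedResponse walks LDAPMessage{messageID, [APPLICATION 24] ExtendedResponse{
// resultCode, matchedDN, diagnosticMessage, ...}}; trailing optional fields are ignored.
func ParseExtendedResponse(msg []byte) (LDAPResult, error) {
	vals, b := [][]byte{}, msg
	for i, want := range []byte{0x30, 0x02, 0x78, 0x0a, 0x04, 0x04} {
		if len(b) < 2 || b[1] >= 0x80 || 2+int(b[1]) > len(b) || b[0] != want {
			return LDAPResult{}, fmt.Errorf("bad BER element at step %d (wanted tag %#x): % x", i, want, b)
		}
		end := 2 + int(b[1])
		vals, b = append(vals, b[2:end]), b[end:]
		if i == 0 || i == 2 { // SEQUENCE and ExtendedResponse are constructed: step inside
			b = vals[i]
		}
	}
	if len(vals[1]) != 1 || len(vals[3]) != 1 { // we sent messageID 1; result codes are < 128
		return LDAPResult{}, errors.New("unexpected INTEGER width")
	}
	return LDAPResult{int(vals[1][0]), int(vals[3][0]), string(vals[5])}, nil
}

// StartTLS sends the request on a plaintext port-389 connection and, if the server accepts,
// upgrades that same socket to TLS with cfg (CA chain plus client certificate).
func StartTLS(conn net.Conn, cfg *tls.Config) (*tls.Conn, error) {
	if _, err := conn.Write(StartTLSRequest(1)); err != nil {
		return nil, err
	}
	raw := make([]byte, 2) // BER frame: tag, short-form length, then exactly that many bytes
	if _, err := io.ReadFull(conn, raw); err != nil || raw[1] >= 0x80 {
		return nil, fmt.Errorf("bad StartTLS response header % x (long-form length not handled): %v", raw, err)
	}
	raw = append(raw, make([]byte, raw[1])...)
	if _, err := io.ReadFull(conn, raw[2:]); err != nil {
		return nil, err
	}
	res, err := ParseExtendedResponse(raw)
	if err != nil {
		return nil, err
	}
	if res.MessageID != 1 || res.ResultCode != 0 {
		return nil, fmt.Errorf("StartTLS refused: result code %d: %s", res.ResultCode, res.Diagnostic)
	}
	tc := tls.Client(conn, cfg) // the handshake (server cert check, client cert) runs on the same socket
	return tc, tc.Handshake()
}

// TLSConfig mirrors --ldap.tls.certfiles (CA chain) and --ldap.tls.client.certfile/.keyfile.
func TLSConfig(caChain, certFile, keyFile, serverName string) (*tls.Config, error) {
	pem, err := os.ReadFile(caChain)
	pool := x509.NewCertPool()
	if err == nil && !pool.AppendCertsFromPEM(pem) {
		err = errors.New("no CA certificates in " + caChain)
	}
	crt, keyErr := tls.LoadX509KeyPair(certFile, keyFile) // client cert for mutual TLS
	return &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{crt}, ServerName: serverName, MinVersion: tls.VersionTLS12}, errors.Join(err, keyErr)
}

func must[T any](v T, err error) T {
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	return v
}

func main() {
	// Host and file names follow the report's docker command; 389 is the plaintext port.
	cfg := must(TLSConfig("uber-ca-chain.pem", "uber-rca-client.pem", "uber-rca-client.key", "uber-ldap-server"))
	tc := must(StartTLS(must(net.Dial("tcp", "uber-ldap-server:389")), cfg))
	fmt.Printf("StartTLS accepted; TLS %#x now protects the bind\n", tc.ConnectionState().Version)
}
```

      Run it where those files exist and port 389 is reachable. A server that declines the upgrade comes back as `StartTLS refused: result code N: <diagnostic>` before any TLS handshake is attempted; a server that accepts it returns success with an empty diagnostic, after which the bind and every later search go over `tc`, which is the behaviour the Expected section asks for. The `MessageID` check matters: an LDAP server may interleave unsolicited notifications, and a client must not treat one of those as its StartTLS answer.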

              People

              • Assignee: Unassigned
              • Reporter: siddjain (siddharth jain)
              • Votes: 0
              • Watchers: 1
