Configuring LDAP
The Fabric CA server can be configured to use an LDAP server for the following:
- authenticating an identity before enrollment (the identity's password is checked against LDAP rather than against the Fabric CA server's own database)
- retrieving an identity's attribute values, which are then used for authorization decisions
Modify the ldap section of the Fabric CA server's configuration file so that it connects to your LDAP server (note that the client stays disabled until you set enabled to true):
ldap:
   # Enables or disables the LDAP client (default: false)
   enabled: false
   # The URL of the LDAP server
   url: <scheme>://<adminDN>:<adminPassword>@<host>:<port>/<base>
   userfilter: <filter>
   attribute:
      # 'names' is an array of strings that identify the specific attributes
      # which are requested from the LDAP server.
      names: <LDAPAttrs>
      # The 'converters' section is used to convert LDAP attribute values
      # to fabric CA attribute values.
      #
      # For example, the following converts an LDAP 'uid' attribute
      # whose value begins with 'revoker' to a fabric CA attribute
      # named "hf.Revoker" with a value of "true" (because the expression
      # evaluates to true).
      #    converters:
      #       - name: hf.Revoker
      #         value: attr("uid") =~ "revoker*"
      #
      # As another example, assume a user has an LDAP attribute named
      # 'member' which has multiple values of "dn1", "dn2", and "dn3".
      # Further assume the following configuration.
      #    converters:
      #       - name: myAttr
      #         value: map(attr("member"),"groups")
      #    maps:
      #       groups:
      #          - name: dn1
      #            value: orderer
      #          - name: dn2
      #            value: peer
      # The value of the user's 'myAttr' attribute is then computed to be
      # "orderer,peer,dn3". This is because the value of 'attr("member")' is
      # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
      # "groups" replaces "dn1" with "orderer" and "dn2" with "peer";
      # "dn3" has no entry in the map and is kept as-is.
      converters:
         - name: <fcaAttrName>
           value: <fcaExpr>
      maps:
         <mapName>:
            - name: <from>
              value: <to>
Where:
- scheme: either ldap or ldaps. Prefer ldaps: with plain ldap, the admin bind password and every user's enrollment password cross the network in the clear.
- adminDN: the distinguished name of the administrative user the server binds as
- adminPassword: the password of that administrative user. It is stored in plaintext in the URL, so restrict read access to the configuration file (or supply the URL through the FABRIC_CA_SERVER_LDAP_URL environment variable instead).
- host: the hostname or IP address of the LDAP server
- port: the port of the LDAP server; optional, defaulting to 389 for ldap and 636 for ldaps
- base: the root of the LDAP tree under which to search; optional
- filter: the filter used when searching for a user in order to convert a login user name into a distinguished name. The %s placeholder is replaced by the login user name; for example, (uid=%s) searches for an entry whose uid attribute equals the login user name, and (mail=%s) would allow logging in with an email address.
- LDAPAttrs: an array of LDAP attribute names to request from the LDAP server; only these attributes are available to attr() in the converters
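The converter semantics described in the comments above (attr() joining multi-valued attributes with commas, map() substituting through a named map, and the =~ match) are easy to get subtly wrong, and a mistake silently grants or withholds attributes such as hf.Revoker. The following is an added example, not Fabric CA's own code or its expression engine: a small offline simulator of just those three expression shapes, which lets you check what a converters/maps section will produce for a given directory entry before enabling LDAP on the server. The LDAP entry, converters and maps are constructed from the examples above; the assumption that =~ is a regular-expression match (as in the govaluate library Fabric CA uses) and that a boolean result is rendered as "true"/"false" is noted in the code.

```python
import re

# Constructed LDAP entry (test data, not from a real directory). This is what the
# server holds after searching with the userfilter and requesting the attributes
# listed under 'names'. Multi-valued attributes come back as lists.
SAMPLE_ENTRY = {
    "uid": ["revoker1"],
    "member": ["dn1", "dn2", "dn3"],
}

# The 'converters' and 'maps' sections from the configuration examples above.
CONVERTERS = [
    {"name": "hf.Revoker", "value": 'attr("uid") =~ "revoker*"'},
    {"name": "myAttr", "value": 'map(attr("member"),"groups")'},
]
MAPS = {
    "groups": [
        {"name": "dn1", "value": "orderer"},
        {"name": "dn2", "value": "peer"},
    ],
}

# The three expression shapes this simulator understands.
_ATTR_RE = re.compile(r'attr\("([^"]+)"\)')
_MAP_RE = re.compile(r'map\(\s*attr\("([^"]+)"\)\s*,\s*"([^"]+)"\s*\)')
_MATCH_RE = re.compile(r'attr\("([^"]+)"\)\s*=~\s*"([^"]+)"')


def attr(entry, name):
    """attr(<name>): a multi-valued LDAP attribute is joined with ','
    ("dn1,dn2,dn3" in the example above). A missing attribute yields ''."""
    return ",".join(entry.get(name, []))


def map_values(value, map_name, maps):
    """map(<value>, <mapName>): replace each comma-separated element that has
    an entry in maps[map_name]; elements without one (dn3) pass through."""
    table = {m["name"]: m["value"] for m in maps.get(map_name, [])}
    return ",".join(table.get(v, v) for v in value.split(","))


def evaluate(expr, entry, maps):
    """Evaluate one converter expression against an LDAP entry.
    Assumption: '=~' is an (unanchored) regular-expression match, as in
    govaluate, and a boolean result is rendered as "true"/"false"."""
    expr = expr.strip()
    m = _MATCH_RE.fullmatch(expr)
    if m:
        name, pattern = m.groups()
        return "true" if re.search(pattern, attr(entry, name)) else "false"
    m = _MAP_RE.fullmatch(expr)
    if m:
        name, map_name = m.groups()
        return map_values(attr(entry, name), map_name, maps)
    m = _ATTR_RE.fullmatch(expr)
    if m:
        return attr(entry, m.group(1))
    raise ValueError(f"unsupported converter expression: {expr!r}")


def convert(entry, converters, maps):
    """Compute the Fabric CA attributes for one identity: name -> value."""
    return {c["name"]: evaluate(c["value"], entry, maps) for c in converters}


if __name__ == "__main__":
    for name, value in convert(SAMPLE_ENTRY, CONVERTERS, MAPS).items():
        print(f"{name} = {value}")
    # The unanchored pattern also matches a uid that merely contains "revoke":
    print(evaluate('attr("uid") =~ "revoker*"', {"uid": ["xrevoked"]}, MAPS))
```

Running it reproduces the documented results (hf.Revoker = true, myAttr = orderer,peer,dn3), and the last line shows the caveat worth checking in your own configuration: under regex semantics "revoker*" is not a prefix test, since it also matches a uid such as "xrevoked". If the intent is "begins with revoker", anchor the pattern ("^revoker"), and keep the attribute list in names minimal so that only attributes you deliberately requested can feed an authorization decision.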