000018706 - How to search external LDAP using X-Parse from the Enrollment Server.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000018706
Applies To: Keon Certificate Authority, Keon Registration Authority, LDAP Server
Issue: How to search external LDAP using X-Parse from the Enrollment Server.
The error XrcSchemaUnknown still occurs even though the instructions in the solution "How to search external LDAP server using X-Parse?" have been followed. This happens only when the lookup is run from the Enrollment Server.
Resolution: The Enrollment Server has only limited access to the database; what it may access is defined by the LDAP ACL rules. LDAP ACLs govern who has what level of access to the information that the Secure Directory Server serves. The LDAP ACLs identify each server (e.g. Admin Server, Enrollment Server, SCEP server, etc.) by the MD5 fingerprint of that server's certificate. To find your Enrollment Server's MD5, scroll down the LDAP Access Control Rules text box until you locate the rule:

access to dn="dn=request_queue"

The second MD5 listed in this rule is the MD5 of the Enrollment Server; the first MD5 is that of the Admin Server.

To be able to search an external LDAP server from the Enrollment Server, add an LDAP access rule that grants read access to the 'top' objectclass.
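The following is an added example, not RSA's code, showing how an administrator can pick the Enrollment Server's MD5 out of the request_queue rule by position (first MD5 is the Admin Server, second is the Enrollment Server, as the article states) and confirm it against the MD5 fingerprint of the server's certificate before editing the ACLs. The sample ACL text is constructed; the `by md5=... <level>` form of the clauses is an assumption, since the article shows only the `access to dn="dn=request_queue"` header. The fingerprint function computes MD5 over the DER encoding, which is the value `openssl x509 -noout -fingerprint -md5` prints (minus the colons).

```python
"""Added example (not RSA's code): locate the Enrollment Server's MD5 in the
request_queue ACL rule and verify it against a certificate fingerprint."""
import base64
import hashlib
import re

# Constructed sample of an LDAP Access Control Rules text box. The
# "by md5=<fingerprint> <level>" clause syntax is an ASSUMPTION; only the
# 'access to dn="dn=request_queue"' header comes from the article.
SAMPLE_ACL_RULES = """\
access to dn="dn=admin_config"
    by md5=00000000000000000000000000000001 write
access to dn="dn=request_queue"
    by md5=0a1b2c3d4e5f60718293a4b5c6d7e8f9 write
    by md5=ffeeddccbbaa99887766554433221100 read
access to attrs=userPassword
    by * none
"""

# A 32-hex-digit token is an MD5 fingerprint (matched case-insensitively).
MD5_HEX = re.compile(r"\b[0-9a-fA-F]{32}\b")


def rule_block(acl_text: str, target_dn: str) -> str:
    """Return the body of the 'access to dn="<target_dn>"' rule: the lines
    after that header up to (not including) the next 'access to' header."""
    header = f'access to dn="{target_dn}"'
    body = []
    found = False
    for line in acl_text.splitlines():
        if line.startswith("access to"):
            if found:          # reached the next rule: stop
                break
            found = line.strip() == header
            continue
        if found:
            body.append(line)
    if not found:
        raise ValueError(f"no rule found for {target_dn}")
    return "\n".join(body)


def server_md5s(acl_text: str, target_dn: str = "dn=request_queue") -> list:
    """MD5 fingerprints in the rule, in the order they are listed (lowercased)."""
    return [m.lower() for m in MD5_HEX.findall(rule_block(acl_text, target_dn))]


def identify_servers(acl_text: str) -> dict:
    """Per the article: first MD5 is the Admin Server, second the Enrollment Server."""
    md5s = server_md5s(acl_text)
    if len(md5s) < 2:
        raise ValueError("request_queue rule does not list two server fingerprints")
    return {"admin": md5s[0], "enrollment": md5s[1]}


def normalize_fingerprint(fp: str) -> str:
    """Turn openssl's 'AB:CD:...' form into the bare lowercase hex used in the ACLs."""
    return fp.replace(":", "").lower()


def cert_md5_fingerprint(pem_or_der: bytes) -> str:
    """MD5 over the DER bytes of a certificate; accepts PEM or raw DER input."""
    if b"-----BEGIN" in pem_or_der:
        body = b"".join(
            ln.strip() for ln in pem_or_der.splitlines()
            if ln.strip() and not ln.startswith(b"-----")
        )
        der = base64.b64decode(body)
    else:
        der = pem_or_der
    return hashlib.md5(der).hexdigest()


def matches_enrollment_server(acl_text: str, cert_or_fingerprint) -> bool:
    """True if the given certificate (bytes) or openssl-style fingerprint (str)
    is the second MD5 in the request_queue rule, i.e. the Enrollment Server."""
    if isinstance(cert_or_fingerprint, (bytes, bytearray)):
        fp = cert_md5_fingerprint(bytes(cert_or_fingerprint))
    else:
        fp = normalize_fingerprint(cert_or_fingerprint)
    return fp == identify_servers(acl_text)["enrollment"]


if __name__ == "__main__":
    servers = identify_servers(SAMPLE_ACL_RULES)
    print("Admin Server MD5:      ", servers["admin"])
    print("Enrollment Server MD5: ", servers["enrollment"])
    # Constructed openssl-style fingerprint for the Enrollment Server:
    print(matches_enrollment_server(SAMPLE_ACL_RULES,
                                    "FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00"))
```

Before adding the read rule for the 'top' objectclass, run the real certificate (exported from the Enrollment Server) through `cert_md5_fingerprint` rather than trusting the listing order alone; a mismatch means the rule you are about to add would grant access to a different server.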

Note: incorrect changes to the LDAP access control rules can cripple Sentry CA or make it insecure. The order of the ACL rules also matters.
Legacy Article ID: a8358