|Applies To||Keon Certificate Authority, Keon Registration Authority|
|Issue||How to search an external LDAP server using X-Parse from the Enrollment Server.|
The error XrcSchemaUnknown still occurs even though the instructions in the solution "How to search external LDAP server using X-Parse?" have been followed. The error only occurs when the lookup is run from the Enrollment Server.
|Resolution||The Enrollment Server has only limited access to the database; that access is defined by the LDAP ACL rules. LDAP ACLs govern who has what level of access to the information served by the Secure Directory Server. In the LDAP ACLs, each server (Admin Server, Enrollment Server, SCEP Server, etc.) is identified by the MD5 fingerprint of its server certificate. To find your Enrollment Server's MD5, scroll down the LDAP Access Control Rules text box until you locate the rule:|
access to dn="dn=request_queue"
The second MD5 listed in this rule is the Enrollment Server's; the first MD5 is the Admin Server's.
To let the Enrollment Server search an external LDAP server, add an LDAP access rule for the Enrollment Server's MD5 that grants read access to the 'top' objectclass.
Note: Incorrect changes to the LDAP access control rules can cripple Sentry CA or make it insecure. The order of the ACL rules also matters.
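Before editing the ACLs it is worth confirming that the MD5 you copied out of the request_queue rule really is the Enrollment Server's. The fingerprint in the rule is the MD5 of the server certificate's DER encoding, so it can be recomputed from the certificate file with the openssl CLI and compared with the ACL text. The script below is an added example, not part of this article or of the Keon product; it assumes openssl is installed, that you have the Enrollment Server certificate as a PEM file, and it generates throwaway certificates and a constructed ACL snippet (whose layout is a placeholder, not the product's real rule syntax) so that it runs stand-alone. For a real check, replace the constructed ACL text with the contents of your own LDAP Access Control Rules box and the generated certificate with your server's.

```sh
#!/bin/sh
# Added example (not from the Keon documentation). Assumes the openssl CLI is present.
# The certificates and ACL text below are CONSTRUCTED for the example.
set -eu

# MD5 fingerprint of an X.509 certificate (MD5 over its DER encoding),
# normalised to lowercase hex without colons so it can be compared as text.
cert_md5() {
    openssl x509 -in "$1" -noout -fingerprint -md5 \
        | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Print the Nth MD5 (32 hex digits, with or without colons) that appears at or after
# the request_queue rule header. Per the article: 1 = Admin Server, 2 = Enrollment Server.
# Usage: rule_md5 <acl-file> <n>
rule_md5() {
    sed -n '/access to dn="dn=request_queue"/,$p' "$1" \
        | grep -oE '([0-9a-fA-F]{2}:?){15}[0-9a-fA-F]{2}' \
        | sed -n "${2}p" | tr -d ':' | tr 'A-F' 'a-f'
}

# True when the second MD5 in the rule equals the fingerprint of the given certificate.
# Usage: check_enrollment_md5 <acl-file> <enrollment-cert.pem>
check_enrollment_md5() {
    [ "$(rule_md5 "$1" 2)" = "$(cert_md5 "$2")" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway certificates standing in for the Admin and Enrollment Server certs.
for name in admin enroll; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name.example" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
done
ADMIN_MD5=$(cert_md5 "$WORK/admin.pem")
ENROLL_MD5=$(cert_md5 "$WORK/enroll.pem")

# Constructed ACL text modelled on the rule the article points to. The "by md5=" lines
# are a placeholder layout, not the product's actual syntax; paste your real ACL text here.
cat > "$WORK/acl.txt" <<EOF
access to dn="dn=request_queue"
    by md5=$ADMIN_MD5 write
    by md5=$ENROLL_MD5 write
    by * none
EOF

if check_enrollment_md5 "$WORK/acl.txt" "$WORK/enroll.pem"; then
    echo "Enrollment Server MD5 in the rule matches its certificate: $ENROLL_MD5"
else
    echo "Mismatch: rule lists $(rule_md5 "$WORK/acl.txt" 2), certificate is $ENROLL_MD5" >&2
    exit 1
fi
```

The grep pattern matches any run of 32 hex digits, so if the ACL box also contains other hex material (a SHA-1 fingerprint, for instance) the first 32 digits of it would be picked up too; check the printed value against the rule by eye before relying on it.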
|Legacy Article ID||a8358|