Netscape MANAGEMENT SYSTEM 4.5 Installation And Setup Manual page 527

Configuring Authentication for End-User Enrollment
The process described above works smoothly if a Certificate Manager or
Registration Manager is configured to use the master directory for authenticating
users. It may not work smoothly in deployment scenarios that involve
replicated directories. In those scenarios, you need to use the Attribute Present
Constraints policy to verify that the PIN has been removed from the directory.
Here's an example of such a scenario:
A Registration Manager acts as an enrollment authority, passing authenticated
certificate requests to a Certificate Manager; the users have no direct interaction
with the Certificate Manager. The Certificate Manager (CA) and the master
corporate directory are behind the firewall. The Registration Manager and a replica
of the corporate directory are outside the firewall. The Certificate Manager is
configured to communicate with the master corporate directory. The Registration
Manager has read-only permission to the replicated corporate directory and it uses
the directory for authenticating end entities. Both the Certificate Manager and
Registration Manager are configured for password and PIN-based enrollment with
the PIN removal feature turned on. The master corporate directory is configured to
update its replica (outside the firewall) every 10 minutes.
When a user enrolls for a certificate using the End Entity Services interface of the
Registration Manager, it authenticates the user against the replica of the corporate
directory. If the user presents a valid user ID, password, and PIN, the Registration
Manager authenticates the user successfully and forwards the request to the
Certificate Manager. Because the Registration Manager is configured for PIN-based
enrollment with PIN removal, it attempts to remove the PIN from the replicated
directory, but it cannot, since it has no write permission to the replica; the
PIN remains in the replicated directory.
When the Certificate Manager processes the request forwarded by the Registration
Manager, it calls the PinRemovalListener module, which in turn removes the PIN
from the master corporate directory when the Certificate Manager issues the
certificate. (The Certificate Manager sends the certificate to the Registration
Manager, which in turn sends it to the user.)
Although the Certificate Manager has removed the PIN from the master directory,
the replicated directory still has the PIN, because the update hasn't occurred. In the
meantime, the user may enroll again successfully (from the Registration Manager)
for another certificate and receive it from the Certificate Manager.
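The following simulation, added here as an illustration and not part of the manual or of the CMS product, models the scenario above: a read-only replica that the Registration Manager authenticates against, a master directory that the Certificate Manager's PIN removal writes to, and an Attribute Present Constraints check on the master. The class and function names (Directory, RegistrationManager, CertificateManager, run_scenario) and the user entry are constructed for the example.

```python
import copy

class Directory:
    # User entries keyed by uid; the replica is read-only to the RM (constructed model)
    def __init__(self, entries, writable=True):
        self.entries, self.writable = entries, writable
    def remove_attribute(self, uid, attr):
        if not self.writable:          # RM has no write permission on the replica
            return False
        self.entries[uid].pop(attr, None)
        return True
    def replicate_to(self, replica):   # the periodic (e.g. 10-minute) replica update
        replica.entries = copy.deepcopy(self.entries)

class RegistrationManager:
    def __init__(self, replica):
        self.replica = replica
    def authenticate(self, uid, password, pin):
        e = self.replica.entries.get(uid)
        if not e or e.get("userPassword") != password or e.get("pin") != pin:
            return False
        self.replica.remove_attribute(uid, "pin")   # fails: read-only replica
        return True

class CertificateManager:
    def __init__(self, master, attribute_present_policy):
        self.master, self.policy, self.issued = master, attribute_present_policy, []
    def issue(self, uid):
        # Attribute Present Constraints: the 'pin' attribute must still exist in the master
        if self.policy and "pin" not in self.master.entries[uid]:
            return None
        self.master.remove_attribute(uid, "pin")   # PinRemovalListener on the master
        cert = f"cert-{uid}-{len(self.issued) + 1}"
        self.issued.append(cert)
        return cert

def run_scenario(policy_enabled):
    # Two enrollments by the same user inside one replication interval (constructed data)
    master = Directory({"alice": {"userPassword": "s3cret", "pin": "1234"}})
    replica = Directory({}, writable=False)
    master.replicate_to(replica)
    rm, ca = RegistrationManager(replica), CertificateManager(master, policy_enabled)
    certs = []
    for _ in range(2):
        if rm.authenticate("alice", "s3cret", "1234"):
            cert = ca.issue("alice")
            if cert:
                certs.append(cert)
    return certs
```

Without the policy the second enrollment succeeds because the replica still carries the PIN; with the policy the Certificate Manager finds the PIN already gone from the master and refuses the second certificate.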
The Attribute Present Constraints policy enables you to prevent users from
successfully enrolling for multiple certificates from the Registration Manager
during the time interval between directory updates. If you configure the Certificate
Manager to use this policy to check the master directory for PINs before issuing
Chapter 15
Setting Up End-User Authentication
527
