3.3 Tracking Entrust DN changes
You can use the Track Entrust distinguished name changes option on the LDAP tab of the Operation Settings workflow to control whether DN changes are sent to Entrust. This option is set to No by default; you must switch it to Yes if you want MyID to update Entrust with DN changes.
When you switch this option on, the following occur:
- Updating the user DN using the Edit Person workflow or through LDAP synchronization causes the DN in Entrust to be changed to the new value.
- Certificates remain associated with the MyID user account.
- Certificates issued to the previous DN can still be revoked, suspended, or unsuspended through MyID.
- Archived certificates issued to the previous DN can still be recovered through MyID.
Note: This feature does not work with PIV Distinguished Names (modified using the PIV applicant editing screens); the PIV DN is a separate attribute from the standard DN in MyID.
3.3.1 Known issues
- IKB-246 – Additional identities will not work when tracking Entrust DN changes
If you use MyID to issue additional identity certificates to a user, and have configured MyID to track Entrust DN changes, the additional identity certificates held in Entrust will not be affected when you update the DN. This is because the DN associated with an additional identity certificate is different from the primary DN of the user account in MyID, so only certificates issued under the primary DN are updated.