This is a "corner case" and was not designed for this use case, but there is a need for more validity checking of the agent's LDAP certificate record during authorization for various operations. Example with inconsistent issuance and revocation:
Scenario:
- 2 CA instances in the same security domain, "rootca1" and "subca1"
- the 2 CAs have different serial number issued/ranges, so that "rootca1" has fewer LDAP certificate records than "subca1"
- an agent certificate is issued by "subca1" for a user called subca1agentuser1:

```
tail /var/log/pki/subca1/ca/transactions
0.http-bio-8443-exec-3 - [28/Apr/2019:18:04:20 UTC] [20] [1] enrollment reqID 1030 fromAgent userID: caadmin authenticated by certUserDBAuthMgr is completed DN requested: UID=subca1useragent1 cert issued serial number: 0x402 time: 63
```

The agent user called subca1agentuser1 is added and trusted in rootca1:

```
export nssdir=~/.dogtag/rootca1
pki -U https://ca1.example.test:7443/ca -d ${nssdir} -C ${nssdir}/pwdfile.txt -n "PKI Administrator for example.test" ca-user-add subca1agentuser1 --fullName "subca1 Agent User 1"
pki -U https://ca1.example.test:7443/ca -d ${nssdir} -C ${nssdir}/pwdfile.txt -n "PKI Administrator for example.test" ca-group-member-add "Certificate Manager Agents" subca1agentuser1
pki -U https://ca1.example.test:7443/ca -n caadmin -c password ca-user-cert-add subca1agentuser1 --input /home/subca1useragent1/subca1useragent1.0x402.crt
```

Check: there is a "subca1agentuser1" user entry in "rootca1":

```
ldapsearch -LLLx -D "cn=directory manager" -w password -b uid=subca1agentuser1,ou=People,o=rootca1-CA
dn: uid=subca1agentuser1,ou=people,o=rootca1-CA
...
userCertificate:: MIIDazCCAlOgAwIBAgICBAIwDQYJKoZIhvcNAQELBQAwRDEUMBIGA1UECgwL
...
```

Check: the "expected" non-existent LDAP entry in "rootca1", for the corner case to test:

```
ldapsearch -LLLx -D "cn=directory manager" -w password -b "cn=1026,ou=certificateRepository,ou=ca,o=rootca1-CA"
No such object (32)
Matched DN: ou=certificateRepository,ou=ca,o=rootca1-CA
```
test 1 on rootca1 - agent subca1agentuser1 successfully issues a user certificate
Note the LDAP error 32 / no such object during authorization, on the entry cn=1026,ou=certificateRepository,ou=ca,o=rootca1-CA, and the issuance process continuing anyway.
details, see attachment "test1"
The error message "PKIException: Record not found" is confusing because it does not apply to the certificate I tried to revoke; it seems to apply to the agent cert LDAP record, cn=1026,ou=certificateRepository,ou=ca,o=rootca1-CA, which does not exist on "rootca1" in this scenario:

```
pki -U https://ca1.example.test:7443/ca -d ${nssdir} -C ${nssdir}/pwdfile.txt -n subca1useragent1 ca-cert-hold 0xc
Placing certificate on-hold:
  Serial Number: 0xc
  Subject DN: UID=rootca1user1
  Issuer DN: CN=CA Signing Certificate,OU=rootca1,O=Root CA Example Corp 7
  Status: VALID
  Not Valid Before: Sun Apr 28 18:39:26 UTC 2019
  Not Valid After: Fri Oct 25 18:39:26 UTC 2019
Are you sure (Y/N)? y
PKIException: Record not found
```

```
==> /var/log/pki/rootca1/localhost_access_log.2019-04-28.txt <==
192.168.122.66 - subca1agentuser1 [28/Apr/2019:18:52:41 +0000] "GET /ca/rest/account/login HTTP/1.1" 200 203
192.168.122.66 - subca1agentuser1 [28/Apr/2019:18:52:41 +0000] "GET /ca/rest/agent/certs/12 HTTP/1.1" 200 9450
192.168.122.66 - subca1agentuser1 [28/Apr/2019:18:52:45 +0000] "POST /ca/rest/agent/certs/12/revoke HTTP/1.1" 500 209
```
details, see attachment "test2"
Attachment "test1": test1 on rootca1 - agent subca1agentuser1 successfully issue a user certificate (/dogtagpki/issue/raw/files/f6c716d53f6d29a0901b499944c7d229bebd98fde860fdae1eac615aaf36af85-test1)
Metadata Update from @msauton: custom fields component, feature, origin, proposedmilestone, proposedpriority, reviewer, type and version adjusted to None
Attachment "test2": test2 on rootca1 - the same agent subca1agentuser1 fails to revoke the user certificate that was just issued (/dogtagpki/issue/raw/files/55bffbaf0da4f49dc8bf0c185e2b4efcf33e38cf4128637d45753777dc780d74-test2)
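The following is an added illustration, not Dogtag's authorization code, of the kind of record check the report above asks for. As the LDAP error 32 in test 1 shows, the authorization path looks the agent certificate up as cn=<serial> under the local certificateRepository. For an agent certificate issued by another CA that record is either absent (the case here) or, since serial numbers are only unique per issuer, could belong to a different certificate that the local CA happened to issue with the same serial. The helper decodes the serial from the DER prefix that ldapsearch printed for uid=subca1agentuser1 (only the first base64 line is on the page, which is enough to reach the serialNumber field), builds the DN, and applies one rule to both issuance and revocation. The repository contents, the "other CA reused serial 1026" case, the `authorize`/`demo` names and the refuse-on-mismatch policy are all constructed assumptions for the example, not the project's decision.

```python
"""Consistent agent-record check (added example, not Dogtag code)."""
import base64

# First base64 line of the userCertificate value shown in the ldapsearch
# output for uid=subca1agentuser1; truncated on the page, but the leading
# fields (through serialNumber) decode completely.
AGENT_CERT_DER = base64.b64decode(
    "MIIDazCCAlOgAwIBAgICBAIwDQYJKoZIhvcNAQELBQAwRDEUMBIGA1UECgwL"
)


def _tlv(buf, off):
    """Decode the DER tag and length at `off`; return (tag, value_off, value_len)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, length


def serial_from_der(der):
    """Walk Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber."""
    tag, off, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, off, _ = _tlv(der, off)             # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("bad tbsCertificate")
    tag, voff, vlen = _tlv(der, off)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        tag, voff, vlen = _tlv(der, voff + vlen)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    return int.from_bytes(der[voff:voff + vlen], "big", signed=True)


def repository_dn(serial, ca_base):
    """DN that the CA searches for the agent cert in its certificateRepository."""
    return f"cn={serial},ou=certificateRepository,ou=ca,{ca_base}"


def authorize(agent_cert_der, repository, ca_base, operation):
    """One rule for every agent operation; returns (allowed, reason).

    `repository` models a CA's certificateRepository as {dn: der_bytes}.
    Absent record and wrong-bytes record are both refused, so issue and
    revoke can never disagree about the same agent certificate.
    """
    dn = repository_dn(serial_from_der(agent_cert_der), ca_base)
    stored = repository.get(dn)
    if stored is None:
        return False, f"{operation} refused: {dn} does not exist (LDAP error 32)"
    if stored != agent_cert_der:
        return False, f"{operation} refused: {dn} holds a different certificate"
    return True, f"{operation} allowed: {dn} matches the presented certificate"


# Constructed repositories for the scenario: rootca1 has no record 1026 (as on
# the page); "other" is a hypothetical CA that issued its own serial 1026, so
# the DN exists but the bytes differ; subca1 holds the real record.
OTHER_CERT_SAME_SERIAL = AGENT_CERT_DER[:17] + b"\xff" * 28   # same serial, different body
ROOTCA1_REPO = {}
COLLIDING_REPO = {repository_dn(1026, "o=other-CA"): OTHER_CERT_SAME_SERIAL}
SUBCA1_REPO = {repository_dn(1026, "o=subca1-CA"): AGENT_CERT_DER}


def demo():
    """Run issue and revoke against each repository; both get the same answer."""
    results = {}
    for name, repo, base in (("rootca1", ROOTCA1_REPO, "o=rootca1-CA"),
                             ("other", COLLIDING_REPO, "o=other-CA"),
                             ("subca1", SUBCA1_REPO, "o=subca1-CA")):
        results[name] = tuple(authorize(AGENT_CERT_DER, repo, base, op)
                              for op in ("issue", "revoke"))
    return results


if __name__ == "__main__":
    for name, (issue, revoke) in demo().items():
        print(name, issue[1], revoke[1], sep="\n  ")
```

The check is deliberately keyed on the stored certificate bytes rather than on the serial alone: existence of cn=1026 in the local repository proves nothing about an agent cert that a different issuer signed.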
bz 1710094 - agent cert not from local CA, LDAP error 32, but can issue cert while revoke fails with "PKIException: Record not found" and an HTTP 500 error: https://bugzilla.redhat.com/show_bug.cgi?id=1710094
Question: does this behavior only happen with pki CLI commands, or do you observe the same behavior if they (the agent cert issuance approval as well as the revocation) were done from the UI?
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3218
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: issue close_status updated to "migrated"; issue status updated to Closed (was: Open)