Length of names
The maximum lengths of various names associated with ISAM vary depending on the user registry being used. See Table 1 for a comparison of the maximum lengths allowed and the recommended maximum length to use to ensure compatibility with all the user registries supported by ISAM.
| Name | IBM Security Directory Server | IBM z/OS Security Server | Novell eDirectory Server | Sun Java™ System Directory Server | Microsoft Active Directory Server | Active Directory Lightweight Directory Service (AD LDS) | Optimum length |
|---|---|---|---|---|---|---|---|
| Given name (LDAP CN) | 256 | 256 | 64 | 256 | 64 | 64 | 64 |
| Middle name | 128 | 128 | 128 | 128 | 64 | 64 | 64 |
| Family name | 128 | 128 | 128 | 128 | 64 | 64 | 64 |
| Registry UID (LDAP DN) | 1024 | 1024 | 1024 | 1024 | 2048 | 1024 | 255 |
| Security Verify Access user identity | 256 | 256 | 256 | 256 | 64 | 64 | 64 |
| User password | unlimited | unlimited | unlimited | unlimited | 256 | 128 | 256 |
| User description | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| Group name | 256 | 256 | 256 | 256 | 64 | 64 | 64 |
| Group description | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| Single sign-on resource name | 240 | 240 | 240 | 240 | 60 | 240 | 60 |
| Single sign-on resource description | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| Single sign-on user ID | 240 | 240 | 240 | 240 | 60 | 240 | 60 |
| Single sign-on password | unlimited | unlimited | unlimited | unlimited | 256 | unlimited | 256 |
| Single sign-on group name | 240 | 240 | 240 | 240 | 60 | 240 | 60 |
| Single sign-on group description | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| Action name | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Action description, action type | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |
| Object name, object description | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |
| Object space name, object space description | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |
| ACL name, ACL descriptions | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |
| POP name, POP description | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | |
Although the maximum length of an Active Directory distinguished name (registry UID) is 2048, the maximum length of each relative distinguished name (RDN) is 64.
If we configure IBM Security Verify Access to use multiple Active Directory domains, the maximum length of the user identity and group name does not include the domain suffix. When using multiple domains, the format of a user identity is user_id@domain_suffix. The maximum length of 64 characters applies only to the user_id portion. If an email address or other format is used for the ISAM user identity in Active Directory, the maximum name length remains the same, but it includes the suffix.
Although the lengths of some names can be unlimited, excessive lengths can result in a policy that is difficult to manage and might result in poor system performance. Choose maximum values that are logical for the environment.
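The Active Directory rules above can be checked before provisioning. The following Python sketch is an added example, not IBM code: the function names are hypothetical, and it assumes the 64-character RDN limit counts the whole RDN string (attribute type included), which is the stricter reading.

```python
# Limits taken from Table 1 and the notes on this page (Active Directory column).
AD_DN_MAX = 2048        # registry UID (LDAP DN)
AD_RDN_MAX = 64         # each relative distinguished name
AD_IDENTITY_MAX = 64    # user identity / group name


def split_rdns(dn):
    """Split a DN on unescaped commas (a backslash escapes the next character)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(current).strip())
            current = []
            continue
        current.append(ch)
        escaped = (ch == "\\") and not escaped
    rdns.append("".join(current).strip())
    return rdns


def check_ad_dn(dn):
    """Return a list of length problems for an Active Directory registry UID."""
    problems = []
    if len(dn) > AD_DN_MAX:
        problems.append(f"DN is {len(dn)} characters, limit {AD_DN_MAX}")
    for rdn in split_rdns(dn):
        # Assumption: the whole RDN ("CN=value") is counted, not only the value.
        if len(rdn) > AD_RDN_MAX:
            problems.append(f"RDN '{rdn[:20]}...' is {len(rdn)} characters, limit {AD_RDN_MAX}")
    return problems


def check_ad_identity(identity, multi_domain):
    """Apply the 64-character limit to the part of the identity that counts."""
    # Multiple domains: user_id@domain_suffix, only user_id is counted.
    # Email or other format: the suffix counts toward the limit.
    counted = identity.rsplit("@", 1)[0] if multi_domain and "@" in identity else identity
    if len(counted) > AD_IDENTITY_MAX:
        return [f"counted part is {len(counted)} characters, limit {AD_IDENTITY_MAX}"]
    return []


if __name__ == "__main__":
    # Constructed sample values, not taken from any real registry.
    user = "a" * 60 + "@example.com"
    print(check_ad_identity(user, multi_domain=True))   # suffix not counted
    print(check_ad_identity(user, multi_domain=False))  # suffix counted
    print(check_ad_dn("CN=" + "x" * 70 + ",OU=Users,DC=example,DC=com"))
```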