Maximum lengths for names by user registry
The maximum lengths of various names associated with ISAM vary depending on the user registry in the environment. Table 1 shows the maximum lengths allowed for each user registry supported by ISAM. Maintaining these maximum lengths ensures compatibility.
| Name | IBM Security Directory Server | IBM z/OS Security Server | Novell eDirectory Server | Sun Java™ System Directory Server | Microsoft Active Directory Server | Active Directory Lightweight Directory Service (ADLDS) | Optimal length |
|---|---|---|---|---|---|---|---|
| First name (LDAP CN) | 256 | 256 | 64 | 256 | 64 | 64 | 64 |
| Middle name | 128 | 128 | 128 | 128 | 64 | 64 | 64 |
| Last name (surname) | 128 | 128 | 128 | 128 | 64 | 64 | 64 |
| Registry UID (LDAP DN) | 1024 | 1024 | 1024 | 1024 | 2048 | 1024 | 255 |
| Security Verify Access user identity | 256 | 256 | 256 | 256 | 64 | 64 | 64 |
| User password | unlimited | unlimited | unlimited | unlimited | 256 | 128 | 256 |
| User description | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| Group name | 256 | 256 | 256 | 256 | 64 | 64 | 64 |
| Group description | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| Single sign-on resource name | 240 | 240 | 240 | 240 | 60 | 240 | 60 |
| Single sign-on resource description | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| Single sign-on user ID | 240 | 240 | 240 | 240 | 60 | 240 | 60 |
| Single sign-on password | unlimited | unlimited | unlimited | unlimited | 256 | unlimited | 256 |
| Single sign-on group name | 240 | 240 | 240 | 240 | 60 | 240 | 60 |
| Single sign-on group description | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| Action name | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Action description, action type | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |
| Object name, object description | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |
| Object space name, object space description | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |
| ACL name, ACL descriptions | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |
| POP name, POP description | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |
Although the maximum length of an Active Directory distinguished name (registry UID) is 2048, the maximum length of each relative distinguished name (RDN) is 64.
If we configure IBM Security Verify Access to use multiple Active Directory domains, the maximum length of the user identity and group name does not include the domain suffix. When we use multiple domains, the format of a user identity is user_id@domain_suffix. The maximum length of 64 applies only to the user_id portion. If we use an email address or other alternative format for the ISAM user identity in Active Directory, the maximum name length remains the same, but includes the suffix.
Although the lengths of some names can be unlimited, excessive lengths can result in policy that is difficult to manage and might result in poor system performance. Choose maximum values that are logical for the environment.
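The Active Directory rules above (DN limit of 2048 with a 64 limit on each RDN, and the user_id@domain_suffix rule) can be checked before provisioning. The following is an added example, not IBM code; the function names, the `suffix_counts` flag and the sample values are assumptions made for illustration.

```python
# Added example: pre-provisioning length checks for Microsoft Active Directory.
# Limits come from the table and notes on this page. Assumptions: lengths are
# counted in characters, and an RDN is measured as the full "attribute=value"
# component (the stricter reading of the page).
AD_DN_MAX = 2048       # Registry UID (LDAP DN)
AD_RDN_MAX = 64        # each relative distinguished name
AD_IDENTITY_MAX = 64   # user identity and group name


def split_rdns(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        escaped = (ch == "\\") and not escaped
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def check_ad_dn(dn):
    """Return a list of length violations for an Active Directory DN."""
    problems = []
    if len(dn) > AD_DN_MAX:
        problems.append(f"DN is {len(dn)} characters (limit {AD_DN_MAX})")
    for rdn in split_rdns(dn):
        if len(rdn) > AD_RDN_MAX:
            problems.append(f"RDN {rdn[:16]}... is {len(rdn)} characters (limit {AD_RDN_MAX})")
    return problems


def check_ad_identity(identity, suffix_counts):
    """suffix_counts=False: user_id@domain_suffix, only user_id is measured.
    suffix_counts=True: email or other alternative format, whole string is measured."""
    measured = identity if suffix_counts else identity.rsplit("@", 1)[0]
    if len(measured) > AD_IDENTITY_MAX:
        return [f"identity measures {len(measured)} characters (limit {AD_IDENTITY_MAX})"]
    return []


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    print(check_ad_dn("CN=" + "a" * 70 + ",OU=Staff,DC=example,DC=com"))
    print(check_ad_identity("u" * 60 + "@corp.example.com", suffix_counts=True))
```

The same 60-character user_id passes when the suffix is excluded and fails when the identity is treated as an email-style name.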