Brian Roode
Network and Support Programming
Background
UCInetIDs are name-based authentication identifiers assigned to UCI affiliates. UCInetIDs are currently limited to eight characters. Now that we are providing identity and access management to a wider range of UCI affiliates (e.g. applicants, UCI graduates, and third-party designates) for a longer period of time, providing a meaningful name-based UCInetID is becoming increasingly difficult.
The UCInetID constructed from a new affiliate's first initial followed by their last name (or the first 7 characters of their last name if it is longer than 7 characters) may already be taken.
Our current UCInetID assignment algorithm appends a number to the UCInetID in this case. For example, if there is currently an affiliate named John Smith who has been assigned the UCInetID jsmith, the assignment algorithm will append a number to the UCInetID such that it becomes, for example, jsmith1, unless that UCInetID has also been taken. The number is incremented until an available UCInetID can be generated. Note: if adding the number to the ID causes the ID to be greater than eight characters, the trailing end of the affiliate's last name is truncated, which produces a UCInetID such as jsmit245, which is less than desirable.
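The assignment rule described above, written out as an added Python example (not the production UCInetID code). It assumes names are lowercased and reduced to letters and that the counter starts at 1; the function names and the sample set of taken IDs are constructed for illustration.

```python
import re


def base_id(first: str, last: str, max_len: int = 8) -> str:
    """First initial followed by the last name, cut to fit max_len."""
    first = re.sub(r"[^a-z]", "", first.lower())  # assumption: letters only
    last = re.sub(r"[^a-z]", "", last.lower())
    if not first or not last:
        raise ValueError("first and last name must contain letters")
    return first[0] + last[: max_len - 1]


def assign_id(first: str, last: str, taken: set, max_len: int = 8) -> str:
    """Return the first free ID, appending 1, 2, 3, ... on collision.

    When base + number would exceed max_len, the trailing end of the
    last name is dropped so that the number still fits.
    """
    base = base_id(first, last, max_len)
    if base not in taken:
        return base
    n = 1
    while True:
        suffix = str(n)
        if len(suffix) >= max_len:
            raise RuntimeError("ID space exhausted for " + base)
        candidate = base[: max_len - len(suffix)] + suffix
        if candidate not in taken:
            return candidate
        n += 1


# Constructed sample: jsmith, jsmith1..jsmith99 and jsmit100..jsmit244
# have already been issued.
SAMPLE_TAKEN = (
    {"jsmith"}
    | {"jsmith%d" % n for n in range(1, 100)}
    | {"jsmit%d" % n for n in range(100, 245)}
)

if __name__ == "__main__":
    print(assign_id("John", "Smith", {"jsmith"}))               # jsmith1
    print(assign_id("John", "Smith", SAMPLE_TAKEN))             # jsmit245
    print(assign_id("John", "Smith", SAMPLE_TAKEN, max_len=64)) # jsmith100
```

With the eight-character limit, the numbered IDs of every "J. Smith" and every "J. Smit" draw from the same pool once the counter reaches three digits; raising max_len keeps the full last name in the identifier.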
We realize that there are systems that have 8-character limitations including POSIX-compliant operating systems. POSIX limits the maximum login ID length to eight bytes (plus a NULL termination character).
Goals
The primary goal of this project is to increase the length of UCInetIDs beyond the current eight-character limit. Our hope is to be able to increase the length to 64 characters, which is the maximum length an RFC-822 compliant e-mail address can be. However, due to limitations in deployed software on campus, we may need to lower the maximum length.
Issues to Resolve
- Many systems do not (yet) support longer IDs. Eight characters is the most commonly supported User Name length.
- Longer length UCInetIDs may cause confusion with My.Name e-mail forwarding aliases. For example, UCInetID robertsmith might easily be confused with the My.Name alias of RobertSmith. Even if both identifiers belong to the same person, it's not obvious which to use in a particular application or situation.
- It's not always clear whether to use a person's My.Name alias or their UCInetID to identify them to software, for example, when authorizing a third party for access to a particular system or service.
User name lengths at other UC campuses
- UCOP limits user names to a maximum of eight characters.
- UCSC limits user names to a maximum of eight characters.
- UCSF currently supports a maximum of eight characters, but is considering moving to a max of 50 characters.
- UCSB currently supports up to 64 characters.
- UCLA currently supports 6-16 character user names.
Timeline
| When | Status | Project area description |
|---|---|---|
| TBD | Pending | Determine the impact of increasing UCInetID length on campus applications. (See table below) |
| TBD | Pending | Begin issuing longer UCInetIDs to new UCI affiliates. |
Long UserName Compatibility Information
| System | Number of Users | Supports Longer UserNames? | Compatibility Date | UserName Max | Cost To Increase ID Length | Description of (in)compatibility |
|---|---|---|---|---|---|---|
| AdCom IBM Mainframe (Mobius, FS, PAL) | 2,950 | No | none | 8 | | While the IBM Mainframe has been slated for decommissioning, this date is 2-5 years away (2010-2013). |
| AdCom Sybase RDBMS | 505 | Yes | n/a | 30 | | Administrative Computing uses the Sybase user-authentication feature in some of their applications. |
| AdCom RSA Secure ID | 75 | Yes | n/a | 48 | | RSA SecureID is used by AdCom Services, ... |
| Solaris 7 through 9 | (132 users AdCom) | No | ... | ? | | The login (login) and role (role) fields accept a string of no more than eight bytes consisting of characters from the set of alphabetic characters, numeric characters, period (.), underscore (_), and hyphen (-). The first character should be alphabetic and the field should contain at least one lower case alphabetic character. A warning message is displayed if these restrictions are not met. |
| MIT Kerberos 5 | 137,720 | Yes | n/a | 1024 | | ... |
| UCI WebAuth | 137,720 | Yes | n/a | 64 | | ... |
| Windows 98 | unknown | No | n/a | 20 | | ... |
| Windows 2000, XP, Vista | unknown | Yes | n/a | 256 | | ... |
| HP-UX 11i on | unknown | Yes | September, 2005 | 255 | | The current limit on username / groupname has been enhanced from 8 to 255 bytes. By default HP-UX still has 8 as the limit for usernames / groupnames. With an enabler (lugadmin -e) this limit can be enhanced to 255. Long username / groupname once enabled cannot be disabled in the future. A disable option is not provided due to the impracticality of automatically finding all instances of stable storage that may contain names in excess of the default limits. |
| EEE | 26,000 | No | | 8 | | UCInetID is currently a key value in their database tables. Their plan is to move to CampusID for the IdM key value in the future. |
| AdCom Notes | | | | | | At the programming level, potentially *ALL* employees and students are affected because the data columns are fixed at 8-character length at this point. PAL and PPS are using "UCINetID@uci.edu" to send emails and they are restricted to use 8-character UCINetIDs. A lot of mainframe programs will need to be modified to accommodate UCINetID expansion both locally at UCI and remotely at UCOP. It will take a long time, if possible at all, to modify our programs for the UCINetID expansion. |