Overview [1] [2] [3]#
A Best Practices Gathered from years of experience and other knowledgeable sources. There are of course, exceptions.However, anyone who has followed these "Principles" (I doubt) has ever regretted it.
- Unique Identifiers SHOULD be unique.
- Unique Identifiers SHOULD be a Lifetime identifier.
- Unique Identifiers SHOULD be issued from a central authority.
- Unique Identifiers SHOULD stored in all relevant systems/data bases.
- Unique Identifiers SHOULD never be re-issued.
- Unique Identifiers SHOULD be assigned to all entities.
In addition to the above, I would strongly recommend that the Unique Identifier be used for the naming attribute. If the Unique Identifier persists for the lifetime of the Entity, then there are the following advantages:
- No rename of entries should be encountered.
- Auditing trails are easier to follow.
In tree of any size, looking for jdoe0001 or jdoe0002 will be done by performing a search.
Things to Think About#
- Security
- User Experience
- Administration
- Auditing
Avoid Use of Personal data or Private data in Unique Identifiers#
The use of any Personal data in Unique Identifiers SHOULD be avoided. The United States Privacy Act of 1974, the Family Educational Rights and Privacy Act (FERPA) and many State statutes regulate the collection, use, and dissemination of Privacy data information.The Best Practice is suggested that an arbitrary Unique Identifier SHOULD be created for each Entity (or LDAP Entry) and this identifier should provide anonymity for the entity.
Best Practices For LDAP Naming Attributes#
Some ideas on Best Practices For LDAP Naming AttributesAmbiguous Naming Resolution Algorithm#
Ambiguous Naming Resolution Algorithm may make it easier to locate the proper identity.Unique Value Finder#
We wrote a tool to generate Unique Identifiers.Used for Login#
If the Unique Identifier must be used for Authentication (ie UserId) the length and complexity becomes important.Most Users will have trouble remembering UserIds longer than 8 characters. Of course after a few hundred uses up to 10 characters is usually not an issue for this Human Limitation
Using UUIDs for UserId generally will not work due to the complexity.
Some Examples#
B003281 was an Unique Identifier that was implemented in a large Organizational EntityIt just so happen this particular Organizational Entity merged with another Organizational Entity which all their Unique Identifiers started with an "A". So from the Unique Identifiers perspective there were not collisions.
B003281 can handle 999,999 entities and it would be relatively easy to move to A000001 and get another 999,999 entities
If you allow any to be alpha-numeric, then we have 36 possible values for each character which is (26+10)^6 = 2,176,782,336
if we use up to
| Characters | Example | Math | Number of |
|---|---|---|---|
| 6 | B003281 | (26+10)^6 | 2,176,782,336 |
| 8 | B00003281 | (26+10)^8 | 2,821,109,907,456 |
More Information#
There might be more information for this subject on one of the following:- Ambiguous Naming Resolution Algorithm
- B003281
- Best Practices For LDAP Naming Attributes
- Best Practices for LDAP Security
- I-number
- LDAP
- People And Things Every IDM Person Should Know
- Unique Value Finder
- Which Jane Doe
- [#1] - Identifiers Best Practices
- based on information obtained 2013-04-27
- [#2] - Findley's "LDAP Best Practices" paper, section 3.5 - based on information obtained 2013-04-27
- [#3] - Why Your Organization Needs an Enterprise-Wide Account Username Convention - based on information obtained 2017-10-04