Magic numbers in UCS & UCS@school


When planning a project, it is good to know restrictions due to fixed values. Here is a list of the known numerical restrictions.



  • 1 Primary DC per Domain: Of course there is only one Primary Directory Node possible, who has exclusive write access to LDAP. (Reference)
  • 8 hours for the login: SSO Logins are valid for a working day. (Reference)
  • 8 hours for the login: Kerberos Ticket are valid for a working day. (Reference)
  • 13 characters for Windows computer names: This is a limitation of Microsoft Windows. (Reference)
  • 20 univentionFreeAttributes: You can easily extend LDAP with extra values without adding an own Schema. (Reference)
  • 3600 seconds default token validity for umc/self-service/passwordreset/token_validity_period (hint: other limits exist at umc/self-service/passwordreset/limit/*


  • Host names of school servers must not have more than 12 characters or there will be problems with Windows clients. (Reference)
  • User names must not exceed 20 characters or there will be problems with Windows clients. For the exam mode this is further reduced by 5 characters for the exam- user name prefix. So we end up with a maximum user name length of 15 characters. (Reference)


  • id-broker-plugin has a max username length for kelvin API of 50 characters


If you’re not sure whether the recommendations will fit into your scenario, please ask your Professional Services contact person, or create a new topic referencing this article.