Known limitations

A relationship expression that matches a lot of related objects might cause a very large LDAP filter to be generated.

In some instances the generated filter might be larger than the maximum length allowed by the directory server.

Be sure to create filters that are specific enough to return the entity that you intend to target.

For example, for the following relationship filter:

(${account.eraccountstatus}=0)

This filter performs an account search .

(eraccountstatus=0)

From this search result, internally a new filter is generated based on the account owner attribute. The internally generated filter will be in the following format:

(|(erglobalid=5423170071729299999)(erglobalid=2448879856996666666)(erglobalid=3606444774688888888).....)

where the erglobalid values are taken from the matching account owners. An LDAP search with this filter is then executed.

If approximately more than 128 different account owners are found, then the internally generated filter exceeds the 4K LDAP filter size. This filter size is the limit set by IBM® Security Directory Server 6.4 and the expression will not work.