The registry name portion of the filter

Define the registry name portion of the distributed identity filter using the REGISTRY operand. You can specify the registry name in either of the following ways.

As a single asterisk (X'5C') to indicate that any registry name matches this portion of the filter.
Specify the asterisk when the user is defined with the same name on multiple registries and you want to map all of those identities to the same RACF® user ID.

When you want to map any user identity on any registry, see Adding a default RACMAP filter.
As the name of a registry, such as an LDAP registry.
For users of WebSphere® Application Server applications, the registry name must match the value returned by the WSCredential interface method called getRealmName().

When the user's distributed identity is based on an LDAP registry, specify the registry name as the URL of the LDAP server where the user is defined. The URL is defined with a listen option in the ds.conf configuration file of the LDAP server, or overridden using the -l command-line parameter when the LDAP server is started.

For information about LDAP URLs, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.

Examples of registry names:

REGISTRY(NAME('ldaps://us.richradioham.com'))
REGISTRY(NAME('ldap://12.34.56.78:389'))
REGISTRY(NAME('Registry01')) 
REGISTRY(NAME('*'))

For complete syntax details about defining the REGISTRY value using the RACMAP command, see z/OS Security Server RACF Command Language Reference.

The registry name value is stored in the IDIDMAP profile as UTF-8 data. For information about the encoded UTF-8 data in IDIDMAP profiles, see Restrictions for UTF-8 data values.

For details about how RACF matches the distributed user's registry and user name with your specified filter values, see How RACF matches filter values.