#2767 Apache errors out if ticket contains a large MS-PAC
Closed: Fixed None Opened 11 years ago by simo.

When we enable AD trusts we can start releasing tickets with MS-PAC authorization data attached. An MS-PAC can be quite large depending on how many groups the user is a member of.

This data is transmitted in headers to Apache during Negotiate auth, and httpd has quite a low limit on the size of a header.
The allowed size is defined by LimitRequestFieldSize, and the default is usually around 4k.

This is not enough for the largest PACs; we should support up to 64KiB PACs for now. Also, headers are base64 encoded.

I experimentally verified that for a PAC that is slightly smaller than 64KiB we need between 80000 and 90000 bytes allowed, so to be safe we should probably set LimitRequestFieldSize 100000 in /etc/httpd/conf.d/ipa.conf.
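The sizing argument above, worked through as an added example (not code from the ticket or from FreeIPA): the base64 expansion of a 64KiB PAC plus the "Authorization: Negotiate " prefix is computed and compared against the LimitRequestFieldSize found in an httpd config snippet. The header prefix, the 8190 default (httpd's documented default), the config snippets and the optional token_overhead figure are assumptions made here.

```python
import math
import re

# Assumed values, not taken from the ticket or FreeIPA code.
HEADER_PREFIX = "Authorization: Negotiate "   # prefix the browser puts before the SPNEGO token
HTTPD_DEFAULT_LIMIT = 8190                     # httpd's documented default for LimitRequestFieldSize


def base64_len(raw_len: int) -> int:
    """Length of the padded base64 encoding of raw_len bytes (4 chars per 3 bytes)."""
    return 4 * math.ceil(raw_len / 3)


def negotiate_header_len(pac_len: int, token_overhead: int = 0) -> int:
    """Size of the Authorization header line for a ticket carrying a PAC of pac_len bytes.

    token_overhead is an assumed allowance for the rest of the SPNEGO/AP-REQ wrapping
    (ticket, authenticator, ASN.1 framing); the real figure depends on the realm and
    encryption type, so 0 gives the PAC-only lower bound.
    """
    return len(HEADER_PREFIX) + base64_len(pac_len + token_overhead)


def parse_limit(conf_text: str) -> int:
    """Effective LimitRequestFieldSize from an httpd config snippet (last directive wins)."""
    limit = HTTPD_DEFAULT_LIMIT
    for line in conf_text.splitlines():
        m = re.match(r"\s*LimitRequestFieldSize\s+(\d+)", line)
        if m:
            limit = int(m.group(1))
    return limit


def limit_sufficient(conf_text: str, pac_len: int, token_overhead: int = 0) -> bool:
    """True if the configured limit can hold the header for a PAC of pac_len bytes."""
    return parse_limit(conf_text) >= negotiate_header_len(pac_len, token_overhead)


if __name__ == "__main__":
    # Constructed config snippets: stock httpd (no directive) and the value proposed in the ticket.
    stock_conf = "# no LimitRequestFieldSize set\n"
    ipa_conf = "LimitRequestFieldSize 100000\n"
    pac = 64 * 1024
    print("header bytes for a 64KiB PAC:", negotiate_header_len(pac))   # 87409
    print("stock httpd ok:", limit_sufficient(stock_conf, pac))          # False
    print("ipa.conf ok:", limit_sufficient(ipa_conf, pac))               # True
```

With no wrapping overhead the 64KiB PAC alone already needs a header of 87409 bytes, which lands inside the 80000 to 90000 range measured in the ticket and well above the stock default.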


Hard to test this without a large PAC, but one can do the reverse and set the value very small and see if it fails. And make sure all unit tests are passing with it set so huge.

Rename "trusts" component to "Trusts" to achieve correct sorting.

Metadata Update from @simo:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0 Beta 1

7 years ago

