*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.164.2.2 2009/06/25 11:30:12 mha Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.164.2.3 2009/10/14 07:27:44 heikki Exp $
*
*-------------------------------------------------------------------------
*/
static int CheckLDAPAuth(Port *port);
#endif
+/*
+ * Maximum size of GSS and SSPI authentication tokens.
+ *
+ * Kerberos tickets are usually quite small, but the TGTs issued by Windows
+ * domain controllers include an authorization field known as the Privilege
+ * Attribute Certificate (PAC), which contains the user's Windows permissions
+ * (group memberships etc.). The PAC is copied into all tickets obtained on
+ * the basis of this TGT (even those issued by Unix realms which the Windows
+ * realm trusts), and can be several kB in size. The maximum token size
+ * accepted by Windows systems is determined by the MaxAuthToken Windows
+ * registry setting. Microsoft recommends that it is not set higher than
+ * 65535 bytes, so that seems like a reasonable limit for us as well.
+ */
+#define MAX_AUTH_TOKEN_LENGTH 65535
#ifdef KRB5
/*----------------------------------------------------------------
/* Get the actual GSS token */
initStringInfo(&buf);
- if (pq_getmessage(&buf, 2000))
+ if (pq_getmessage(&buf, MAX_AUTH_TOKEN_LENGTH))
{
/* EOF - pq_getmessage already logged error */
pfree(buf.data);
/* Get the actual SSPI token */
initStringInfo(&buf);
- if (pq_getmessage(&buf, 2000))
+ if (pq_getmessage(&buf, MAX_AUTH_TOKEN_LENGTH))
{
/* EOF - pq_getmessage already logged error */
pfree(buf.data);
projects / postgresql / commitdiff