Subject: | Policy extensions in 1.11 break iprop dump compatibility |
Ticket 7223 (commit 5829ca2b348974e52a67b553afc7f7491007c33a) extends
password policy objects to include allowed_keysalts and some other
fields we might use in the future. It adds a new r1_11_version dump
version, but simply edits the ipropx_version structure to use the new
policy functions.
As a result, with an updated slave and a new master, ipropx full
dumps fail, because the master generates dump files using the 1.8
policy format and the slave tries to interpret them using the 1.11
format. Compatibility in the other direction (new master, old slave)
is probably also broken; although the pre-1.11 process_r1_8_policy()
function claims to ignore additional values on the line, it does not
appear to do so.
By contrast, when the policy structure was extended in 1.8, a second
version of the iprop dump format was added, so no iprop compatibility
issue was created. The method by which this was done is a little
confusing (the new format has the tag "ipropx" with a sub-version,
when it seems that simply adding an "iprop2" tag would be just as
good).
Here is a report of the issue:
http://mailman.mit.edu/pipermail/kerberos/2015-June/020869.html
password policy objects to include allowed_keysalts and some other
fields we might use in the future. It adds a new r1_11_version dump
version, but simply edits the ipropx_version structure to use the new
policy functions.
As a result, with an updated slave and a new master, ipropx full
dumps fail, because the master generates dump files using the 1.8
policy format and the slave tries to interpret them using the 1.11
format. Compatibility in the other direction (new master, old slave)
is probably also broken; although the pre-1.11 process_r1_8_policy()
function claims to ignore additional values on the line, it does not
appear to do so.
By contrast, when the policy structure was extended in 1.8, a second
version of the iprop dump format was added, so no iprop compatibility
issue was created. The method by which this was done is a little
confusing (the new format has the tag "ipropx" with a sub-version,
when it seems that simply adding an "iprop2" tag would be just as
good).
Here is a report of the issue:
http://mailman.mit.edu/pipermail/kerberos/2015-June/020869.html