On Mon, 19 Dec 2011, Craig T wrote:

> Thanks for that, I will try it again tomorrow.
> Just curious, but I'm getting the impression that when we do finally 
> go live with IPA v2.x. It will take some monitoring to ensure that 
> clients are always compatible?
> I imagine that when Fedora 18 comes out, my "now" current IPA Server 
> my have issues with that ipa-client? Are Redhat planning to make 
> this backward and forward compatible? I only ask because at this 
> stage we don't have a SOE for our LAN.
The change between 2.1.3 and 2.1.4 is a pro-active fix of potential 
cross-site request forgery tracked with CVE-2011-3636. Unfortunately, 
it required change of the communication protocol details which made 
old clients incompatible. You may read more details in Simo's mail on 
December 6th, sent to freeipa-devel@ and freeipa-users@: 

We have released updates to F15, F16, F17 (as 2.1.4), and various 
versions of RHEL5/RHEL6 (as a patch on top of 2.1.3), but on Fedora 16 
side critpath was blocked due to some issues with glibc packages which 
created a delay in package flows for more than two weeks.

There are no protocol changes planned for IPAv2 anymore. In the scope 
of IPAv3 there will be command set extensions but we are doing our 
best to maintain backward compatibility for older clients so that they 
would be able to use the functionality they are aware of against newer 
servers, after CSRF fix.

I hope that our effort preventing possible remote attacks on 
core piece of enterprise infrastructure will be helpful when you'll go 
live with your installation.
/ Alexander Bokovoy

Freeipa-users mailing list

Reply via email to