On Чцв, 02 ліп 2026, Adam Williamson wrote:
On Wed, 2026-07-01 at 06:13 -0400, Neal Gompa wrote:
I mean, this one is mostly the fault of FreeIPA. It isn't designed for
community projects, and shoehorning it into Fedora has resulted in
this flaw. It won't be fixed because no corporate customer of IdM
needs it, since the model works for business deployments.
It isn't going to get fixed because IdM doesn't consider Fedora an
important customer/stakeholder/etc for feature development.
I don't think this is accurate at all. AFAIK FreeIPA has all the 2FA
support we could ever use - it supports far more sophisticated setups
than we've ever even tried. Alexander gives talks about this stuff
constantly. AFAIK the issues are rather with Ipsilon being ancient and
unmaintained, and integration into trickier workflows like fedpkg
(since most 2FA things tend to assume you're in a web browser), none of
which FreeIPA can do anything about.
I have been working on solving those problems as well. It is a bit
frustrating to see no reaction from Fedora Infrastructure folks, though.
For Ipsilon migration we were originally thinking about moving to
Keycloak but that doesn't solve a problem as Keycloak would need to gain
knowledge about IPA-specific features too. We have done some work on
that (ipa-tuura project) and even merged most of what we have in
Keycloak 26, but it still lacks few critical bits. And we don't have it
packaged in Fedora or cannot ship in RHEL directly.
Then for IPA to IPA trust we need an integrated OAuth2 endpoint in
IPA. This was my focus for past several months and now we have Ahdapa,
https://ahdapa.dev/, which provides all required integration and can be
used by Fedora Infrastructure too. I showed it to nirik at the Flock
this year.
So things are coming but your are right that most of the parts are
outside of FreeIPA.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://forge.fedoraproject.org/infra/tickets/issues/new