On Чцв, 02 ліп 2026, Neal Gompa wrote:
On Thu, Jul 2, 2026 at 3:56 AM Alexander Bokovoy <[email protected]> wrote:

On Чцв, 02 ліп 2026, Adam Williamson wrote:
>On Wed, 2026-07-01 at 06:13 -0400, Neal Gompa wrote:
>> I mean, this one is mostly the fault of FreeIPA. It isn't designed for
>> community projects, and shoehorning it into Fedora has resulted in
>> this flaw. It won't be fixed because no corporate customer of IdM
>> needs it, since the model works for business deployments.
>>
>> It isn't going to get fixed because IdM doesn't consider Fedora an
>> important customer/stakeholder/etc for feature development.
>
>I don't think this is accurate at all. AFAIK FreeIPA has all the 2FA
>support we could ever use - it supports far more sophisticated setups
>than we've ever even tried. Alexander gives talks about this stuff
>constantly. AFAIK the issues are rather with Ipsilon being ancient and
>unmaintained, and integration into trickier workflows like fedpkg
>(since most 2FA things tend to assume you're in a web browser), none of
>which FreeIPA can do anything about.

I have been working on solving those problems as well. It is a bit
frustrating to see no reaction from Fedora Infrastructure folks, though.

For Ipsilon migration we were originally thinking about moving to
Keycloak but that doesn't solve a problem as Keycloak would need to gain
knowledge about IPA-specific features too. We have done some work on
that (ipa-tuura project) and even merged most of what we have in
Keycloak 26, but it still lacks few critical bits. And we don't have it
packaged in Fedora or cannot ship in RHEL directly.

Then for IPA to IPA trust we need an integrated OAuth2 endpoint in
IPA. This was my focus for past several months and now we have Ahdapa,
https://ahdapa.dev/, which provides all required integration and can be
used by Fedora Infrastructure too. I showed it to nirik at the Flock
this year.

So things are coming but your are right that most of the parts are
outside of FreeIPA.


Ipsilon has nothing to do with MFA reset codes, but it looks like
Ahdapa is supposed to replace what Noggin does too? The website
indicates it gives the ability for users to edit IPA properties like
noggin does.

Does this mean that we're getting another frontend change?

No. Ahdapa is a general purpose OAuth2 IdP, not specific to Fedora use
case. It can have UI parts enabled/disabled. Noggin, for example,
doesn't utilize Ipsilon for login purposes, the rest of Fedora
infrastructure does.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to