security

System Accounts

Manage system accounts used by IPA services for internal operations. System accounts provide credentials for IPA service components and should not be used for regular user authentication. Features include system account creation, password management, and service-specific account configuration for maintaining secure internal service authentication.

8 commands
security

System accounts designed to allow applications to query LDAP database. Unlike IPA users, system accounts have no POSIX properties and cannot be resolved as ‘users’ in a POSIX environment.

System accounts are stored in cn=sysaccounts,cn=etc LDAP subtree. Some of system accounts are special to IPA’s own operations and cannot be removed.

EXAMPLES

Add a new system account, set random password:

ipa sysaccount-add my-app --random

Allow the system account to change user passwords without triggering a reset:

ipa sysaccount-mod my-app --privileged=True

The system account still needs to be permitted to modify user passwords through a role that includes a corresponding permission (‘System: Change User password’), through the privilege system:

ipa privilege-add 'my-app password change privilege'
ipa privilege-add-permission 'my-app password change privilege'                       --permission 'System: Change User password'
ipa role-add 'my-app role'
ipa role-add-privilege 'my-app role'                            --privilege 'my-app password change privilege'
ipa role-add-member 'my-app role' --sysaccounts my-app

Delete a system account:

.. code-block:: console

ipa sysaccount-del my-app

Find all system accounts:

.. code-block:: console

ipa sysaccount-find

Disable the system account:

.. code-block:: console

ipa sysaccount-disable my-app

Re-enable the system account:

.. code-block:: console

ipa sysaccount-enable my-app

Allow the system account to change user passwords without a reset:

.. code-block:: console

ipa sysaccount-policy my-app --privileged=true

Overview

System accounts provide service-to-service authentication for applications that need to query or modify the IPA LDAP directory without using human user credentials. Unlike regular IPA users, system accounts have no POSIX attributes (uidNumber, gidNumber, homeDirectory), cannot log into systems interactively, and are designed exclusively for programmatic LDAP access by applications and services.

System accounts are stored in the cn=sysaccounts,cn=etc LDAP subtree, separate from regular user accounts. This isolation ensures system accounts don’t interfere with user authentication systems and prevents them from being resolved by POSIX user lookups (getent passwd, NSS). System accounts only function within the LDAP directory context.

Use Cases for System Accounts

Application LDAP queries: Web applications, monitoring tools, or custom scripts that need read-only access to IPA directory data without using privileged admin credentials.

Automated password management: HR integration systems or password synchronization tools that need to update user passwords without triggering password reset flags or requiring interactive authentication.

Service account management: Middleware or provisioning systems that create, modify, or disable user accounts based on external data sources (HR databases, identity systems).

LDAP-based authentication backends: Applications using LDAP bind authentication (e.g., web portals, VPNs) that need a service account to search the directory for users before performing bind operations.

System Accounts vs Service Principals

System accounts: LDAP directory credentials for applications querying/modifying directory data. Authenticate via LDAP bind with password.

Service principals: Kerberos credentials for services (HTTP, LDAP, DNS) running on hosts. Authenticate via Kerberos keytabs.

Use system accounts when applications need LDAP directory access. Use service principals when services need Kerberos authentication for network protocols.

Privileged vs Non-Privileged Accounts

Non-privileged system accounts (default): Can query directory with granted permissions but cannot change user passwords without triggering password reset flags. When non-privileged accounts set passwords, users must change them on next login.

Privileged system accounts (--privileged=True): Can set user passwords without triggering resets, enabling password synchronization scenarios where external systems set passwords that users should use directly without forced changes.

Privileged status requires additional RBAC permissions to actually modify passwords—the privileged flag only controls whether password changes trigger reset flags.

Important: The privileged configuration is local to each IPA server and is not replicated. The configuration is stored in cn=ipa_pwd_extop,cn=plugins,cn=config which is server-specific. If your environment has multiple IPA servers, you must run ipa sysaccount-policy <account> --privileged=True on each server where you want the privileged behavior to apply. After enabling privileged mode on a server, you must restart the Directory Server service (systemctl restart dirsrv@REALM-NAME) for the change to take effect. Use ipa sysaccount-del on all servers before deleting a privileged system account to ensure proper cleanup.

Use Cases

Web Application Directory Integration

Web applications need read-only LDAP access to query user information for profiles, search features, or authentication without using admin credentials.

# Create system account for web application
ipa sysaccount-add webapp-ldap \
  --desc="Web application LDAP query account" \
  --random

# Save the random password shown in output
# Password: xK9mP2nQ7vR4wL8j

# Grant read-only access via RBAC
ipa privilege-add "Webapp Read Users" \
  --desc="Read-only user attribute access for webapp"
ipa privilege-add-permission "Webapp Read Users" \
  --permissions="System: Read User Standard Attributes"

ipa role-add "Webapp User Reader" \
  --desc="Web application user lookup role"
ipa role-add-privilege "Webapp User Reader" \
  --privileges="Webapp Read Users"
ipa role-add-member "Webapp User Reader" --sysaccounts=webapp-ldap

# Application can now query users via LDAP bind
# LDAP bind DN: uid=webapp-ldap,cn=sysaccounts,cn=etc,dc=example,dc=com
# Password: xK9mP2nQ7vR4wL8j

HR System Password Synchronization

HR system sets user passwords when creating accounts; users should use these passwords directly without forced password changes.

# Create privileged system account for HR integration
ipa sysaccount-add hr-integration \
  --desc="HR system for employee provisioning" \
  --privileged=True \
  --random

# Grant user management permissions
ipa privilege-add "HR User Management" \
  --desc="HR system user lifecycle management"
ipa privilege-add-permission "HR User Management" \
  --permissions="System: Add Users" \
  --permissions="System: Modify Users" \
  --permissions="System: Change User password"

ipa role-add "HR Provisioner" \
  --desc="HR integration provisioning role"
ipa role-add-privilege "HR Provisioner" --privileges="HR User Management"
ipa role-add-member "HR Provisioner" --sysaccounts=hr-integration

# HR system can set passwords without triggering reset flag
# Users can log in with HR-assigned passwords immediately

Monitoring System LDAP Health Checks

Monitoring tools need to query IPA LDAP to verify directory health without using admin accounts.

# Create monitoring system account
ipa sysaccount-add monitoring-ldap \
  --desc="Monitoring system LDAP health checks" \
  --random

# Grant minimal read access for health checks
ipa privilege-add "Monitoring Read Access" \
  --desc="Read-only access for monitoring"
ipa privilege-add-permission "Monitoring Read Access" \
  --permissions="System: Read User Standard Attributes" \
  --permissions="System: Read Groups"

ipa role-add "Monitoring Reader" --desc="Monitoring system read role"
ipa role-add-privilege "Monitoring Reader" \
  --privileges="Monitoring Read Access"
ipa role-add-member "Monitoring Reader" --sysaccounts=monitoring-ldap

Disabling Compromised System Account

When a system account’s credentials are exposed, immediately disable it to prevent unauthorized access.

# System account credentials leaked in logs
ipa sysaccount-show hr-integration
  System Account ID: hr-integration
  Account disabled: FALSE

# Immediately disable account
ipa sysaccount-disable hr-integration

# Verify disabled
ipa sysaccount-show hr-integration
  Account disabled: TRUE

# After rotating credentials, generate new password and re-enable
ipa sysaccount-mod hr-integration --random
ipa sysaccount-enable hr-integration

Password Reset Tool with Privileged Account

IT helpdesk uses password reset portal; system account must set passwords without forcing user password changes.

# Create privileged account for password reset portal
ipa sysaccount-add password-portal \
  --desc="Self-service password reset web portal" \
  --privileged=True \
  --random

# Grant password change permission
ipa privilege-add "Portal Password Reset" \
  --desc="Password reset portal privilege"
ipa privilege-add-permission "Portal Password Reset" \
  --permissions="System: Change User password"

ipa role-add "Password Reset Portal" \
  --desc="Password reset portal role"
ipa role-add-privilege "Password Reset Portal" \
  --privileges="Portal Password Reset"
ipa role-add-member "Password Reset Portal" --sysaccounts=password-portal

Auditing System Account Usage

Review all system accounts to verify they’re still needed and properly configured.

# List all system accounts
ipa sysaccount-find

# Review disabled accounts for deletion
ipa sysaccount-show old-app --all
ipa sysaccount-del old-app

# Check role memberships for active accounts
ipa sysaccount-show hr-integration --all | grep "Member of"

Rotating System Account Passwords

Periodically rotate system account passwords for security compliance.

# Rotate password for application system account
ipa sysaccount-mod webapp-ldap --random
  Random password: jF3kL9mN2vX7qT5w

# Document password rotation in description
ipa sysaccount-mod webapp-ldap \
  --desc="Web application LDAP query account - password rotated 2024-03-15"

# Update application configuration with new password

System Account for LDAP-Based VPN Authentication

VPN server needs to query LDAP for user authentication and group membership checks.

# Create system account for VPN server
ipa sysaccount-add vpn-server \
  --desc="VPN server LDAP authentication queries" \
  --random

# Grant user and group read access
ipa privilege-add "VPN User Lookup" \
  --desc="VPN server user and group lookup"
ipa privilege-add-permission "VPN User Lookup" \
  --permissions="System: Read User Standard Attributes" \
  --permissions="System: Read Groups"

ipa role-add "VPN Authentication" --desc="VPN server authentication role"
ipa role-add-privilege "VPN Authentication" --privileges="VPN User Lookup"
ipa role-add-member "VPN Authentication" --sysaccounts=vpn-server

Creating System Account with Specific Password

For integration with external systems that require pre-configured passwords.

# Create system account with specific password
ipa sysaccount-add legacy-app \
  --desc="Legacy application with fixed credentials" \
  --password

# Prompted to enter password twice
# Grant necessary permissions via RBAC
ipa role-add "Legacy App Access"
ipa role-add-member "Legacy App Access" --sysaccounts=legacy-app

Cleaning Up Deprecated System Accounts

Remove system accounts for decommissioned applications.

# Find all system accounts
ipa sysaccount-find --all

# Remove from roles first
ipa role-remove-member "CRM Reader" --sysaccounts=old-crm-app

# Delete system account
ipa sysaccount-del old-crm-app

Security Considerations

System account passwords are sensitive credentials: System account passwords grant programmatic access to IPA directory. If leaked in application logs, configuration files, or source code repositories, attackers can query or modify directory data. Treat system account credentials as secrets requiring encryption and access control.

Privileged accounts bypass password policy enforcement: Privileged system accounts (--privileged=True) can set user passwords without triggering password expiration or reset flags. Compromised privileged accounts enable attackers to set user passwords and gain access without users knowing their passwords were changed.

RBAC permissions required for actual access: Creating a system account only provides LDAP bind credentials—it grants no directory permissions. System accounts require role membership granting specific privileges/permissions. Verify role assignments match intended access level.

No audit trail for system account operations: LDAP operations by system accounts are logged, but distinguishing legitimate application operations from attacker activity is difficult if credentials are stolen. System account operations often lack contextual information about which human requested the change via the application.

System accounts lack multi-factor authentication: System accounts authenticate with password-only LDAP bind, no 2FA or certificate authentication. Stolen passwords enable full account access without additional authentication challenges.

Disabled accounts may remain in role memberships: Disabling a system account prevents LDAP authentication but doesn’t remove the account from role memberships. If re-enabled, all previous permissions are immediately restored. Review and remove role memberships when disabling accounts long-term.

Password rotation requires application updates: Unlike user passwords (changed by users), system account password rotation requires updating application configurations. Without automation, password rotation may be neglected, leaving old passwords in use for years.

No password expiration for system accounts: System account passwords don’t expire automatically like user passwords. Without manual rotation policies, system accounts may have the same password indefinitely, increasing exposure if credentials are compromised.

System accounts in source control: Application configuration files containing system account passwords are often committed to source control (Git, SVN), creating password exposure in repository history. Use secret management systems (Vault, HashiCorp Vault) instead of hardcoded passwords.

Broad RBAC grants enable lateral movement: If system accounts are granted overly broad privileges (e.g., full user administrator access), compromised accounts enable attackers to create backdoor accounts, elevate privileges, or exfiltrate sensitive directory data.

Non-privileged accounts can still set passwords: Non-privileged system accounts with password change permissions can set user passwords, but users must change them on next login. Attackers can still cause disruption by forcing password resets for all users.

Troubleshooting

Cannot Authenticate with System Account

Symptom: Application LDAP bind fails with system account credentials.

Diagnosis: Password incorrect, account disabled, or wrong bind DN.

Resolution: Verify credentials and account status:

# Check if account is disabled
ipa sysaccount-show webapp-ldap
  Account disabled: TRUE

# Enable account
ipa sysaccount-enable webapp-ldap

# Verify correct bind DN format
# Correct: uid=webapp-ldap,cn=sysaccounts,cn=etc,dc=example,dc=com
# Wrong: uid=webapp-ldap,cn=users,cn=accounts,dc=example,dc=com

# Test LDAP bind manually
ldapwhoami -D "uid=webapp-ldap,cn=sysaccounts,cn=etc,dc=example,dc=com" \
  -w password -H ldap://ipa.example.com

System Account Can Bind But Cannot Query Data

Symptom: LDAP bind succeeds but searches return “insufficient access” errors.

Diagnosis: System account lacks RBAC permissions to read requested data.

Resolution: Grant necessary permissions via roles:

# Check system account's role memberships
ipa sysaccount-show webapp-ldap --all | grep "Member of"

# Grant read access
ipa role-add "Webapp Reader"
ipa privilege-add "Webapp Read Privilege"
ipa privilege-add-permission "Webapp Read Privilege" \
  --permissions="System: Read User Standard Attributes"
ipa role-add-privilege "Webapp Reader" --privileges="Webapp Read Privilege"
ipa role-add-member "Webapp Reader" --sysaccounts=webapp-ldap

Cannot Change User Passwords with System Account

Symptom: System account can bind and query but password changes fail.

Diagnosis: Missing password change permissions in RBAC roles.

Resolution: Grant password change permission:

# Add password change permission
ipa privilege-add "Password Change Privilege"
ipa privilege-add-permission "Password Change Privilege" \
  --permissions="System: Change User password"
ipa role-add-privilege "Portal Role" \
  --privileges="Password Change Privilege"

Privileged Flag Not Preventing Password Resets

Symptom: System account is privileged but users still prompted for password change.

Diagnosis: Privileged flag not set correctly.

Resolution: Verify privileged status:

# Set privileged flag
ipa sysaccount-policy hr-integration --privileged=True

# Or use sysaccount-mod
ipa sysaccount-mod hr-integration --privileged=True

# Verify
ipa sysaccount-show hr-integration --all

Cannot Delete System Account

Symptom: ipa sysaccount-del fails with error about special accounts.

Diagnosis: Some system accounts are IPA-internal and protected.

Resolution: Verify account isn’t a protected system account:

# Protected accounts are IPA-internal (cannot delete)
# Custom accounts created with sysaccount-add can be deleted
ipa sysaccount-del my-custom-app

System Account Password Rotation Broke Application

Symptom: After password rotation, application cannot connect to LDAP.

Diagnosis: Application not updated with new password.

Resolution: Update application configuration:

# Generate new password
ipa sysaccount-mod webapp-ldap --random
  Random password: nX7kL2mP9vQ4wT6j

# Update application configuration file
# Restart application
systemctl restart webapp

System Account Shows in User Searches

Symptom: System accounts appear in user search results.

Diagnosis: Searching wrong LDAP subtree.

Resolution: Search only regular users:

# Correct: search only regular user accounts
ldapsearch -b "cn=users,cn=accounts,dc=example,dc=com" uid=*

# System accounts are in cn=sysaccounts,cn=etc
# Regular users are in cn=users,cn=accounts

Cannot Add System Account to Role

Symptom: ipa role-add-member fails when adding system account.

Diagnosis: Syntax error.

Resolution: Use correct syntax:

# Wrong: trying to add as user
ipa role-add-member "My Role" --users=webapp-ldap
  ipa: ERROR: user not found

# Correct: add as system account
ipa role-add-member "My Role" --sysaccounts=webapp-ldap

System Account Locks After Failed Attempts

Symptom: System account stops working after multiple failed authentication attempts.

Diagnosis: Failed authentication attempts may trigger account lockout.

Resolution: Fix application configuration with correct password:

# Fix root cause: wrong password in application
# Update application configuration

# Restart application
systemctl restart webapp

System Account Permissions Too Broad

Symptom: Security audit finds system account has excessive privileges.

Diagnosis: Role assignments grant more access than needed.

Resolution: Review and restrict role memberships:

# Remove excessive roles
ipa role-remove-member "User Administrator" --sysaccounts=webapp-ldap

# Add minimal role with only required permissions
ipa role-add "Webapp Minimal Read"
ipa privilege-add "Webapp Read Only"
ipa privilege-add-permission "Webapp Read Only" \
  --permissions="System: Read User Standard Attributes"
ipa role-add-privilege "Webapp Minimal Read" --privileges="Webapp Read Only"
ipa role-add-member "Webapp Minimal Read" --sysaccounts=webapp-ldap

Cannot Find System Account in sysaccount-find

Symptom: Created system account but sysaccount-find doesn’t show it.

Diagnosis: Account name search or disabled filter excluding it.

Resolution: Search by exact name or list all:

# Show specific account by exact name
ipa sysaccount-show my-app

# List all system accounts
ipa sysaccount-find --all

Commands

sysaccount-add

Usage: ipa [global-options] sysaccount-add LOGIN [options]

Add a new IPA system account.

Arguments

ArgumentRequiredDescription
LOGINyesSystem account ID

Options

OptionDescription
--desc DESCA description of system account
--password PASSWORDPrompt to set the user password
--randomGenerate a random user password
--disabled DISABLEDAccount disabled
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--privileged PRIVILEGEDAllow password updates without reset
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

sysaccount-del

Usage: ipa [global-options] sysaccount-del LOGIN [options]

Delete an IPA system account.

Arguments

ArgumentRequiredDescription
LOGINyesSystem account ID

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.

sysaccount-disable

Usage: ipa [global-options] sysaccount-disable LOGIN [options]

Disable a system account.

Arguments

ArgumentRequiredDescription
LOGINyesSystem account ID

sysaccount-enable

Usage: ipa [global-options] sysaccount-enable LOGIN [options]

Enable a system account.

Arguments

ArgumentRequiredDescription
LOGINyesSystem account ID

sysaccount-find

Usage: ipa [global-options] sysaccount-find [CRITERIA] [options]

Search for IPA system accounts.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--login LOGINSystem account ID
--desc DESCA description of system account
--disabled DISABLEDAccount disabled
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“login”)

sysaccount-mod

Usage: ipa [global-options] sysaccount-mod LOGIN [options]

Modify an existing IPA system account.

Arguments

ArgumentRequiredDescription
LOGINyesSystem account ID

Options

OptionDescription
--desc DESCA description of system account
--password PASSWORDPrompt to set the user password
--randomGenerate a random user password
--disabled DISABLEDAccount disabled
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--privileged PRIVILEGEDAllow password updates without reset
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

sysaccount-policy

Usage: ipa [global-options] sysaccount-policy LOGIN [options]

Manage the system account policy.

Important: Privileged configuration is not replicated between IPA servers. The configuration is stored in cn=ipa_pwd_extop,cn=plugins,cn=config which is local to each server. In multi-server environments, run this command on each IPA server where the system account needs privileged access. After making changes, restart the Directory Server: systemctl restart dirsrv@REALM-NAME.

Arguments

ArgumentRequiredDescription
LOGINyesSystem account ID

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--privileged PRIVILEGEDAllow password updates without reset
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

sysaccount-show

Usage: ipa [global-options] sysaccount-show LOGIN [options]

Display information about an IPA system account.

Arguments

ArgumentRequiredDescription
LOGINyesSystem account ID

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

Related Topics