System Accounts
Manage system accounts, the credentials that applications and IPA service components use to bind to the directory for internal operations. System accounts are not meant for regular user authentication. Features include system account creation, password management, and service-specific account configuration for maintaining secure internal service authentication.
System accounts are designed to allow applications to query the LDAP database. Unlike IPA users, system accounts have no POSIX attributes and cannot be resolved as users in a POSIX environment.
System accounts are stored in the ``cn=sysaccounts,cn=etc`` LDAP subtree. Some system accounts are special to IPA's own operations and cannot be removed.
EXAMPLES
Add a new system account and set a random password:

.. code-block:: console

   ipa sysaccount-add my-app --random

Allow the system account to change user passwords without triggering a password reset (normally a password set by anyone other than the user is immediately expired so that the user must change it at next login):

.. code-block:: console

   ipa sysaccount-mod my-app --privileged=True

The ``--privileged`` setting only controls the reset behaviour. The system account still needs to be permitted to modify user passwords through a role that includes the corresponding permission (``System: Change User password``), granted through the privilege system:

.. code-block:: console

   ipa privilege-add 'my-app password change privilege'
   ipa privilege-add-permission 'my-app password change privilege' --permission 'System: Change User password'
   ipa role-add 'my-app role'
   ipa role-add-privilege 'my-app role' --privilege 'my-app password change privilege'
   ipa role-add-member 'my-app role' --sysaccounts my-app

Delete a system account:

.. code-block:: console

   ipa sysaccount-del my-app

Find all system accounts:

.. code-block:: console

   ipa sysaccount-find

Disable the system account:

.. code-block:: console

   ipa sysaccount-disable my-app

Re-enable the system account:

.. code-block:: console

   ipa sysaccount-enable my-app

Allow the system account to change user passwords without a reset; the same setting is also exposed through the policy command:

.. code-block:: console

   ipa sysaccount-policy my-app --privileged=true
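The complete workflow above, from creating the account to the checks an application owner would run against it, as an added shell example. This is not part of the FreeIPA documentation or the project's own code. It assumes that the account entry has the RDN ``uid=<login>`` under ``cn=sysaccounts,cn=etc``, that ``ipa sysaccount-add --random`` prints a ``Random password:`` line the way ``ipa user-add --random`` does, that the OpenLDAP client tools (``ldapwhoami``, ``ldapsearch``) are installed, and that the base DN ``dc=example,dc=com`` and URI ``ldaps://ipa.example.com`` are placeholders for your realm. The sample command output embedded in the block is constructed for the parser demonstration.

```shell
#!/bin/sh
# Added example (not FreeIPA's own code): create a system account with a random
# password, wire up the password-change role from the documentation, then verify
# from the application side that the account can bind and query LDAP and that it
# is NOT resolvable as a POSIX user.
#
# Assumptions (not stated on the page): RDN is uid=<login>; `ipa sysaccount-add
# --random` prints a "Random password:" line like `ipa user-add --random`;
# ldap-utils are installed. BASE_DN and LDAP_URI are placeholders.
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=com}"
LDAP_URI="${LDAP_URI:-ldaps://ipa.example.com}"

# Constructed sample of what `ipa sysaccount-add my-app --random` is assumed to
# print; used only to demonstrate the password extraction below.
SAMPLE_ADD_OUTPUT='-------------------------------
Added system account "my-app"
-------------------------------
  Login: my-app
  Random password: Xk9-constructed-secret'

# Bind DN of a system account: entries live under cn=sysaccounts,cn=etc.
sysaccount_dn() {
    printf 'uid=%s,cn=sysaccounts,cn=etc,%s\n' "$1" "${2:-$BASE_DN}"
}

# Read `ipa sysaccount-add --random` output on stdin, print only the password.
# Assumed line format: "  Random password: <value>"; prints nothing if absent.
extract_random_password() {
    sed -n '/^[[:space:]]*Random password:/{s/^[[:space:]]*Random password:[[:space:]]*//p;q;}'
}

# Create the account and emit only the generated secret (for the app's vault).
create_sysaccount() {
    ipa sysaccount-add "$1" --desc "$2" --random | extract_random_password
}

# Role wiring from the page: privilege -> permission, role -> privilege,
# role -> system account; then exempt its password changes from forced reset.
grant_password_change() {
    login="$1"
    priv="$login password change privilege"
    role="$login role"
    ipa privilege-add "$priv"
    ipa privilege-add-permission "$priv" --permission 'System: Change User password'
    ipa role-add "$role"
    ipa role-add-privilege "$role" --privilege "$priv"
    ipa role-add-member "$role" --sysaccounts "$login"
    ipa sysaccount-mod "$login" --privileged=True
}

# Application-side checks: simple bind works, a search works, and NSS does not
# know the login (system accounts carry no POSIX attributes).
verify_sysaccount() {
    login="$1"
    dn="$(sysaccount_dn "$login")"
    pwfile="$(mktemp)"
    trap 'rm -f "${pwfile:-}"' EXIT
    printf '%s' "$2" >"$pwfile"   # no trailing newline: -y uses the file verbatim
    ldapwhoami -x -H "$LDAP_URI" -D "$dn" -y "$pwfile"
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$dn" -y "$pwfile" \
        -b "cn=users,cn=accounts,$BASE_DN" -s one '(uid=admin)' dn
    if getent passwd "$login" >/dev/null 2>&1; then
        echo "unexpected: $login resolves as a POSIX user" >&2
        return 1
    fi
    echo "ok: $dn binds, searches, and is not a POSIX user"
}

if [ "${1:-}" = "run" ]; then
    pw="$(create_sysaccount my-app 'password-change service account')"
    grant_password_change my-app
    verify_sysaccount my-app "$pw"
fi
```

Run it as ``sh sysaccount-demo.sh run`` on an enrolled host while holding an administrator's Kerberos ticket. The password is passed to the LDAP tools through a temporary file with ``-y`` rather than ``-w`` so it never appears in ``ps`` output, and the ``getent`` check confirms the claim above that system accounts are invisible to POSIX lookups.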
Commands
==================  ================================================
Command             Description
==================  ================================================
sysaccount-add      Add a new IPA system account.
sysaccount-del      Delete an IPA system account.
sysaccount-disable  Disable a system account.
sysaccount-enable   Enable a system account.
sysaccount-find     Search for IPA system accounts.
sysaccount-mod      Modify an existing IPA system account.
sysaccount-policy   Manage the system account policy.
sysaccount-show     Display information about an IPA system account.
==================  ================================================
sysaccount-add
Usage: ipa [global-options] sysaccount-add LOGIN [options]
Add a new IPA system account.
Arguments
========  ========  =================
Argument  Required  Description
========  ========  =================
LOGIN     yes       System account ID
========  ========  =================
Options
=======================  ==================================================
Option                   Description
=======================  ==================================================
--desc DESC              A description of the system account
--password PASSWORD      Prompt to set the user password
--random                 Generate a random user password
--disabled DISABLED      Account disabled
--setattr SETATTR        Set an attribute to a name/value pair. Format is
                         attr=value.
--addattr ADDATTR        Add an attribute/value pair. Format is
                         attr=value. The attribute
--privileged PRIVILEGED  Allow password updates without reset
--all                    Retrieve and print all attributes from the
                         server. Affects command output.
--raw                    Print entries as stored on the server. Only
                         affects output format.
--no-members             Suppress processing of membership attributes.
=======================  ==================================================
sysaccount-del
Usage: ipa [global-options] sysaccount-del LOGIN [options]
Delete an IPA system account.
Arguments
========  ========  =================
Argument  Required  Description
========  ========  =================
LOGIN     yes       System account ID
========  ========  =================
Options
==========  =======================================
Option      Description
==========  =======================================
--continue  Continuous mode: Don't stop on errors.
==========  =======================================
sysaccount-disable
Usage: ipa [global-options] sysaccount-disable LOGIN [options]
Disable a system account.
Arguments
========  ========  =================
Argument  Required  Description
========  ========  =================
LOGIN     yes       System account ID
========  ========  =================
sysaccount-enable
Usage: ipa [global-options] sysaccount-enable LOGIN [options]
Enable a system account.
Arguments
========  ========  =================
Argument  Required  Description
========  ========  =================
LOGIN     yes       System account ID
========  ========  =================
sysaccount-find
Usage: ipa [global-options] sysaccount-find [CRITERIA] [options]
Search for IPA system accounts.
Arguments
========  ========  ==========================================
Argument  Required  Description
========  ========  ==========================================
CRITERIA  no        A string searched in all relevant object
                    attributes
========  ========  ==========================================
Options
=====================  ==================================================
Option                 Description
=====================  ==================================================
--login LOGIN          System account ID
--desc DESC            A description of the system account
--disabled DISABLED    Account disabled
--timelimit TIMELIMIT  Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT  Maximum number of entries returned (0 is
                       unlimited)
--all                  Retrieve and print all attributes from the
                       server. Affects command output.
--raw                  Print entries as stored on the server. Only
                       affects output format.
--pkey-only            Results should contain primary key attribute only
                       ("login")
=====================  ==================================================
sysaccount-mod
Usage: ipa [global-options] sysaccount-mod LOGIN [options]
Modify an existing IPA system account.
Arguments
========  ========  =================
Argument  Required  Description
========  ========  =================
LOGIN     yes       System account ID
========  ========  =================
Options
=======================  ==================================================
Option                   Description
=======================  ==================================================
--desc DESC              A description of the system account
--password PASSWORD      Prompt to set the user password
--random                 Generate a random user password
--disabled DISABLED      Account disabled
--setattr SETATTR        Set an attribute to a name/value pair. Format is
                         attr=value.
--addattr ADDATTR        Add an attribute/value pair. Format is
                         attr=value. The attribute
--delattr DELATTR        Delete an attribute/value pair. The option will
                         be evaluated
--rights                 Display the access rights of this entry (requires
                         --all). See ipa man page for details.
--privileged PRIVILEGED  Allow password updates without reset
--all                    Retrieve and print all attributes from the
                         server. Affects command output.
--raw                    Print entries as stored on the server. Only
                         affects output format.
--no-members             Suppress processing of membership attributes.
=======================  ==================================================
sysaccount-policy
Usage: ipa [global-options] sysaccount-policy LOGIN [options]
Manage the system account policy.
Arguments
========  ========  =================
Argument  Required  Description
========  ========  =================
LOGIN     yes       System account ID
========  ========  =================
Options
=======================  ==================================================
Option                   Description
=======================  ==================================================
--rights                 Display the access rights of this entry (requires
                         --all). See ipa man page for details.
--privileged PRIVILEGED  Allow password updates without reset
--all                    Retrieve and print all attributes from the
                         server. Affects command output.
--raw                    Print entries as stored on the server. Only
                         affects output format.
--no-members             Suppress processing of membership attributes.
=======================  ==================================================
sysaccount-show
Usage: ipa [global-options] sysaccount-show LOGIN [options]
Display information about an IPA system account.
Arguments
========  ========  =================
Argument  Required  Description
========  ========  =================
LOGIN     yes       System account ID
========  ========  =================
Options
========  ==================================================
Option    Description
========  ==================================================
--rights  Display the access rights of this entry (requires
          --all). See ipa man page for details.
--all     Retrieve and print all attributes from the
          server. Affects command output.
--raw     Print entries as stored on the server. Only
          affects output format.
========  ==================================================