Bug 1325715

Summary: RFE: Document Dirsrv integration with systemd-ask-pass
Product: Red Hat Directory Server
Reporter: wibrown <wibrown>
Component: Doc-administration-guide
Assignee: Marc Muehlfeld <mmuehlfe>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified
Priority: unspecified
Version: 10.0
CC: mmuehlfe, nhosoi, nkinder, rhel-docs, rmeggins
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2016-11-14 13:29:11 UTC
Type: Bug

Description wibrown@redhat.com 2016-04-10 23:00:17 UTC
Document URL: 

Administration guide

Section Number and Name: 

Describe the issue: 

As of 1.3.5.X, Directory Server can now correctly prompt for a password for the NSS/TLS database using the systemd-ask-password utility.

The behaviour of this may change based on circumstance.

If a pin.txt exists, this will be read first.

If ns-slapd detects it is attached to a terminal (tty, pty), it will prompt on the cli as before.

If none of these are true, Directory Server will fall back to using systemd-ask-password. This may manifest in two ways.

If the process that starts ns-slapd is detached from the tty and is not "systemctl", a wall message is displayed, such as:

# start-dirsrv
Broadcast message from root@hostname (Wed 2016-03-30 11:10:58 AEST):

Password entry required for 'Enter PIN for Internal (Software) Token:' (PID 1583).
Please enter password with the systemd-tty-ask-password-agent tool!

# systemd-tty-ask-password-agent
Enter PIN for Internal (Software) Token: ********

If ns-slapd is started from systemctl, systemd will prompt for the password and pass it to the process:

# systemctl start dirsrv@localhost
Enter PIN for Internal (Software) Token: ********
# 

Please note, that there is a race condition with systemctl, where sometimes it may or may not prompt in this way: in either case, it will fall back to the wall message and the systemd-tty-ask-password-agent tool will work. 

Suggestions for improvement: 

Additional information:
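The three-step PIN resolution order described in the report (pin.txt first, then an interactive tty prompt, then systemd-ask-password) as an added illustration in POSIX shell. This is not ns-slapd code and not part of the bug report; it assumes the pin.txt line format `Internal (Software) Token:<pin>` and adds a permissions check a practitioner would want, since a pin.txt that is group- or world-readable hands the NSS key database PIN to every local account. The function names are hypothetical.

```shell
#!/bin/sh
# Added illustration of the PIN lookup order from the bug report, not code
# from 389-ds / Red Hat Directory Server. Function names are hypothetical.

# Print the PIN for TOKEN from PINFILE. Assumed file format: one entry per
# line, "<token name>:<pin>", e.g. "Internal (Software) Token:s3cret".
# Returns 1 (prints nothing) if the file is unreadable or the token is absent.
pin_from_file() {
    pinfile=$1; token=$2
    [ -r "$pinfile" ] || return 1
    # Match on the exact token name followed by ':' and print the remainder.
    pin=$(awk -v t="$token" 'index($0, t ":") == 1 { print substr($0, length(t) + 2); exit }' "$pinfile")
    [ -n "$pin" ] || return 1
    printf '%s\n' "$pin"
}

# Return 0 only if PINFILE grants no group/other permission bits at all
# (e.g. 0400 or 0600). The PIN unlocks the server's private keys, so anything
# wider than owner-only access is a finding, not a convenience.
pinfile_mode_ok() {
    pinfile=$1
    [ -e "$pinfile" ] || return 1
    mode=$(stat -c '%a' "$pinfile" 2>/dev/null || stat -f '%Lp' "$pinfile")
    # Last two octal digits are group and other; both must be zero.
    [ "${mode#"${mode%??}"}" = "00" ]
}

# Resolve the PIN in the order the report describes:
#   1. pin.txt, if present and containing the token;
#   2. an interactive prompt, if stdin is a terminal;
#   3. systemd-ask-password, which prints to the caller's tty under
#      "systemctl start" or falls back to the wall message otherwise.
resolve_pin() {
    pinfile=$1; token=$2
    if pin=$(pin_from_file "$pinfile" "$token"); then
        printf '%s\n' "$pin"
        return 0
    fi
    if [ -t 0 ]; then
        printf 'Enter PIN for %s: ' "$token" >&2
        stty -echo; read -r pin; stty echo; echo >&2
        printf '%s\n' "$pin"
        return 0
    fi
    if command -v systemd-ask-password >/dev/null 2>&1; then
        systemd-ask-password "Enter PIN for ${token}:"
        return $?
    fi
    echo "resolve_pin: no pin.txt entry, no tty and no systemd-ask-password" >&2
    return 1
}
```

Run it as `resolve_pin /etc/dirsrv/slapd-localhost/pin.txt 'Internal (Software) Token'` (the path is a typical instance directory layout, assumed here). Detached from a terminal and without a pin.txt, the third branch is what produces the wall message and the `systemd-tty-ask-password-agent` prompt shown in the report; run `pinfile_mode_ok` first when you do decide to keep a pin.txt on disk.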

Comment 1 Marc Muehlfeld 2016-11-09 12:29:15 UTC
I added a new section to the DS Admin Guide (10.1 and master branch):
  7.4.5. Starting Directory Server Without Password File

Comment 3 Marc Muehlfeld 2016-11-14 13:29:11 UTC
The update for Directory Server 10.1 is now available on the Customer Portal.