Document URL: Administration guide

Section Number and Name:

Describe the issue:

As of 1.3.5.X, Directory Server can now correctly prompt for a password for the NSS/TLS database using the systemd-ask-password utility.

The behaviour of this may change based on circumstance. If a pin.txt exists, this will be read first. If ns-slapd detects it is attached to a terminal (tty, pty), it will prompt on the CLI as before. If none of these are true, Directory Server will fall back to using systemd-ask-pass.

This may manifest in two ways. If the process that starts ns-slapd is detached from the tty, and is not "systemctl", a wall message is displayed, such as:

    # start-dirsrv
    Broadcast message from root@hostname (Wed 2016-03-30 11:10:58 AEST):
    Password entry required for 'Enter PIN for Internal (Software) Token:' (PID 1583).
    Please enter password with the systemd-tty-ask-password-agent tool!
    # systemd-tty-ask-password-agent
    Enter PIN for Internal (Software) Token: ********

If ns-slapd is started from systemctl, systemd will prompt for the password and pass it to the process:

    # systemctl start dirsrv@localhost
    Enter PIN for Internal (Software) Token: ********
    #

Please note that there is a race condition with systemctl, where sometimes it may or may not prompt in this way: in either case, it will fall back to the wall message and the systemd-tty-ask-password-agent tool will work.

Suggestions for improvement:

Additional information:
I added a new section to the DS Admin Guide (10.1 and master branch): 7.4.5. Starting Directory Server Without Password File
The update for Directory Server 10.1 is now available on the Customer Portal.