Bug 1325715 - RFE: Document Dirsrv integration with systemd-ask-pass
Summary: RFE: Document Dirsrv integration with systemd-ask-pass
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: Doc-administration-guide
Version: 10.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: Marc Muehlfeld
QA Contact: Viktor Ashirov
Depends On:
TreeView+ depends on / blocked
Reported: 2016-04-10 23:00 UTC by wibrown@redhat.com
Modified: 2016-11-14 13:29 UTC (History)
5 users (show)

Clone Of:
Last Closed: 2016-11-14 13:29:11 UTC

Attachments (Terms of Use)

Description wibrown@redhat.com 2016-04-10 23:00:17 UTC
Document URL: 

Administration guide

Section Number and Name: 

Describe the issue: 

As of 1.3.5.X, Directory Server can now correctly prompt for a password for the NSS/TLS database using the systemd-ask-password utility.

The behaviour of this may change based on circumstance.

If a pin.txt exists, this will be read first.

If ns-slapd detects it is attached to a terminal (tty, pty), it will prompt on the cli as before.

If none of these are true, Directory Server will fall back to using systemd-ask-pass. This may manifest in two ways.

If the process that starts ns-slapd is detacted from the tty, and is not "systemctl", a wall message is displayed, such as:

# start-dirsrv
Broadcast message from root@hostname (Wed 2016-03-30 11:10:58 AEST):

Password entry required for 'Enter PIN for Internal (Software) Token:' (PID 1583).
Please enter password with the systemd-tty-ask-password-agent tool!

# systemd-tty-ask-password-agent
Enter PIN for Internal (Software) Token: ********

If the ns-slapd is started from systemctl, systemd will prompt for the password and pass it to the process:

# systemctl start dirsrv@localhost
Enter PIN for Internal (Software) Token: ********

Please note, that there is a race condition with systemctl, where sometimes it may or may not prompt in this way: in either case, it will fall back to the wall message and the systemd-tty-ask-password-agent tool will work. 

Suggestions for improvement: 

Additional information:

Comment 1 Marc Muehlfeld 2016-11-09 12:29:15 UTC
I added a new section to the DS Admin Guide (10.1 and master branch):
  7.4.5. Starting Directory Server Without Password File

Comment 3 Marc Muehlfeld 2016-11-14 13:29:11 UTC
The update for Directory Server 10.1 is now available on the Customer Portal.

Note You need to log in before you can comment on or make changes to this bug.