How to take a LDAP trace with OpenLDAP
This document (7006929) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 11 Service Pack 3
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10 Service Pack 3
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 9 Service Pack 4
SUSE Linux Enterprise Server 9
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10 Service Pack 3
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 9 Service Pack 4
SUSE Linux Enterprise Server 9
Situation
When troubleshooting issues with OpenLDAP, it's sometimes required to log the individual operations (bind, search, modify, add, delete) and associated return codes.
Resolution
OpenLDAP sends logging information to syslogd. Therefore, all of these messages will be in the /var/log/messages file.
To turn on logging, follow these steps.
send_ldap_result: err=0 matched="" text=""
The five main operations are logged in these formats.
Bind
Dec 5 14:42:21 sles10sp3 slapd[29652]: ==> bdb_bind: dn: cn=admin,o=foo
Modify
Sep 27 12:13:18 sles10sp3 slapd[3784]: do_modify: dn (uid=math,o=foo)
Sep 27 12:13:18 sles10sp3 slapd[3784]: modifications:
Sep 27 12:13:18 sles10sp3 slapd[3784]: replace: sn
Sep 27 12:13:18 sles10sp3 slapd[3784]: one value, length 5
Add
Sep 27 12:14:20 sles10sp3 slapd[3784]: do_add: dn (uid=math,o=foo)
Delete
Sep 27 12:35:01 sles10sp3 slapd[4628]: ==> bdb_delete: uid=math,o=foo
Search
Dec 5 14:38:55 sles10sp3 slapd[29566]: SRCH "o=foo" 2 3
Dec 5 14:38:55 sles10sp3 slapd[29566]: 0 0 0
Dec 5 14:38:55 sles10sp3 slapd[29566]: filter: (cn=admin)
Dec 5 14:38:55 sles10sp3 slapd[29566]: attrs:
Dec 5 14:38:55 sles10sp3 slapd[29566]: sn
Dec 5 14:38:55 sles10sp3 slapd[29566]: cn
The first line consists of four arguments.
Field 2 - Search base
Field 3 - Scope
0 - base
1 - one
2 - subtree
Field 4 - Alias dereferencing
The second line consists of three arguments.
Field 1 - Size limit
Field 2 - Time limit
Field 3 - Attributes only
The log levels can be set with a number, hex value, or log name
To turn on logging, follow these steps.
- Add the following line at the top of the /etc/openldap/slapd.conf file.
loglevel 4
- Restart OpenLDAP
$ rcldap restart
send_ldap_result: err=0 matched="" text=""
The five main operations are logged in these formats.
Bind
Dec 5 14:42:21 sles10sp3 slapd[29652]: ==> bdb_bind: dn: cn=admin,o=foo
Modify
Sep 27 12:13:18 sles10sp3 slapd[3784]: do_modify: dn (uid=math,o=foo)
Sep 27 12:13:18 sles10sp3 slapd[3784]: modifications:
Sep 27 12:13:18 sles10sp3 slapd[3784]: replace: sn
Sep 27 12:13:18 sles10sp3 slapd[3784]: one value, length 5
Add
Sep 27 12:14:20 sles10sp3 slapd[3784]: do_add: dn (uid=math,o=foo)
Delete
Sep 27 12:35:01 sles10sp3 slapd[4628]: ==> bdb_delete: uid=math,o=foo
Search
Dec 5 14:38:55 sles10sp3 slapd[29566]: SRCH "o=foo" 2 3
Dec 5 14:38:55 sles10sp3 slapd[29566]: 0 0 0
Dec 5 14:38:55 sles10sp3 slapd[29566]: filter: (cn=admin)
Dec 5 14:38:55 sles10sp3 slapd[29566]: attrs:
Dec 5 14:38:55 sles10sp3 slapd[29566]: sn
Dec 5 14:38:55 sles10sp3 slapd[29566]: cn
The first line consists of four arguments.
Field 2 - Search base
Field 3 - Scope
0 - base
1 - one
2 - subtree
Field 4 - Alias dereferencing
The second line consists of three arguments.
Field 1 - Size limit
Field 2 - Time limit
Field 3 - Attributes only
The log levels can be set with a number, hex value, or log name
example with log name:
'loglevel conns sync acl'
or with number
'loglevel 19392'
To use numbers the values are added together for example loglevel 5 is "trace function calls" and "heavy trace debugging" or loglevel 7 is "trace function calls", "packet-handling debug info", and "heavy trace debugging".
The possible values for number, hex value and log name are:
| Number | Hex | Log name | Logging description |
| -1 | 0xFFFF | any | enable all logging |
| 0 | 0x0000 | - | logging inhibited - no logging occurs including critical errors. Not recommended. |
| 1 | 0x1 | trace | trace function calls |
| 2 | 0x2 | packets | debug packet handling |
| 4 | 0x4 | args | heavy trace debugging |
| 8 | 0x8 | conns | connection management |
| 16 | 0x10 | BER | print out packets sent and received |
| 32 | 0x20 | filter | search filter processing |
| 64 | 0x40 | config | configuration file processing |
| 128 | 0x80 | ACL | access control list processing |
| 256 | 0x100 | stats | stats log connections/operations/results (default) |
| 512 | 0x200 | stats2 | stats log entries sent |
| 1024 | 0x400 | shell | print communication with shell backends |
| 2048 | 0x800 | parse | entry parsing debugging |
| 4096 | 0x1000 | cache | caching (unused) |
| 8192 | 0x2000 | index | indexing (unused) |
| 16384 | 0x4000 | sync | print syncrepl (replica) logging |
| 32768 | 0x8000 | none | A misnomer - it will log messages that are not categorized - specifically including critical messages |
Additional Information
The most common log level settings are loglevel 4 and loglevel 5
logfile /path/to/ldap/log/file
To log the LDAP traffic to another file add this to syslog.conf:
logfile /var/log/openldap.log
The log file must exist for Openldap to log to this file so create an empty file
touch /var/log/ldap.log
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7006929
- Creation Date: 27-Sep-2010
- Modified Date:16-Mar-2021
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
