How to take an LDAP trace with OpenLDAP

This document (7006929) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 3
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10 Service Pack 3
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 9 Service Pack 4
SUSE Linux Enterprise Server 9

Situation

When troubleshooting issues with OpenLDAP, it is sometimes necessary to log the individual operations (bind, search, modify, add, delete) and their associated return codes.

Resolution

OpenLDAP sends logging information to syslogd.  Therefore, all of these messages will be in the /var/log/messages file.

To turn on logging, follow these steps.
 
  1. Add the following line at the top of the /etc/openldap/slapd.conf file.

    loglevel 4
     
  2. Restart OpenLDAP

    $ rcldap restart
     
The result code for all LDAP operations has this format.

send_ldap_result: err=0 matched="" text=""

The five main operations are logged in these formats.

Bind

Dec  5 14:42:21 sles10sp3 slapd[29652]: ==> bdb_bind: dn: cn=admin,o=foo

Modify

Sep 27 12:13:18 sles10sp3 slapd[3784]: do_modify: dn (uid=math,o=foo)
Sep 27 12:13:18 sles10sp3 slapd[3784]: modifications:
Sep 27 12:13:18 sles10sp3 slapd[3784]:  replace: sn
Sep 27 12:13:18 sles10sp3 slapd[3784]:          one value, length 5

Add

Sep 27 12:14:20 sles10sp3 slapd[3784]: do_add: dn (uid=math,o=foo)

Delete

Sep 27 12:35:01 sles10sp3 slapd[4628]: ==> bdb_delete: uid=math,o=foo

Search

Dec  5 14:38:55 sles10sp3 slapd[29566]: SRCH "o=foo" 2 3
Dec  5 14:38:55 sles10sp3 slapd[29566]:     0 0 0
Dec  5 14:38:55 sles10sp3 slapd[29566]:     filter: (cn=admin)
Dec  5 14:38:55 sles10sp3 slapd[29566]:     attrs:
Dec  5 14:38:55 sles10sp3 slapd[29566]:  sn
Dec  5 14:38:55 sles10sp3 slapd[29566]:  cn

The first line consists of four arguments.

Field 2 - Search base

Field 3 - Scope

0 - base
1 - one
2 - subtree

Field 4 - Alias dereferencing

The second line consists of three arguments.

Field 1 - Size limit

Field 2 - Time limit

Field 3 - Attributes only
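
The log formats above can be turned into one record per operation, which makes it easy to see who bound, what was searched or changed, and which operations returned a non-zero result code. The following Python parser is an added example, not part of the original SUSE document. The names parse_trace and SAMPLE are hypothetical, the sample lines are constructed in the formats shown above (err=49 is the LDAP invalidCredentials result code), and each send_ldap_result line is assumed to belong to the most recent operation logged by the same slapd PID, which can mis-pair lines when connections are served concurrently.

```python
import re

SCOPES = {0: "base", 1: "one", 2: "subtree"}
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ slapd\[(\d+)\]: (.*)$")
OPS = [("search", re.compile(r'SRCH "(.*)" (\d+) (\d+)$')),
       ("bind", re.compile(r"==> bdb_bind: dn: (.*)$")),
       ("modify", re.compile(r"do_modify: dn \((.*)\)$")),
       ("add", re.compile(r"do_add: dn \((.*)\)$")),
       ("delete", re.compile(r"==> bdb_delete: (.*)$"))]
LIMITS = re.compile(r"\s*(\d+) (\d+) (\d+)$")
FILTER = re.compile(r"\s*filter: (.*)$")
RESULT = re.compile(r'send_ldap_result: err=(\d+) matched="(.*)" text="(.*)"$')

def parse_trace(lines):
    """Parse 'Mon DD HH:MM:SS host slapd[pid]: msg' lines into one dict per operation."""
    ops, pending = [], {}  # pending: slapd pid -> operation still waiting for its result
    for raw in lines:
        if not (m := LINE.match(raw.rstrip())):
            continue
        when, pid, msg = m.groups()
        for name, pat in OPS:
            if g := pat.match(msg):
                cur = {"op": name, "time": when, "pid": pid, "err": None}
                if name == "search":
                    cur.update(base=g[1], scope=SCOPES.get(int(g[2]), g[2]), deref=int(g[3]))
                else:
                    cur["dn"] = g[1]
                ops.append(cur)
                pending[pid] = cur
                break
        else:  # not a new operation: a detail or result line for the pending one
            cur = pending.get(pid, {})
            if r := RESULT.match(msg):
                cur.update(err=int(r[1]), text=r[3])
                pending.pop(pid, None)  # assumption: result closes this pid's latest operation
            elif cur.get("op") == "search" and (n := LIMITS.match(msg)):
                cur.update(size_limit=int(n[1]), time_limit=int(n[2]), attrs_only=n[3] != "0")
            elif cur.get("op") == "search" and (f := FILTER.match(msg)):
                cur["filter"] = f[1]
    return ops

# Constructed sample input in the formats shown above (not captured from a real server)
SAMPLE = """\
Dec  5 14:42:21 sles10sp3 slapd[29652]: ==> bdb_bind: dn: cn=admin,o=foo
Dec  5 14:42:21 sles10sp3 slapd[29652]: send_ldap_result: err=49 matched="" text=""
Dec  5 14:42:30 sles10sp3 slapd[29652]: SRCH "o=foo" 2 3
Dec  5 14:42:30 sles10sp3 slapd[29652]:     0 0 0
Dec  5 14:42:30 sles10sp3 slapd[29652]:     filter: (cn=admin)
Dec  5 14:42:30 sles10sp3 slapd[29652]: send_ldap_result: err=0 matched="" text=""
""".splitlines()
```

Calling parse_trace(SAMPLE) returns two records: a bind as cn=admin,o=foo with err 49 and a subtree search of o=foo with err 0. Selecting records whose err is neither 0 nor None lists the failed operations.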

The log levels can be set with a number, a hex value, or a log name.

Example with log names:

    loglevel conns sync acl

Or with a number:

    loglevel 19392

To use numbers, add the values together. For example, loglevel 5 is "trace function calls" and "heavy trace debugging", and loglevel 7 is "trace function calls", "packet-handling debug info", and "heavy trace debugging".
 
The possible values for number, hex value and log name are:
 
    Number  Hex     Log name  Logging description
    ------  ------  --------  -------------------
    -1      0xFFFF  any       enable all logging
    0       0x0000  -         logging inhibited - no logging occurs including critical errors. Not recommended.
    1       0x1     trace     trace function calls
    2       0x2     packets   debug packet handling
    4       0x4     args      heavy trace debugging
    8       0x8     conns     connection management
    16      0x10    BER       print out packets sent and received
    32      0x20    filter    search filter processing
    64      0x40    config    configuration file processing
    128     0x80    ACL       access control list processing
    256     0x100   stats     stats log connections/operations/results (default)
    512     0x200   stats2    stats log entries sent
    1024    0x400   shell     print communication with shell backends
    2048    0x800   parse     entry parsing debugging
    4096    0x1000  cache     caching (unused)
    8192    0x2000  index     indexing (unused)
    16384   0x4000  sync      print syncrepl (replica) logging
    32768   0x8000  none      A misnomer - it will log messages that are not categorized - specifically including critical messages

Additional Information

The most common log level settings are loglevel 4 and loglevel 5.

    logfile /path/to/ldap/log/file

To log the LDAP traffic to another file, add this to syslog.conf:

    logfile  /var/log/openldap.log

The log file must exist for OpenLDAP to log to this file, so create an empty file:

    touch /var/log/ldap.log

 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7006929
  • Creation Date: 27-Sep-2010
  • Modified Date: 16-Mar-2021
    • SUSE Linux Enterprise Server
