How to take a LDAP trace with OpenLDAP

  • 7006929
  • 27-Sep-2010
  • 01-Jul-2014

Environment

SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 11 Service Pack 3
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 10 Service Pack 3
SUSE Linux Enterprise Server 9
SUSE Linux Enterprise Server 9 Service Pack 4

Situation

When troubleshooting issues with OpenLDAP, it's sometimes required to log the individual operations (bind, search, modify, add, delete) and associated return codes.

Resolution

OpenLDAP sends logging information to syslogd.  Therefore, all of these messages will be in the /var/log/messages file.

To turn on logging, follow these steps.

  1. Add the following line at the top of the /etc/openldap/slapd.conf file.

    loglevel 4

  2. Restart OpenLDAP

    $ rcldap restart

The result code for all LDAP operations has this format.

send_ldap_result: err=0 matched="" text=""

The five main operations are logged in these formats.

Bind

Dec  5 14:42:21 sles10sp3 slapd[29652]: ==> bdb_bind: dn: cn=admin,o=novell

Modify

Sep 27 12:13:18 sles10sp3 slapd[3784]: do_modify: dn (uid=math,o=novell)
Sep 27 12:13:18 sles10sp3 slapd[3784]: modifications:
Sep 27 12:13:18 sles10sp3 slapd[3784]:  replace: sn
Sep 27 12:13:18 sles10sp3 slapd[3784]:          one value, length 5

Add

Sep 27 12:14:20 sles10sp3 slapd[3784]: do_add: dn (uid=math,o=novell)

Delete

Sep 27 12:35:01 sles10sp3 slapd[4628]: ==> bdb_delete: uid=math,o=novell

Search

Dec  5 14:38:55 sles10sp3 slapd[29566]: SRCH "o=novell" 2 3
Dec  5 14:38:55 sles10sp3 slapd[29566]:     0 0 0
Dec  5 14:38:55 sles10sp3 slapd[29566]:     filter: (cn=admin)
Dec  5 14:38:55 sles10sp3 slapd[29566]:     attrs:
Dec  5 14:38:55 sles10sp3 slapd[29566]:  sn
Dec  5 14:38:55 sles10sp3 slapd[29566]:  cn

The first line consists of four fields (the first is the operation name, SRCH).

Field 2 - Search base

Field 3 - Scope

0 - base
1 - one
2 - subtree

Field 4 - Alias dereferencing

The second line consists of three fields.

Field 1 - Size limit

Field 2 - Time limit

Field 3 - Attributes only

The log level can be set as a number, a hex value, or one or more log names.

Example with log names:

    loglevel conns sync acl

or with a number:

    loglevel 19392

When using numbers, the individual values are added together. For example, loglevel 5 (1 + 4) is "trace function calls" plus "heavy trace debugging", and loglevel 7 (1 + 2 + 4) is "trace function calls", "packet-handling debug info", and "heavy trace debugging".

The possible values for number, hex value and log name are:

Number  Hex     Log name  Logging description
-1      0xFFFF  any       enable all logging
0       0x0000  -         logging inhibited - no logging occurs, including critical errors. Not recommended.
1       0x1     trace     trace function calls
2       0x2     packets   debug packet handling
4       0x4     args      heavy trace debugging
8       0x8     conns     connection management
16      0x10    BER       print out packets sent and received
32      0x20    filter    search filter processing
64      0x40    config    configuration file processing
128     0x80    ACL       access control list processing
256     0x100   stats     stats log connections/operations/results (default)
512     0x200   stats2    stats log entries sent
1024    0x400   shell     print communication with shell backends
2048    0x800   parse     entry parsing debugging
4096    0x1000  cache     caching (unused)
8192    0x2000  index     indexing (unused)
16384   0x4000  sync      print syncrepl (replica) logging
32768   0x8000  none      a misnomer - it will log messages that are not categorized, specifically including critical messages
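As an added example that is not part of the original TID, the following Python script parses the SRCH record and send_ldap_result line formats described above and decodes a numeric loglevel into the log names from the table. The sample log lines are the ones shown in this article; the function names are my own.

```python
import re

# Log-level bits from the table in this article (value -> log name).
LOGLEVEL_BITS = {
    0x1: "trace", 0x2: "packets", 0x4: "args", 0x8: "conns", 0x10: "BER",
    0x20: "filter", 0x40: "config", 0x80: "ACL", 0x100: "stats",
    0x200: "stats2", 0x400: "shell", 0x800: "parse", 0x1000: "cache",
    0x2000: "index", 0x4000: "sync", 0x8000: "none",
}
SCOPES = {0: "base", 1: "one", 2: "subtree"}   # Field 3 of the SRCH line
PREFIX = re.compile(r"^.*?slapd\[\d+\]: ")     # "Dec  5 14:38:55 host slapd[pid]: "

def decode_loglevel(value):
    """Split a numeric loglevel (e.g. 5 or 19392) into the log names it enables."""
    if value == -1:
        return ["any"]
    return [name for bit, name in sorted(LOGLEVEL_BITS.items()) if value & bit]

def parse_search(lines):
    """Decode the multi-line SRCH record: base/scope/deref, limits, filter, attrs."""
    body = [PREFIX.sub("", line) for line in lines]
    m = re.match(r'SRCH "(.*)" (\d+) (\d+)$', body[0].strip())
    base, scope, deref = m.group(1), int(m.group(2)), int(m.group(3))
    sizelimit, timelimit, attrsonly = (int(x) for x in body[1].split())
    filt = body[2].split("filter:", 1)[1].strip()
    attrs_at = next(i for i, l in enumerate(body) if l.strip() == "attrs:")
    attrs = [l.strip() for l in body[attrs_at + 1:] if l.strip()]
    return {"base": base, "scope": SCOPES.get(scope, scope), "deref": deref,
            "sizelimit": sizelimit, "timelimit": timelimit,
            "attrsonly": bool(attrsonly), "filter": filt, "attrs": attrs}

def parse_result(line):
    """Return the err code of a send_ldap_result line, or None for other lines."""
    m = re.search(r"send_ldap_result: err=(\d+)", line)
    return int(m.group(1)) if m else None

# Sample search record, copied from the example in this article.
SAMPLE_SEARCH = [
    'Dec  5 14:38:55 sles10sp3 slapd[29566]: SRCH "o=novell" 2 3',
    "Dec  5 14:38:55 sles10sp3 slapd[29566]:     0 0 0",
    "Dec  5 14:38:55 sles10sp3 slapd[29566]:     filter: (cn=admin)",
    "Dec  5 14:38:55 sles10sp3 slapd[29566]:     attrs:",
    "Dec  5 14:38:55 sles10sp3 slapd[29566]:  sn",
    "Dec  5 14:38:55 sles10sp3 slapd[29566]:  cn",
]

if __name__ == "__main__":
    print(decode_loglevel(19392))
    print(parse_search(SAMPLE_SEARCH))
    print(parse_result('send_ldap_result: err=0 matched="" text=""'))
```

Run it against /var/log/messages to list each search's base, scope and filter alongside non-zero err codes when tracking down a failing client.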

Additional Information

The most common log level settings are loglevel 4 and loglevel 5.

The logfile directive has this form:

    logfile /path/to/ldap/log/file

To log the LDAP traffic to another file, add this to syslog.conf:

    logfile  /var/log/openldap.log

The log file must already exist for OpenLDAP to log to it, so create an empty file first:

    touch /var/log/ldap.log