OpenLDAP debug level

The stand-alone LDAP daemon slapd from OpenLDAP can log debug messages, which might be helpful when analyzing problems.

Configuration

The debug-level can be configured at multiple locations:

  • when starting the daemon on the command line by using the option -d, e.g. slapd -d $level
  • via the configuration file /etc/ldap/slapd.conf using the statement loglevel, e.g. loglevel $level
  • on UCS systems via the UCR variable ldap/server/debug, e.g. ucr set ldap/server/debug=$level
  • dynamically during runtime by using ldapmodify on cn=config - see https://help.univention.com/t/q-a-mehr-debug-infos-innerhalb-des-ldap/14795

Log-level / categories / sub-system

Despite its name, the debug-level is not a severity level (error, warning, info, debug, …) but a bit-mask of categories or sub-systems:

  dec    hex     name     description
      1  0x1     trace    trace function calls
      2  0x2     packets  debug packet handling
      4  0x4     args     heavy trace debugging (function args)
      8  0x8     conns    connection management
     16  0x10    BER      print out packets sent and received
     32  0x20    filter   search filter processing
     64  0x40    config   configuration file processing
    128  0x80    ACL      access control list processing
    256  0x100   stats    connections, LDAP operations, results (OpenLDAP recommended)
    512  0x200   stats2   stats log entries sent
   1024  0x400   shell    print communication with shell backends
   2048  0x800   parse    entry parsing
  16384  0x4000  sync     LDAPSync replication
  32768  0x8000  none     only messages that get logged whatever log level is set (UCS default)

none is special in so far as it disables all categories but still prints the important messages that slapd logs regardless of the configured categories. Those messages are printed by default; they can only be suppressed by setting the log-level to 0 instead.

UCS sets none by default, which only prints the important messages.

OpenLDAP recommends stats, which will log all connections and LDAP operations performed over them. This is a good starting point for diagnosing issues. Be warned that on a heavily used server this might already create many messages, so make sure to turn it off after debugging. Otherwise this might fill up the disk very fast.

Multiple categories can be combined by or-ing together their decimal or hexadecimal values, or by specifying their values or names as a space-separated list.
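As an added example (not part of the original article), the following Python helper composes such a space-separated list into one mask and decodes a mask back into the category names from the table above, so that a value returned by ldapsearch for olcLogLevel can be read without doing the bit arithmetic by hand. The name matching is case-insensitive and numbers are accepted as decimal, hexadecimal (0x…) or octal (leading 0); both are assumptions of this helper, not claims about slapd's parser.

```python
"""Decode and compose slapd loglevel / olcLogLevel bit-masks."""

# Bits as listed in the table above; 'none' is a real bit (0x8000), not zero.
LOGLEVELS = {
    "trace": 0x1, "packets": 0x2, "args": 0x4, "conns": 0x8,
    "BER": 0x10, "filter": 0x20, "config": 0x40, "ACL": 0x80,
    "stats": 0x100, "stats2": 0x200, "shell": 0x400, "parse": 0x800,
    "sync": 0x4000, "none": 0x8000,
}
_BY_LOWER_NAME = {name.lower(): bit for name, bit in LOGLEVELS.items()}
_KNOWN_BITS = sum(LOGLEVELS.values())


def _number(token: str) -> int:
    """Parse one numeric token: hex (0x..), octal (leading 0), else decimal."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    if len(token) > 1 and token.startswith("0") and token.isdigit():
        return int(token, 8)
    return int(token, 10)


def parse_loglevel(value: str) -> int:
    """OR together a space-separated list of names and/or numbers into one mask.

    Unknown names (or unparsable numbers) raise ValueError instead of being ignored.
    """
    mask = 0
    for token in value.split():
        bit = _BY_LOWER_NAME.get(token.lower())
        if bit is None:
            try:
                bit = _number(token)
            except ValueError:
                raise ValueError(f"unknown loglevel token: {token!r}") from None
        mask |= bit
    return mask


def decode_loglevel(mask: int) -> list[str]:
    """Return the category names set in a mask; [] means 0, i.e. all logging off.

    Bits outside the table are reported in hex so that nothing is silently dropped.
    """
    names = [name for name, bit in LOGLEVELS.items() if mask & bit]
    leftover = mask & ~_KNOWN_BITS
    if leftover:
        names.append(f"unknown(0x{leftover:x})")
    return names


if __name__ == "__main__":
    # Constructed sample values, as one might get back from the olcLogLevel query.
    for sample in ("none", "stats", "stats sync", "256 0x4000", "0400", "0"):
        mask = parse_loglevel(sample)
        print(f"{sample!r:14} -> {mask:6d} (0x{mask:x}) = {decode_loglevel(mask)}")
```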

Helpful commands

  1. Get log level from running slapd:

    ldapsearch -xLLLo ldif-wrap=no -H ldapi:/// -s base -b cn=config olcLogLevel
    
  2. Set log level for running slapd:

    printf 'dn: cn=config\nchangetype: modify\nreplace: olcLogLevel\nolcLogLevel: %s\n\n' 256 |
    ldapmodify -xH ldapi:///
    
  3. Get log messages from systemd journal:

    journalctl -u slapd.service
    
  4. Get log level as configured via UCR:

    ucr get ldap/debug/level
    
  5. Set log level and restart LDAP server for that change to take effect:

    ucr set ldap/debug/level=none
    systemctl restart slapd.service