The stand-alone LDAP daemon slapd from OpenLDAP can log debug messages, which can be helpful when analyzing problems.
Configuration
The debug level can be configured in several places:
- when starting the daemon on the command line, using the option `-d`, e.g. `slapd -d $level`
- via the configuration file `/etc/ldap/slapd.conf`, using the statement `loglevel`, e.g. `loglevel $level`
- on UCS systems via the UCR variable `ldap/server/debug`, e.g. `ucr set ldap/server/debug=$level`
- dynamically at runtime, using `ldapmodify` on `cn=config`; see https://help.univention.com/t/q-a-mehr-debug-infos-innerhalb-des-ldap/14795
Log level / categories / sub-systems
Despite its name, the debug level is not a level (error, warning, info, debug, …) but a bit mask of categories or sub-systems:
dec | hex | name | description |
---|---|---|---|
1 | 0x1 | trace | trace function calls |
2 | 0x2 | packets | debug packet handling |
4 | 0x4 | args | heavy trace debugging (function args) |
8 | 0x8 | conns | connection management |
16 | 0x10 | BER | print out packets sent and received |
32 | 0x20 | filter | search filter processing |
64 | 0x40 | config | configuration file processing |
128 | 0x80 | ACL | access control list processing |
256 | 0x100 | stats | connections, LDAP operations, results (OpenLDAP recommended) |
512 | 0x200 | stats2 | stats log entries sent |
1024 | 0x400 | shell | print communication with shell backends |
2048 | 0x800 | parse | entry parsing |
16384 | 0x4000 | sync | LDAPSync replication |
32768 | 0x8000 | none | only messages that get logged whatever log level is set (UCS default) |
`none` is special in that it disables all categories but still prints important messages. These are printed by default, but even they can be suppressed by setting the log level to 0 instead. UCS sets `none` by default, which prints only the important messages.
OpenLDAP recommends `stats`, which logs all connections and the LDAP operations performed over them. This is a good starting point for diagnosing issues. Be warned that on a heavily used server even this can produce a large number of messages, so make sure to turn it off after debugging; otherwise it can fill up the disk very quickly.
Multiple values can be combined by OR-ing together their decimal or hexadecimal values, or by specifying their values or names as a space-separated list.
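The following shell script is an added example, not part of the original article and not OpenLDAP or Univention code. It encodes the category table above as data and provides three hypothetical helpers: `loglevel_decode` turns a decimal or hexadecimal value back into category names (reporting any bits that are not in the table), `loglevel_encode` ORs together a mixed list of names and numbers, and `loglevel_from_ldif` pulls the `olcLogLevel` attribute out of `ldapsearch` LDIF output, such as the output of the "get log level" command further below, so the value currently active on a server can be read without a calculator. The LDIF sample at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: decode and build slapd log-level bit masks.
# Category table taken from the article, as "value name" pairs.
LOGLEVEL_TABLE='1 trace
2 packets
4 args
8 conns
16 BER
32 filter
64 config
128 ACL
256 stats
512 stats2
1024 shell
2048 parse
16384 sync
32768 none'

# to_int: print a decimal (256) or hexadecimal (0x100) argument as decimal.
# Returns 1 for anything that is not a number, so callers can tell names apart.
to_int() {
    case "$1" in
        0x*|0X*) printf '%d\n' "$1" ;;   # printf accepts the 0x prefix
        ''|*[!0-9]*) return 1 ;;
        *) printf '%d\n' "$1" ;;
    esac
}

# loglevel_decode: print the category names contained in a numeric level,
# in table order, e.g. 288 -> "filter stats". Bits not in the table are
# reported as "unknown:0x..." so a stray value does not go unnoticed.
loglevel_decode() {
    level=$(to_int "$1") || { echo "invalid level: $1" >&2; return 1; }
    if [ "$level" -eq 0 ]; then
        echo "0 (logging disabled, even important messages are suppressed)"
        return 0
    fi
    names=
    rest=$level
    while read -r value name; do
        if [ $(( level & value )) -ne 0 ]; then
            names="$names $name"
            rest=$(( rest & ~value ))
        fi
    done <<EOF
$LOGLEVEL_TABLE
EOF
    printf '%s' "${names# }"
    [ "$rest" -eq 0 ] || printf ' unknown:0x%x' "$rest"
    printf '\n'
}

# loglevel_encode: OR together names and/or numbers (decimal or hex) and
# print the resulting decimal value, e.g. "stats sync" -> 16640.
loglevel_encode() {
    total=0
    for item in "$@"; do
        if value=$(to_int "$item"); then
            total=$(( total | value ))
            continue
        fi
        found=0
        while read -r value name; do
            if [ "$name" = "$item" ]; then
                total=$(( total | value ))
                found=1
            fi
        done <<EOF
$LOGLEVEL_TABLE
EOF
        [ "$found" -eq 1 ] || { echo "unknown category: $item" >&2; return 1; }
    done
    echo "$total"
}

# loglevel_from_ldif: read ldapsearch LDIF output on stdin or from $1, collect
# every olcLogLevel value (each may be a number or a name list) and print the
# combined decimal value.
loglevel_from_ldif() {
    words=$(printf '%s\n' "$1" | sed -n 's/^olcLogLevel: *//p' | tr '\n' ' ')
    # shellcheck disable=SC2086  # word splitting is intended here
    loglevel_encode $words
}

# Constructed sample, shaped like the output of:
#   ldapsearch -xLLLo ldif-wrap=no -H ldapi:/// -s base -b cn=config olcLogLevel
SAMPLE_LDIF='dn: cn=config
olcLogLevel: stats sync'

# Stand-alone demonstration.
loglevel_decode 288
loglevel_decode 0x8000
loglevel_encode stats 0x4000
loglevel_from_ldif "$SAMPLE_LDIF"
```

The decoder deliberately masks off each recognized bit and prints whatever remains, because a value such as 4096 is accepted by slapd's arithmetic but does not correspond to any category in the table; seeing `unknown:0x1000` is more useful than silently printing nothing.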
Helpful commands
- Get the log level from a running slapd: `ldapsearch -xLLLo ldif-wrap=no -H ldapi:/// -s base -b cn=config olcLogLevel`
- Set the log level of a running slapd: `printf 'dn: cn=config\nchangetype: modify\nreplace: olcLogLevel\nolcLogLevel: %s\n\n' 256 | ldapmodify -xH ldapi:///`
- Get the log messages from the systemd journal: `journalctl -u slapd.service`
- Get the log level as configured via UCR: `ucr get ldap/debug/level`
- Set the log level and restart the LDAP server for the change to take effect: `ucr set ldap/debug/level=none && systemctl restart slapd.service`