
Tuesday, May 23, 2006

LDAP Useful debugging

How to enable LDAP debugging so that only LDAP operations such as
ldapsearch, modify, add and delete are traced.

Check the current LDAP debug level by running the following command:

ldapsearch -p <port> -h <host> -D "cn=orcladmin" -w <password> -b "" -s base "objectclass=*" orcldebugflag

This should return 0 if debugging is not enabled, for example:

orcldebugflag=0

ldapsearch -p <port> -h <host> -D "cn=orcladmin" -w <password> -b "" -s base "objectclass=*" orcldebugop

This should also return 0 if debugging is not enabled, for example:

orcldebugop=0



For 9.0.4 onwards


cat debug.ldif

--cut here---
dn:
changetype: modify
replace: orcldebugop
orcldebugop: 511

dn:
changetype: modify
replace: orcldebugflag
orcldebugflag: 8388609
----cut here-------

ldapmodify -p <port> -h <host> -D "cn=orcladmin" -w <password> -f debug.ldif

The available debug levels are:

1 Heavy trace debugging
128 Debug packet handling
256 Connection management, related to network activities
512 Search filter processing
1024 Entry parsing
2048 Configuration file processing
8192 Access control list processing
491520 Log of communication with the back end - that is with the database
524288 Schema related operations
4194304 Replication specific operations
8388608 Log of entries, operations and results for each connection
16777216 Trace function call arguments
67108863 All possible operations/data


The value 8388609 is determined using the formula

8388609 = 8388608 (Log of entries, operations and results for each connection) + 1 (Heavy trace debugging)

For ACL debugging you can use the log level 8396801 = 8192 (Access control list processing) +
8388608 (Log of entries, operations and results for each connection) + 1 (Heavy trace debugging)

To turn debugging off again, use the following debug.ldif:

--cut here---
dn:
changetype: modify
replace: orcldebugop
orcldebugop: 0

dn:
changetype: modify
replace: orcldebugflag
orcldebugflag: 0
----cut here-------

ldapmodify -p <port> -h <host> -D "cn=orcladmin" -w <password> -f debug.ldif

Please note that these operations may not require a restart of OID, but to be
on the safe side, restart OID afterwards.

You can check the latest log files in the $ORACLE_HOME/ldap/log directory.
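
The following shell functions are an added example, not part of the original post: decode_flag splits a 9.0.4 orcldebugflag value into the levels listed above, and audit_debug reads ldapsearch output to confirm that both attributes are back at 0 after troubleshooting. The function names are made up for this example.

```shell
# Added example, not from the original post; function names are hypothetical.
# Level table copied from the 9.0.4 list on this page (mask|meaning).
oid_levels() {
cat <<'EOF'
1|Heavy trace debugging
128|Debug packet handling
256|Connection management
512|Search filter processing
1024|Entry parsing
2048|Configuration file processing
8192|Access control list processing
491520|Communication with the back end
524288|Schema related operations
4194304|Replication specific operations
8388608|Entries, operations and results per connection
16777216|Trace function call arguments
EOF
}

# decode_flag VALUE: print "mask meaning" for every level fully set in VALUE,
# plus "unknown N" when bits remain that the table above does not name.
decode_flag() {
    value=$1 rest=$1
    while IFS='|' read -r mask desc; do
        if [ $(( value & mask )) -eq "$mask" ]; then
            printf '%s %s\n' "$mask" "$desc"
            rest=$(( rest & ~mask ))
        fi
    done <<EOF
$(oid_levels)
EOF
    if [ "$rest" -ne 0 ]; then printf 'unknown %s\n' "$rest"; fi
}

# audit_debug: read ldapsearch output (attr=value lines) on stdin; return 1 if
# orcldebugflag or orcldebugop is not 0 (a non-numeric value also counts as on).
audit_debug() {
    status=0
    while IFS='=' read -r attr val; do
        case $attr in
            orcldebugflag|orcldebugop)
                [ "$val" -eq 0 ] || { printf 'STILL ON: %s=%s\n' "$attr" "$val"; status=1; } ;;
        esac
    done
    return "$status"
}

decode_flag 8396801   # the ACL-debugging value from this page
```

Pipe the output of the two ldapsearch checks into audit_debug after applying the revert LDIF; a non-zero exit status means tracing is still switched on.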

For the version 9.0.2.3


Check the current LDAP debug level by running the following command:

ldapsearch -p <port> -h <host> -D "cn=orcladmin" -w <password> -b "" -s base "objectclass=*" orcldebugflag

This should return 0 if debugging is not enabled, for example:

orcldebugflag=0


To enable the debug trace so that only LDAP operations are traced:

cat debug.ldif
--------------

---Cut Here ---
dn:
changetype: modify
replace: orcldebugflag
orcldebugflag: 260
---- End ----------


Then apply it to OID:
ldapmodify -p <port> -h <host> -D "cn=orcladmin" -w <password> -f debug.ldif

The available DEBUG-LEVELS are:
1 = Trace function calls
2 = Debug packet handling
4 = Heavy trace debugging
8 = Connection Management
16 = Print out packets sent and received
32 = Search filter processing
64 = Configuration file processing
128 = Access control list processing
256 = Stats log connections/operations/results
512 = Stats log entries sent
1024 = Print communication with the back-end
2048 = Print entry parsing debugging
4096 = Schema-related debugging
32768 = Replication Specific debugging
65535 = Enable all debugging

260 is calculated using this formula:

260 = 256 (Stats log connections/operations/results) + 4 (Heavy trace debugging)

For ACL debugging you can use the log level 388 = 128 (Access control list processing) +
256 (Stats log connections/operations/results) + 4 (Heavy trace debugging)

To turn tracing off again, put the following in debug.ldif:

---Cut Here ---
dn:
changetype: modify
replace: orcldebugflag
orcldebugflag: 0
---- End ----------


Then apply it to OID:
ldapmodify -p <port> -h <host> -D "cn=orcladmin" -w <password> -f debug.ldif

You can check the latest log files in the $ORACLE_HOME/ldap/log directory.
