The eDirectory 8.8 LDAP Server component supports a number of different trace levels that can be used to troubleshoot LDAP connections and queries.
One can check the LDAP trace output using the ndstrace utility by enabling the +LDAP flag or by using DSTrace in iMonitor.
The normal way to change the trace level is to use the iManager LDAP Options, i.e. navigate to View LDAP Servers, select the server you want to trace, click the Tracing tab and change the tracing options. Normally you want to run without tracing enabling or with only “Critical Error Message” and “Non-critical Error Messages” enabled.
Another way if you don’t have iManager available or if you don’t want to use iManager is to use the ldapconfig utility. With that you are supposed to be able to change all LDAP Options that you can change using iManager.
For example to view the current trace level you can enter the following command:
ldapconfig get "LDAP Screen Level"
To set the trace level to none enter \!all (note that you must escape the ! character).
ldapconfig set "LDAP Screen Level=\!all"
To set the trace level to error and critical after setting it to none:
ldapconfig set "LDAP Screen Level=error|critical"
When you change the trace level using iManager it changes the ldapTraceLevel attribute on the LDAP Server object. If you look at the LDAP Server object using iMonitor it is called LDAP Screen Level.
Here is a list of valid integer combinations for the ldapTraceLevel attribute that I have tested with eDirectory 8.8 SP8.
The list was acquired by changing every trace value using iManager and noting the resulting value on the LDAP Server object.
|Trace level||ldapTraceLevel value|
|Informational Error Messages||1|
|Packet Dump or Decoding (in HEX format)||16|
|Messages from LDAP Extended Operations||128|
|Non-critical Error Messages||4096|
|Critical Error Messages||8192|
|Additional connection and operation information (in HEX format)||16384|
For example, to enable tracing of Critical Error Messages (8192) and Non-critical Error Messages (4096) you would add the two numbers and get the number 12288 that you can enter in the ldapTraceLevel attribute using LDAP.
If you change the ldapTraceLevel attribute directly the changes will not take effect until the LDAP Server is refreshed.
iManager and ldapconfig trigger a refresh directly. You can wait for up to 30 minutes for the LDAP Server to refresh itself or you can trigger a refresh using ldapconfig:
You can also write a simple standalone utility that triggers a refresh using the refreshLDAPServerRequest LDAP Extension.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.