Setting eDirectory LDAP trace level using LDAP


The eDirectory 8.8 LDAP Server component supports a number of different trace levels that can be used to troubleshoot LDAP connections and queries.

One can check the LDAP trace output using the ndstrace utility by enabling the +LDAP flag or by using DSTrace in iMonitor.

The normal way to change the trace level is through the iManager LDAP Options: navigate to View LDAP Servers, select the server you want to trace, click the Tracing tab and change the tracing options. Normally you want to run without tracing enabled or with only "Critical Error Messages" and "Non-critical Error Messages" enabled.

If iManager is not available, or you don't want to use it, you can use the ldapconfig utility instead. It is supposed to be able to change all the LDAP Options that you can change using iManager.

For example, to view the current trace level, enter the following command:
ldapconfig get "LDAP Screen Level"

To set the trace level to none, enter \!all (note that you must escape the ! character):
ldapconfig set "LDAP Screen Level=\!all"

To set the trace level to error and critical after setting it to none:
ldapconfig set "LDAP Screen Level=error|critical"

When you change the trace level using iManager, it changes the ldapTraceLevel attribute on the LDAP Server object. If you look at the LDAP Server object using iMonitor, the attribute is called LDAP Screen Level.

Here is a list of valid integer combinations for the ldapTraceLevel attribute that I have tested with eDirectory 8.8 SP8.

The list was acquired by changing every trace value using iManager and noting the resulting value on the LDAP Server object.

Trace level                                                         ldapTraceLevel value
Informational Error Messages                                        1
Connection Information                                              8
Packet Dump or Decoding (in HEX format)                             16
Configuration Processing                                            64
Messages from LDAP Extended Operations                              128
Non-critical Error Messages                                         4096
Critical Error Messages                                             8192
Additional connection and operation information (in HEX format)     16384

For example, to enable tracing of Critical Error Messages (8192) and Non-critical Error Messages (4096), add the two numbers to get 12288, which you can then write to the ldapTraceLevel attribute using LDAP.
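
The arithmetic above, as an added example that is not part of the original article: it composes and decodes ldapTraceLevel values from the table, checks a value against the baseline recommended earlier (no tracing, or only the two error classes), and builds an LDIF change record for the attribute. The function names and the server DN are assumptions made for illustration.

```python
# Bit values as tabulated in this article (tested there on eDirectory 8.8 SP8).
TRACE_BITS = {
    1: "Informational Error Messages",
    8: "Connection Information",
    16: "Packet Dump or Decoding (in HEX format)",
    64: "Configuration Processing",
    128: "Messages from LDAP Extended Operations",
    4096: "Non-critical Error Messages",
    8192: "Critical Error Messages",
    16384: "Additional connection and operation information (in HEX format)",
}
# Baseline for normal running per the article: nothing, or only the two error classes.
BASELINE_MASK = 4096 | 8192

def encode(names):
    """Combine trace level names (exact table names) into one ldapTraceLevel value."""
    by_name = {name: bit for bit, name in TRACE_BITS.items()}
    value = 0
    for name in names:
        if name not in by_name:
            raise ValueError(f"unknown trace level: {name!r}")
        value |= by_name[name]
    return value

def decode(value):
    """Return (enabled level names, leftover bits that are not in the table)."""
    if value < 0:
        raise ValueError("ldapTraceLevel must be non-negative")
    names = [name for bit, name in sorted(TRACE_BITS.items()) if value & bit]
    unknown = value & ~sum(TRACE_BITS)  # bits this article did not observe
    return names, unknown

def exceeds_baseline(value):
    """True if anything beyond the two error classes is enabled."""
    return bool(value & ~BASELINE_MASK)

def ldif_modify(server_dn, value):
    """LDIF change record for the LDAP Server object (DN assumed plain ASCII).
    A direct attribute change only takes effect after the LDAP Server refreshes."""
    return (f"dn: {server_dn}\nchangetype: modify\n"
            f"replace: ldapTraceLevel\nldapTraceLevel: {value}\n")

if __name__ == "__main__":
    level = encode(["Critical Error Messages", "Non-critical Error Messages"])
    # Constructed placeholder DN, not a real object name.
    print(ldif_modify("cn=LDAP Server - EXAMPLE,o=example", level))
    print(decode(12304), exceeds_baseline(12304))
```

Leftover bits are returned separately rather than dropped, so a value set by some other tool shows up as unrecognised instead of being silently treated as valid.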

If you change the ldapTraceLevel attribute directly, the changes will not take effect until the LDAP Server is refreshed.

iManager and ldapconfig trigger a refresh directly. Otherwise, you can wait for up to 30 minutes for the LDAP Server to refresh itself, or you can trigger a refresh using ldapconfig:
ldapconfig -R

You can also write a simple standalone utility that triggers a refresh using the refreshLDAPServerRequest LDAP Extension.



Last update: 2015-10-26 19:49