Openldap Debug Logging and Debugging Levels
Learn how to effectively configure and utilize OpenLDAP debug logging to troubleshoot and optimize your LDAP server performance.
Updated at June 20th, 2025
Table of Contents
Debug logging is useful for troubleshooting slapd issues, especially at startup where regular slapd logging via syslog loses important information.
When running in debug mode, log output is printed to stderr instead of writing to the log file via syslog.
Starting/stopping in Debug Mode
To run in debug mode, slapd must be started from the command line with the "-d parameter.
# Starting in debug mode from the command line
/opt/symas/lib/slapd -f /opt/symas/etc/openldap/slapd.conf -h "ldap:///" -d <Debug Level>
-or-
/opt/symas/lib/slapd -F /opt/symas/etc/openldap/slapd.d -h "ldap:///" -d <Debug Level>Note that if the logfile directive is used in the configuration, the logfile-only directive must be set to FALSE.
slapd will run for as long as the terminal session is alive.
To stop slapd, enter Ctrl-C.
For more options on starting slapd from the command line, see the slapd man page.
Debug Levels
There are many logging levels for different purposes. Log levels may be configured using their names, as integer values or as hex values.
When setting log levels using names on the command line, define them as a comma separated list:
/opt/symas/lib/slapd -h "ldap:///" -d sync,statsWhen setting log levels using integer or hex values, you can add the values together:
# Using levels stats (256) and sync (16384) as integers
/opt/symas/lib/slapd -h "ldap:///" -d 16640
# Using hex values: levels stats (0x100) and sync (0x4000)
/opt/symas/lib/slapd -h "ldap:///" -d 0x4100Debugging levels:
| Name | Int. | Hex | Description |
|---|---|---|---|
| any | -1 | Enables logging at all levels | |
| none | 0 | No logging occurs | |
| trace | 1 | 0x1 | Trace function calls |
| packets | 2 | 0x2 | Debug packet handling |
| args | 4 | 0x4 | Heavy trace debugging (function args) |
| conns | 8 | 0x8 | Connection management |
| BER | 16 | 0x10 | Print out packets sent and received |
| filter | 32 | 0x20 | Search filter processing |
| config | 64 | 0x40 | Configuration file processing |
| ACL | 128 | 0x80 | Access control list processing |
| stats | 256 | 0x100 | Connections, LDAP operations, results (recommended) |
| stats2 | 512 | 0x200 | Stats log entries sent |
| shell | 1024 | 0x400 | Print communication with shell backends |
| parse | 2048 | 0x800 | Entry parsing |
| sync | 16384 | 0x4000 | LDAPSync replication |
| none | 3278 | 0x8000 | Only messages that get logged whatever log level is set |
Saving Debug Output
When running in debug mode, all debug messages are printed to stderr in the terminal. To save the messages, redirect stderr to a file. When redirecting, no log output will be seen in the terminal:
/opt/symas/lib/slapd -h "ldap:///" -d 16640 > logfile.txt 2>&1If you want to watch the debug messages on the terminal and save the messages to a file, use the tee command:
/opt/symas/lib/slapd -h "ldap:///" -d 16640 2>&1 | tee logfile.txt