Sun Java System Directory Server Enterprise Edition 6.1 Reference

Chapter 7 Directory Server Logging

For information about the types of logs used in Directory Server and for a description of the server logs, see the following sections:

Introduction to Logs

The following table summarizes the different logs used by the Directory Server.

Table 7–1 Logs Used by Directory Server




Retro change log 


Maintaining application compatibility with earlier versions of Directory Server. 

Transaction log 


Ensuring data integrity by committing each update operation to the transaction log on disk before the result code for the update operation is returned to the client application. 

When Directory Server accepts an update operation, it writes a log message about the operation to the transaction log. If the system crashes, Directory Server uses the transaction log to recover the database. 

Access log 

Flat file 

Evaluating directory use patterns, verifying configuration settings, diagnosing access problems. For information about access logs, see Access Logs.

Error log 

Flat file 

Debugging directory deployments. For information about error logs, see Error Logs.

Audit log 

Flat file 

Providing audit trails for security and data integrity. For information about audit logs, see Audit Logs.

Retro Changelog

The following server properties configure the retro change log.


Attributes to record when an entry is deleted


Whether the retro changelog is enabled


Attributes not to record when updates occur


Maximum age of records maintained


Maximum total records maintained


File system directory where the log is housed


Suffixes for which the log is maintained

See server(5dsconf) for details.

Transaction Log

The following server properties configure the transaction log.


How often Directory Server checkpoints the transaction log, ensures the entire database system is synchronized to disk, and cleans up transaction logs


Whether update operations are committed to the transaction log on disk before result codes are sent to clients


The buffer size for log information stored in memory until the buffer fills or the transaction commit forces the buffer to be written to disk


The path of the transaction log


How many updates are accumulated before being committed to the directory database

See server(5dsconf) for details.

Access, Error, and Audit Logs

Access logs, error logs and audit logs are flat files that contain information about operations. For information about how to view and configure logs, see Chapter 14, Directory Server Logging, in Sun Java System Directory Server Enterprise Edition 6.1 Administration Guide.

By default, the logs are stored in the directory instance-path/logs/.

Log files can be rotated on demand, or can be scheduled to be rotated on a specific day-of-the week and time of day, or when the log file exceeds a specified minimum size.

Old log files are stored in the same path with the same name and an extension that contains the date that the file was created, in the format filename.YYYYMMDD-hhmmss. The server also maintains a file with the same name and the .rotationinfo extension to record the creation dates of all log files.

For information about access logs, error logs and audit logs, see the following sections:

Access Logs

Access logs contain information about connections between an LDAP client and a directory server. A connection is a sequence of requests from the same client, and can contain the following components:

Error Logs

Error logs contain a unique identifier of the error, warning or information message, and a human readable message. Errors are defined according to the following severity.


The error is severe. Immediate action should be taken to avoid the loss or corruption of directory data.


The error is important. Action should be taken at some stage to prevent a severe error occurring in the future.


An informative message, usually describing server activity. No action is necessary.

Audit Logs

Audit logs contain records of all modifications to configuration or suffix entries. The modifications are written in LDIF format.

Audit logging is not enabled by default. To enable audit logging, use the procedure To Enable the Audit Log in Sun Java System Directory Server Enterprise Edition 6.1 Administration Guide.

Content of Access, Error, and Audit Logs

The remainder of this chapter describes each of the parts of the log files.

Time Stamp

Each line of an access log file begins with a timestamp of this format:[20/Dec/2006:11:39:51 -0700]. The time stamp, -0700 indicates the time difference in relation to GMT.

The format of the time stamp can vary according to your platform. The connection, closed, and abandon records appear individually. All other records appear in pairs, consisting of a request for service record followed by a result record. The record pairs usually, but not exclusively, appear on adjacent lines.

Connection Number

The connection number is represented by conn=value. Every external request is listed with an incremental connection number.

When conn=Internal the operation is an internal operation. To log internal access operations, specify an access logging level of acc-internal in the dsconf configuration attribute.

File Descriptor

The file descriptor is represented by fd=value.

Every connection from an external LDAP client to a directory server requires a file descriptor from the operating system. The file descriptor is taken from a pool of available file descriptors.

Slot Number

The slot number has the same meaning as file descriptor. Slot number is a legacy section of the access log and can be ignored.

Operation Number

The operation number is represented by op=value.

For a connection, all operation request and result pairs are given incremental operation numbers beginning with op=0. The operation number identifies the operation being performed.

When op=-1, the LDAP request for the connection was not issued by an external LDAP client, but was initiated internally.

Method Type

The method type is represented by method=value.

The method type indicates which bind method was used by the client. The method type can have one of the following values.


No authentication


Simple bind with user password


SASL bind using external authentication mechanism

LDAP Version

The LDAP version can be LDAPv2 or LDAPv3. The LDAP version gives the LDAP version number that the LDAP client used to communicate with the LDAP server.

Error Number

The error number is represented by err=number.

The error number provides the LDAP result code returned from the LDAP operation. The LDAP error number 0 means that the operation was successful. For a list of LDAP result codes refer to Result Codes in Log Files.

Tag Number

The tag number is represented by tag=value.

The tags are used internally for message decoding and are not intended for use outside. The following tags are used most often.


A client bind operation


The entry for which you were searching


The result from a search operation


The result from a modify operation


The result from an add operation


The result from a delete operation


The result from a modify DN operation


The result from a compare operation


A search reference when the entry you perform your search on holds a referral to the entry you require. Search references are expressed in terms of a referral.


A result from an extended operation

Number of Entries

The number of entries is represented by nentries=value.

The number of entries indicates the number of entries that matched an LDAP search request.

Elapsed Time

The elapsed time is represented by etime=value.

Elapsed time indicates the time that it took to perform the LDAP operation. An etime value of 0 means that the operation took milliseconds to perform.

To log the time in microseconds, specify an access logging level of acc-timing in the dsconf configuration attribute.

LDAP Request Type

The LDAP request type indicates the type of LDAP request made by the client. The following types of LDAP requests can be made:










Modify DN


Extended operation


Abandon operation

LDAP Response Type

The LDAP response type indicates the LDAP response being returned by the server. The following LDAP responses can be returned:






Referral or search reference

Unindexed Search Indicator

The unindexed search indicator is represented by notes=U.

In an unindexed search, the database is searched instead of the index file. Unindexed searches occur for the following reasons:

An unindexed search indicator is often accompanied by a large etime value because unindexed searches are usually more time consuming than indexed searches.

Extended Operation OID

An extended operation OID is represented by EXT oid="OID number". See extended-operations(5dsconf) for a list of supported extended operations.

Change Sequence Number in Log Files

The replication change sequence number is represented in log files by csn=value.

The presence of a change sequence number indicates that replication is enabled for this naming context.

Abandon Message

The abandon message is represented by ABANDON.

The presence of the abandon message indicates that an operation has been aborted. If the message ID succeeds in locating the operation that has been aborted, the log message reads as follows:

conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0

However, if the message ID does not succeed in locating the operation, or if the operation had already finished prior to the ABANDON request being sent, then the log message reads as follows:

conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2

The abandon message uses the following parameters:


Gives the number of entries sent before the operation was aborted


Gives the number of seconds that elapsed before the operation was aborted


Identifies the operation to be aborted. If the value is NOTFOUND, the operation to be aborted was either an unknown operation or already complete

Message ID

The message ID is represented by msgId=value.

The message ID is the LDAP operation identifier generated by the client. The message ID can have a different value to the operation number, but identifies the same operation. The message ID in an ABANDON operation specifies which client operation is being abandoned.

The operation number starts counting at 0. However, in many client implementations the message ID number starts counting at 1. This explains why the message ID is frequently equal to the operation number plus 1.

SASL Multi-Stage Bind Logging

Directory Server logs each stage in the multi stage bind process and, where appropriate, the progress statement SASL bind in progress is included.

The DN used for access control decisions is logged in the BIND result line and not in the bind request line.

conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=myname,dc=example,dc=com"

For SASL binds, the DN value displayed in the BIND request line is not used by the server and is, therefore, not relevant. However, for SASL binds, the authenticated DN must be used for audit purposes. Therefore, the authenticated DN must be clearly logged. Having the authenticated DN logged in the BIND result line avoids any confusion as to which DN is which.

Options Description

The options description, options=persistent, indicates that a persistent search is being performed. Persistent searches can be used as a form of monitoring and can be configured to return changes to given configurations. The access log distinguishes between persistent and regular searches.

Connection Codes in Log Files

A connection code is included in the closing message of a log file. The connection code provides additional information about why the connection was closed. The following table describes the common connection codes.

Table 7–2 Summary of Connection Codes

Connection Code 



The client has closed the connection without performing an UNBIND. 


This connection code can have one of the following causes: 

  • The client has closed the connection without performing an UNBIND.

  • The BER element was corrupt. If BER elements, which encapsulate data being sent over the wire, are corrupt when they are received, a B1 connection code is logged to the access log. BER elements can be corrupted by physical layer network problems or bad LDAP client operations, such as an LDAP client aborting before receiving all request results.


The BER element is longer than the nsslapd-maxbersize attribute value.


A corrupt BER tag was encountered. 


The server failed to flush data response back to client. This code can occur when the client closes the connection to the server, before the server finished sending data to the client. 


The client connection was closed by a custom plug-in. None of the plug-ins provided by Directory Server close a connection. 


A closed connection or corrupt connection has been detected. 


The server closed the client connection because it was idle for longer than the idle-timeout server property.


The server closed the client connection because it was stalled for longer than the nsslapd-ioblocktimeout attribute value. This code can occur for the following reasons:

  • There is a network problem.

  • The server sends a lot of data to the client but the client does not read the data. As a result, the server’s transmit buffer becomes full.


The server closed the client connection because client sent an UNBIND request. 

Result Codes in Log Files

The following tables summarizes the LDAP result codes generated by an LDAP server and an LDAP client.

Table 7–3 Summary of Result Codes for LDAP Servers

Result Code 



Operations error 

Protocol error 

Time limit exceeded 

Size limit exceeded 

Compare false 

Compare true 

Authentication method not supported 

Strong authentication required 

Partial results and referral received 


Referral received 


Administrative limit exceeded 


Unavailable critical extension 


Confidentiality required 


SASL bind in progress 


No such attribute 


Undefined attribute type 


Inappropriate matching 


Constraint violation 


Type or value exists 


Invalid syntax 


No such object 


Alias problem 


Invalid DN syntax 


Object is a leaf 


Alias de-referencing problem 


Inappropriate authentication 


Invalid credentials 


Insufficient access 


Server is busy 


Server is unavailable 


Server is unwilling to perform 


Loop detected 


Naming violation 


Object class violation 


Operation not permitted on a non-leaf entry 


Operation not permitted on a RDN 


Entry already exists 


Cannot modify object class 


Results too large 


Affects multiple servers 


Virtual list view error 

Table 7–4 Summary of Result Codes for LDAP Clients

Result Code 



Unknown error 


Cannot contact LDAP server 


Local error 


Encoding error 


Decoding error 


Timed out 


Unknown authentication method 


Bad search filter 


User cancelled operation 


Bad parameter to an LDAP routine 


Out of memory 


Cannot connect to the LDAP server 


Not supported by this version of LDAP 


Requested LDAP control not found 


No results returned 


Additional results to return 


Client detected loop 


Referral hop limit exceeded