Netscape Directory Server Configuration, Command, and File Reference: Chapter 5Access Log and Connection Code Reference

Configuration, Command, and File Reference
Netscape Directory Server

Chapter 5 Access Log and Connection Code Reference

Netscape Directory Server (Directory Server) provides you with logs to help you monitor directory activity. Monitoring allows you to quickly detect and remedy failures and where done proactively, anticipate and resolve potential problems before they result in failure or poor performance. To monitor your directory effectively, you need to understand the structure and content of your logs.

Note that this chapter does not provide an exhaustive list of error messages. However, the information presented in this chapter will serve as a a good starting point for common problems. This chapter includes the following sections:

Access Log Content

Common Connection Codes

LDAP Result Codes

Access Log Content

The Directory Server access log contains detailed information about client connections to the directory. A connection is a sequence of requests from the same client with the following structure:

Connection record which gives the connection index and the IP address of the client

Bind record

Bind result record

Sequence of operation request/operation result pairs of records (or individual records in the case of connection, closed and abandon records)

Unbind record

Closed record

Every line begins with a timestamp - [21/Apr/2001:11:39:51 -0700]- the format of which may vary depending on which platform you are using, where -0700 indicates the time difference in relation to GMT. Apart from the connection, closed and abandon records, which appear individually, all records appear in pairs, consisting of a request for service record followed by a result record. These two records frequently appear on adjacent lines but this is not always the case.

This section presents the different levels of access logging available with Directory Server, then describes the default access logging content and ends with a description of the additional access logging level content. This section is divided into the following parts:

Access Logging Levels

Default Access Logging Content

Access Log Content for Additional Access Logging Levels

Note

Directory Server provides a script, which can analyze access logs to extract usage statistics and count the occurrences of significant events. For details about this script, see "logconv.pl (Log converter)".

Access Logging Levels

Different levels of access log logging exist and by changing the value of the nsslapd-accesslog-level configuration attribute (see "nsslapd-accesslog-level"), you can select the exact type of logging you require. The default level of logging is level 256, which logs access to an entry but you can choose from the following logging levels, combining more than one level to suit your needs:

0 = No access logging

4 = Logging for internal access operations

256 = Logging for access to an entry

512 = Logging for access to an entry and referrals

131072 = Precise timing of operation duration. This gives microsecond resolution for the Elapsed Time item in the access log.

For example, if you want to log internal access operations, entry access, and referrals, you would insert a value of 516 (512+4) in the nsslapd-accesslog-level configuration attribute. For further information on other access log configuration attributes, see "Core Server Configuration Attributes Reference"."

Default Access Logging Content

This section describes the access log content in detail based on the default access logging level extract in Code Example 5-1.

Code Example 5-1    Access Log Extract with Default Access Logging Level (level 256)

[21/Apr/2001:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139

[21/Apr/2001:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3

[21/Apr/2001:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0

[21/Apr/2001:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bjensen)"

[21/Apr/2001:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=1000 notes=U

[21/Apr/2001:11:39:51 -0700] conn=11 op=2 UNBIND

[21/Apr/2001:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1

[21/Apr/2001:11:39:52 -0700] conn=12 fd=634 slot=634 connection from 207.1.153.51 to 192.18.122.139

[21/Apr/2001:11:39:52 -0700] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3

[21/Apr/2001:11:39:52 -0700] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0

[21/Apr/2001:11:39:52 -0700] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bjensen)"

[21/Apr/2001:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0

[21/Apr/2001:11:39:52 -0700] conn=12 op=3 UNBIND

[21/Apr/2001:11:39:52 -0700] conn=12 op=3 fd=634 closed - U1

[21/Apr/2001:11:39:53 -0700] conn=13 fd=659 slot=659 connection from 207.1.153.51 to 192.18.122.139

[21/Apr/2001:11:39:53 -0700] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3

[21/Apr/2001:11:39:53 -0700] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0

[21/Apr/2001:11:39:53 -0700] conn=13 op=1 EXT oid="2.16.840.1.113730.3.5.3"

[21/Apr/2001:11:39:53 -0700] conn=13 op=1 RESULT err=0 tag=120 nentries=0 etime=0

21/Apr/2001:11:39:53 -0700] conn=13 op=2 ADD dn="cn=Sat Apr 21 11:39:51 MET DST 2001, dc=example,dc=com"

[21/Apr/2001:11:39:53 -0700] conn=13 op=2 RESULT err=0 tag=105 nentries=0 etime=0 csn=3b4c8cfb000000030000

[21/Apr/2001:11:39:53 -0700] conn=13 op=3 EXT oid="2.16.840.1.113730.3.5.5"

[21/Apr/2001:11:39:53 -0700] conn=13 op=3 RESULT err=0 tag=120 nentries=0 etime=0

[21/Apr/2001:11:39:53 -0700] conn=13 op=4 UNBIND

[21/Apr/2001:11:39:53 -0700] conn=13 op=4 fd=659 closed - U1

[21/Apr/2001:11:39:55 -0700] conn=14 fd=700 slot=700 connection from 207.1.153.51 to 192.18.122.139

[21/Apr/2001:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl
version=3 mech=DIGEST-MD5

[21/Apr/2001:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97
nentries=0 etime=0, SASL bind in progress

[21/Apr/2001:11:39:55 -0700] conn=14 op=1 BIND
dn="uid=jdoe,dc=example,dc=com" method=sasl version=3 mech=DIGEST-MD5

[21/Apr/2001:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97
nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"

[21/Apr/2001:11:39:55 -0700] conn=14 op=2 UNBIND

[21/Apr/2001:11:39:53 -0700] conn=14 op=2 fd=700 closed - U1

Connection Number

Every external LDAP request is listed with an incremental connection number, in this case conn=11 or conn=28, starting at conn=0 immediately after server startup. Internal LDAP requests are not recorded in the access log by default. To activate the logging of internal access operations, specify access logging level 4 on the nsslapd-accesslog-level configuration attribute (see "nsslapd-accesslog-level").

File Descriptor

Every connection from an external LDAP client to Directory Server requires a file descriptor, or socket descriptor from the operating system in this case fd=608. fd=608 indicates that it was file descriptor number 608 out of the total pool of available file descriptors which was used.

Slot Number

The slot number, in this case slot=608, is a legacy part of the access log which has the same meaning as file descriptor. Ignore this part of the access log.

Operation Number

To process a given LDAP request, Directory Server will perform the required series of operations. For a given connection, all operation request and operation result pairs are given incremental operation numbers beginning with op=0 to identify the distinct operations being performed. In Code Example 5-1 we have op=0 for the bind operation request and result pair, then op=1 for the LDAP search request and result pair, and so on. Should you see op=-1 in the access log it generally means that the LDAP request for this connection was not issued by an external LDAP client, but instead initiated internally.

Method Type

The method number, in this case method=128, indicates which LDAPv3 bind method was used by the client. There are three possible bind method values:

0 = no authentication

128 = simple bind with user password

sasl = SASL bind using external authentication mechanism

Version Number

The version number, in this case, version=3, indicates the LDAP version number (either LDAPv2 or LDAPv3) that the LDAP client used to communicate with the LDAP server.

Error Number

The error number, in this case err=0, provides the LDAP result code returned from the LDAP operation performed. The LDAP error number 0 means that the operation was successful. For a more comprehensive list of LDAP result codes see "LDAP Result Codes".

Tag Number

The tag number, in this case tag=97, indicates the type of result returned, which is almost always a reflection of the type of operation performed. The tags used are the BER tags from the LDAP protocol. Commonly used tags include:

tag=97 for a result from a client bind operation

tag=100 indicates the actual entry for which you were searching

tag=101 for a result from a search operation

tag=103 for a result from a modify operation

tag=105 for a result from an add operation

tag=107 for a result from delete operation

tag=109 for a result from a moddn operation

tag=111 for a result from a compare operation

tag=115 indicates a search reference when the entry you perform your search on holds a referral to the entry you require. Search references are expressed in terms of a referral.

tag=120 for a result from an extended operation

Note

tag=100 and tag=115 are not result tags as such and so it is unlikely that you will see them in your access log.

Number of Entries

The number of entries, in this case nentries=0, indicates the number of entries that were found matching the LDAP client's request.

Elapsed Time

Elapsed time, in this case etime=1000, indicates the amount of time (in seconds) that it took the directory server to perform the LDAP operation. An etime value of 0 means that the operation actually took milliseconds to perform. If you want to have microsecond resolution for this item in the access log, enter a value of 131328 (256+131072) in the nsslapd-accesslog-level configuration attribute.

LDAP Request Type

The LDAP request type indicates the type of LDAP request being issued by the LDAP client. Possible values are:

SRCH = search

MOD = modify

DEL = delete

ADD = add

MODDN = moddn

EXT = extended operation

ABANDON = abandon operation

Note that if the LDAP request resulted in sorting of entries, then you will see SORT serialno followed by the number of candidate entries that were sorted. See the bold text in this example:

[04/May/2002:15:51:46 -0700] conn=114 op=68 SORT serialno (1)
The number enclosed in parentheses specifies the number of candidate entries that were sorted, which, in this case is 1.

LDAP Response Type

The LDAP response type indicates the LDAP response being issued by the LDAP client. Possible values are:

RESULT = result

ENTRY = entry

REFERRAL = referral or search reference

Unindexed Search Indicator

The unindexed search indicator, notes=U, indicates that the search performed was unindexed, which means that the database itself had to be directly searched instead of the index file. Unindexed searches occur either when the All IDs Threshold was reached within the index file used for the search, when no index file existed or when the index file was not configured in the way required by the search.

Note

An unindexed search indicator is often accompanied by a large etime value, as unindexed searches are generally more time consuming.

VLV-Related Entries

When a search involves virtual list views (VLVs), appropriate entries are logged in the access log file. Similar to the other entries, VLV-specific entries show the request and response information side by side, like this:

VLV RequestInformation ResponseInformation

where RequestInformation is of the form: beforeCount:afterCount:index:contentCount

and ResponseInformation is of the form: targetPosition:contentCount (resultCode)

If the client uses a position-by-value VLV request, the format for the first part, the request information, would be: beforeCount:afterCount:value

The example below shows VLV-specific entries in bold:

[07/May/2002:11:43:29 -0700] conn=877 op=8530 SRCH base="(ou=People)" scope=2 filter="(uid=*)"
[07/May/2002:11:43:29 -0700] conn=877 op=8530 SORT uid
[07/May/2002:11:43:29 -0700] conn=877 op=8530 VLV 0:5:0210 10:5397 (0)
[07/May/2002:11:43:29 -0700] conn=877 op=8530 RESULT err=0 tag=101 nentries=1 etime=0
In the above example, the first part, 0:5:0210, is the VLV request information:

beforeCount = 0
afterCount = 5
value = 0210

and the second part, 10:5397 (0), is the VLV response information:

targetPosition = 10
contentCount = 5397
(resultCode) = (0)

Search Scope

The entry scope=n defines the scope of the search performed, and n can have a value of 0, 1, or 2.

0 = base search

1 = one-level search

2 = subtree search

For more information about search scopes, see section "Using ldapsearch" in Appendix B, "Finding Directory Entries" of Netscape Directory Server Administrator's Guide.

Extended Operation OID

An extended operation OID, in this case either EXT oid="2.16.840.1.113730.3.5.3" or EXT oid="2.16.840.1.113730.3.5.5", provides the OID of the extended operation being performed. Table 5-1 provides the list of LDAPv3 extended operations and their OIDs supported in Directory Server.

Table 5-1    LDAPv3 Extended Operations supported by Directory Server

Extended Operation Name

Description

OID

Directory Server 6.x Start Replication Request

Sent by a replication initiator to indicate that a replication session is requested.

2.16.840.1.113730.3.5.3

Directory Server 6.x Replication Response

Sent by a replication responder in response to a Start Replication Request Extended Operation or an End Replication Request Extended Operation.

2.16.840.1.113730.3.5.4

Directory Server 6.x End Replication Request

Sent to indicate that a replication session is to be terminated.

2.16.840.1.113730.3.5.5

Directory Server 6.x Replication Entry Request

Carries an entry, along with its state information (csn and UniqueIdentifier) and is used to perform a replica initialization.

2.16.840.1.113730.3.5.6

Directory Server 6.x Bulk Import Start

Sent by the client to request a bulk import together with the suffix being imported to and sent by the server to indicate that the bulk import may begin.

2.16.840.1.113730.3.5.7

Directory Server 6.x Bulk Import Finished

Sent by the client to signal the end of a bulk import and sent by the server to acknowledge it.

2.16.840.1.113730.3.5.8

Change Sequence Number

The change sequence number, in this case csn=3b4c8cfb000000030000, is the replication change sequence number, thus indicating that replication is enabled on this particular naming context.

Abandon Message

The abandon message, in this case, [21/Apr/2001:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0, indicates that an operation has been aborted, where nentries=0 indicates the number of entries sent before the operation was aborted, etime=0 value indicates how much time (in seconds) had elapsed, and targetop=1 corresponds to an operation value from a previously initiated operation (that appears earlier in the access log).

There are two possible log ABANDON messages depending on whether the message ID succeeds in locating which operation was to be aborted or not. If the message ID succeeds in locating the operation (the targetop) then the log will read as above. However, if the message ID does not succeed in locating the operation or if the operation had already finished prior to the ABANDON request being sent, then the log will read as follows:

[21/Apr/2001:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2

where targetop=NOTFOUND indicates the operation to be aborted was either an unknown operation or already complete.

Message ID

The message ID, in this case msgid=2, is the LDAP operation identifier, as generated by the LDAP SDK client. The message ID may have a different value to the Netscape Directory Server Operation Number, but identifies the same operation. The message ID is used in the context of an ABANDON operation and tells the user which client operation is being abandoned.

Note

The Directory Server operation number starts counting at 0 and in the majority of LDAP SDK/client implementations the message ID number starts counting at 1, which explains why the message ID is frequently equal to the Directory Server operation number plus 1.

SASL Multi-Stage Bind Logging

Directory Server 6.x logging for multi-stage binds is now more explicit. Each stage in the bind process is now logged and where appropriate the progress statement SASL bind in progress is included.

Note

Note also that the authenticated DN (the DN used for access control decisions) is now logged in the BIND result line as opposed to the bind request line as was previously the case:
[21/Apr/2001:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"

For SASL binds, the DN value displayed in the BIND request line is not used by the server and as a consequence not relevant. However, given that the authenticated DN is the DN which, for SASL binds, must be used for audit purposes, it is essential that this be clearly logged. Having this authenticated DN logged in the BIND result line avoids any confusion as to which DN is which.

Access Log Content for Additional Access Logging Levels

This section presents the additional access logging levels available in the Directory Server access log. In Code Example 5-2 access logging level 4 is enabled which logs internal operations.

Code Example 5-2    Access Log Extract with Internal Access Operations Level (Level 4)

[12/Jul/2001:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config"scope=0 filter="objectclass=nsMappingTree"attrs="nsslapd-referral" options=persistent

12/Jul/2001:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1etime=0

[12/Jul/2001:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config"
scope=0 filter="objectclass=nsMappingTree" attrs="nsslapd-state"

[12/Jul/2001:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1etime=0

Access log level 4 enables logging for internal operations which log the following items in addition to the details of the search being performed, including search base, scope, filter, and requested search attributes.

In Code Example 5-3, access logging level 512 is enabled which logs access to entries and referrals. In this extract, 6 entries and 1 referral are returned in response to the search request, which is shown in bold.

Code Example 5-3    Access Log Extract with Entry Access and Referral Logging Level (Level 512)

[12/Jul/2001:16:43:02 +0200] conn=306 op=0 ENTRY dn="ou=Special Users,dc=example,dc=com"

[12/Jul/2001:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=Accounting Managers,ou=groups,dc=example,dc=com"

[12/Jul/2001:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=HR Managers,ou=groups,dc=example,dc=com"

[12/Jul/2001:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=QA Managers,ou=groups,dc=example,dc=com"

Connection Description

The connection description, in this case conn=Internal, indicates that the connection is an internal connection. The operation number op=-1 also indicates that the operation was initiated internally.

Options Description

The options description, in this case options=persistent, indicates that a persistent search is being performed. Persistent searches can be used as a form of monitoring and configured to return changes to given configurations as and when changes occur.

Note

Directory Server access log now distinguishes between persistent and regular searches, which was not the case for previous Directory Server releases.

In Code Example 5-4 both access logging level 512 and 4 are enabled, which results in both internal access operations, as well as entry access and referrals being logged.

Code Example 5-4    Access Log Extract with Internal Access Operation, Entry Access and Referral Logging Levels (Levels 4+512)

[12/Jul/2001:16:45:46 +0200] conn=Internal op=-1 ENTRY dn="cn=\22dc=example,dc=com\22, cn=mapping tree, cn=config"

[12/Jul/2001:16:45:46 +0200] conn=Internal op=-1 ENTRY dn="cn=\22dc=example,dc=com\22, cn=mapping tree, cn=config"

Common Connection Codes

A connection code is a code which is added to the closed log message to provide additional information related to the connection closure. Common connection codes include:

A1 = Client aborts the connection.

B1 = Corrupt BER tag encountered.

If BER tags, which encapsulate data being sent over the wire, are corrupt when they are received, a B1 connection code is logged to the access log. BER tags can be corrupted due to physical layer network problems or bad LDAP client operations, such as an LDAP client aborting before receiving all request results.

B2 = BER tag is longer than the nsslapd-maxbersize attribute value. For further information about this configuration attribute see "nsslapd-maxbersize (Maximum Message Size)".

B3 = Corrupt BER tag encountered

B4 = Server failed to flush data response back to client

P2 = Closed or corrupt connection has been detected.

T1 = Client does not receive a result within the specified idletimeout period

T2 = Server closed connection after ioblocktimeout period was exceeded

U1 = Connection closed by server after client sends an UNBIND request. The server will always close the connection when it sees an UNBIND request.

LDAP Result Codes

LDAP has a set of result codes that it is useful to be familiar with.

Table 5-2    LDAP Result Codes

Result Code

Defined Value

0

SUCCESS

1

OPERATION_ERROR

2

PROTOCOL_ERROR

3

TIME_LIMIT_EXCEEDED

4

SIZE_LIMIT_EXCEEDED

5

COMPARE_FALSE

6

COMPARE_TRUE

7

AUTH_METHOD_NOT_SUPPORTED

8

STRONG_AUTH_REQUIRED

9

LDAP_PARTIAL_RESULTS

10

REFERRAL (LDAP v3)

11

ADMIN_LIMIT_EXCEEDED (LDAP v3)

12

UNAVAILABLE_CRITICAL_EXTENSION (LDAP v3)

13

CONFIDENTIALITY_REQUIRED (LDAP v3)

14

SASL_BIND_IN_PROGRESS

16

NO_SUCH_ATTRIBUTE

17

UNDEFINED_ATTRIBUTE_TYPE

18

INAPPROPRIATE_MATCHING

19

CONSTRAINT_VIOLATION

20

ATTRIBUTE_OR_VALUE_EXISTS

21

INVALID_ATTRIBUTE_SYNTAX

32

NO_SUCH_OBJECT

33

ALIAS_PROBLEM

34

INVALID_DN_SYNTAX

35

IS_LEAF

36

ALIAS_DEREFERENCING_PROBLEM

48

INAPPROPRIATE_AUTHENTICATION

49

INVALID_CREDENTIALS

50

INSUFFICIENT_ACCESS_RIGHTS

51

BUSY

52

UNAVAILABLE

53

UNWILLING_TO_PERFORM

54

LOOP_DEFECT

64

NAMING_VIOLATION

65

OBJECT_CLASS_VIOLATION

66

NOT_ALLOWED_ON_NONLEAF

67

NOT_ALLOWED_ON_RDN

68

ENTRY_ALREADY_EXISTS

69

OBJECT_CLASS_MODS_PROHIBITED

71

AFFECTS_MULTIPLE_DSAS (LDAP v3)

80

OTHER

81

SERVER_DOWN

85

LDAP_TIMEOUT

89

PARAM_ERROR

91

CONNECT_ERROR

92

LDAP_NOT_SUPPORTED

93

CONTROL_NOT_FOUND

94

NO_RESULTS_RETURNED

95

MORE_RESULTS_TO_RETURN

96

CLIENT_LOOP

97

REFERRAL_LIMIT_EXCEEDED

Extended Operation Name	Description	OID
Directory Server 6.x Start Replication Request	Sent by a replication initiator to indicate that a replication session is requested.	2.16.840.1.113730.3.5.3
Directory Server 6.x Replication Response	Sent by a replication responder in response to a Start Replication Request Extended Operation or an End Replication Request Extended Operation.	2.16.840.1.113730.3.5.4
Directory Server 6.x End Replication Request	Sent to indicate that a replication session is to be terminated.	2.16.840.1.113730.3.5.5
Directory Server 6.x Replication Entry Request	Carries an entry, along with its state information (csn and UniqueIdentifier) and is used to perform a replica initialization.	2.16.840.1.113730.3.5.6
Directory Server 6.x Bulk Import Start	Sent by the client to request a bulk import together with the suffix being imported to and sent by the server to indicate that the bulk import may begin.	2.16.840.1.113730.3.5.7
Directory Server 6.x Bulk Import Finished	Sent by the client to signal the end of a bulk import and sent by the server to acknowledge it.	2.16.840.1.113730.3.5.8

Result Code	Defined Value
0	`SUCCESS`
1	`OPERATION_ERROR`
2	`PROTOCOL_ERROR`
3	`TIME_LIMIT_EXCEEDED`
4	`SIZE_LIMIT_EXCEEDED`
5	`COMPARE_FALSE`
6	`COMPARE_TRUE`
7	`AUTH_METHOD_NOT_SUPPORTED`
8	`STRONG_AUTH_REQUIRED`
9	`LDAP_PARTIAL_RESULTS`
10	`REFERRAL (LDAP v3)`
11	`ADMIN_LIMIT_EXCEEDED (LDAP v3)`
12	`UNAVAILABLE_CRITICAL_EXTENSION (LDAP v3)`
13	`CONFIDENTIALITY_REQUIRED (LDAP v3)`
14	`SASL_BIND_IN_PROGRESS`
16	`NO_SUCH_ATTRIBUTE`
17	`UNDEFINED_ATTRIBUTE_TYPE`
18	`INAPPROPRIATE_MATCHING`
19	`CONSTRAINT_VIOLATION`
20	`ATTRIBUTE_OR_VALUE_EXISTS`
21	`INVALID_ATTRIBUTE_SYNTAX`
32	`NO_SUCH_OBJECT`
33	`ALIAS_PROBLEM`
34	`INVALID_DN_SYNTAX`
35	`IS_LEAF`
36	`ALIAS_DEREFERENCING_PROBLEM`
48	`INAPPROPRIATE_AUTHENTICATION`
49	`INVALID_CREDENTIALS`
50	`INSUFFICIENT_ACCESS_RIGHTS`
51	`BUSY`
52	`UNAVAILABLE`
53	`UNWILLING_TO_PERFORM`
54	`LOOP_DEFECT`
64	`NAMING_VIOLATION`
65	`OBJECT_CLASS_VIOLATION`
66	`NOT_ALLOWED_ON_NONLEAF`
67	`NOT_ALLOWED_ON_RDN`
68	`ENTRY_ALREADY_EXISTS`
69	`OBJECT_CLASS_MODS_PROHIBITED`
71	`AFFECTS_MULTIPLE_DSAS (LDAP v3)`
80	`OTHER`
81	`SERVER_DOWN`
85	`LDAP_TIMEOUT`
89	`PARAM_ERROR`
91	`CONNECT_ERROR`
92	`LDAP_NOT_SUPPORTED`
93	`CONTROL_NOT_FOUND`
94	`NO_RESULTS_RETURNED`
95	`MORE_RESULTS_TO_RETURN`
96	`CLIENT_LOOP`
97	`REFERRAL_LIMIT_EXCEEDED`

Last Updated August 16, 2002


Note	Directory Server provides a script, which can analyze access logs to extract usage statistics and count the occurrences of significant events. For details about this script, see "logconv.pl (Log converter)".


Note	`tag=100` and `tag=115` are not result tags as such and so it is unlikely that you will see them in your access log.


Note	An unindexed search indicator is often accompanied by a large `etime` value, as unindexed searches are generally more time consuming.


Note	The Directory Server operation number starts counting at 0 and in the majority of LDAP SDK/client implementations the message ID number starts counting at 1, which explains why the message ID is frequently equal to the Directory Server operation number plus 1.


Note	Directory Server access log now distinguishes between persistent and regular searches, which was not the case for previous Directory Server releases.