How to take an LDAP NMAS trace for DSfW/eDir

  • 7009602
  • 19-Oct-2011
  • 23-Jan-2014

Environment

Open Enterprise Server 2 SP2 (OES2SP2)
Open Enterprise Server 2 SP3 (OES2SP3)
Open Enterprise Server 11 (OES11)
Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSfW
eDirectory

Situation

It might be necessary to take an LDAP/NMAS trace to troubleshoot a DSfW/eDir issue.
When applications authenticate to the DSfW domain, the DSfW services package up the request (RPC/Kerberos/CIFS) and send it to eDir via LDAP and NMAS. The LDAP/NMAS trace reports the information being sent to eDir so the data can be evaluated.

Resolution

Taking an LDAP/NMAS trace

To take the LDAP trace, first check the screen options:
ldapconfig get |grep -i "ldap screen level"
 
Be sure the screen level is set to "all" or to "Operation| Connection| Config| Extensions| Error| Critical| DataConnection".
If not, use the ldapconfig -s command to set the screen level.

Example:
ldapconfig -s "ldap screen level= Operation| Connection| Config| Extensions| Error| Critical| DataConnection" -a admin.novell
or
ldapconfig -s "ldap screen level=all" -a admin.novell
 
Start the trace
ndstrace  #brings up the ndstrace utility

set dstrace = nodebug  #Clear the filter

dstrace NMAS LDAP TIME TAGS AUTH   #Enable the LDAP, NMAS, TIME, TAGS, and AUTH flags.
Start with the filter options above.  They will provide most of the information needed for LDAP and NMAS.
Other flags that might be helpful are VCLN, RSLV, DBG, CBUF, ABUF, RECM, and MISC.

set ndstrace = *r   #Clear the log or rename the /var/opt/novell/eDirectory/log/ndstrace.log

ndstrace on   #Start the logging and execute your command or task

set ndstrace = off   #This will stop logging

quit  #Exit ndstrace

You might want to increase the ndstrace.log file max size.  The command to set the file max size is:
ndstrace fmax=10000000

To configure ndstrace.log log rotation, read TID 7010885.
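
The screen-level check from the first step can be scripted. The following is an added example, not part of the original TID: the function name missing_screen_flags and the sample lines are assumptions, including the "LDAP Screen Level: ..." layout of the ldapconfig output.

```shell
#!/bin/sh
# Added example: check an "ldap screen level" value against this article's list.
# Flags the article asks for when the level is not "all".
REQUIRED="Operation Connection Config Extensions Error Critical DataConnection"

# missing_screen_flags LINE  (hypothetical helper name)
#   LINE: the line printed by: ldapconfig get | grep -i "ldap screen level"
#   Prints the required flags that are not set (nothing if the level is enough).
missing_screen_flags() {
    # Keep the value only (text after the first ':' or '='), lower-case it,
    # and turn the '|' separators into single spaces.
    value=$(printf '%s\n' "$1" | sed 's/^[^:=]*[:=]//' |
        tr '|\t' '  ' | tr -s ' ' | tr '[:upper:]' '[:lower:]')
    missing=""
    case " $value " in
        *" all "*) ;;                       # "all" covers every flag
        *)
            for want in $REQUIRED; do
                want_lc=$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')
                case " $value " in
                    *" $want_lc "*) ;;      # whole-word match only
                    *) missing="$missing $want" ;;
                esac
            done
            ;;
    esac
    printf '%s\n' "${missing# }"
    return 0
}

# Constructed sample lines; the exact layout of real ldapconfig output is assumed.
SAMPLE_OK='LDAP Screen Level: Operation| Connection| Config| Extensions| Error| Critical| DataConnection'
SAMPLE_ALL='LDAP Screen Level: all'
SAMPLE_SHORT='LDAP Screen Level: Error| Critical| Connection'

for line in "$SAMPLE_OK" "$SAMPLE_ALL" "$SAMPLE_SHORT"; do
    gap=$(missing_screen_flags "$line")
    if [ -z "$gap" ]; then
        echo "OK:      $line"
    else
        echo "MISSING: $gap"
    fi
done
```

On a server, pass the function the output of the ldapconfig get command shown above; any flags it prints still need to be added with ldapconfig -s before starting the trace.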

Additional Information

Download ndsPacketTrace to easily take ndstraces and packet traces.
This will work for all Linux servers running eDirectory.