LDAPDebug

Parameter: LDAPDebug
Short description: Activates detailed debug logging of the LDAP task in HCL Domino — bind attempts, search filters, schema lookups, and referrals.

Profile

Parameter: LDAPDebug
Category: Logging / Debug
Component: Server
Available since: 9.0.1 (and earlier)
Supported versions: 9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1
GUI equivalent: notes.ini only (no GUI)
Possible values: 0 = off (default) • 1 = Query • 2 = Result • 3 = 1+2 • 4 = Authentication • 5 = 1+4 • 6 = 2+4 • 7 = all • 8–15 = even more verbose

Description

LDAPDebug activates bit-flag-based debug logging for the LDAP task of the Domino server. Depending on the value set, Domino logs different aspects of an LDAP operation:
  • Query information (bit 1): received search filter, base DN, scope, attribute list
  • Result information (bit 2): returned entries, number of hits, result codes
  • Authentication information (bit 4): LDAP bind attempts, DN used, success/failure
The values are combined as bit flags: LDAPDebug=7 enables Query + Result + Authentication together, LDAPDebug=5 only Query + Authentication, etc. Values between 8 and 15 provide even more detailed information (internal schema lookups, referral chasing).
The parameter is the standard tool to diagnose situations where LDAP searches return unexpected results, external LDAP clients fail to bind, Directory Assistance lookups fail, or LDAP-based authentication does not work in an application.

Example configuration

LDAPDebug=7
Debug_Outfile=c:\debug\ldap.txt
Runtime activation without a server restart (takes effect after restart task ldap):
set config LDAPDebug=7
restart task ldap
Deactivate again after analysis:
set config LDAPDebug=0
restart task ldap

Notes & pitfalls

  • Takes effect only for the LDAP task, not for LDAP searches Domino performs internally via Directory Assistance / NAB lookups.
  • For persistent output, always set Debug_Outfile=... — otherwise the output only appears transiently in the console or console log.
  • Changes usually only take effect after restart task ldap (not after a short wait as with many other LDAP configuration values).
  • Log volume can grow very rapidly on busy LDAP servers: plan for log rotation / CONSOLE_LOG_MAX_KBYTES, and do not leave the parameter permanently active.
  • Pairs well with WEBAUTH_VERBOSE_TRACE (web auth view) and Log_Authentication (NRPC auth view).
  • Security note: at the authentication tracing level (bit 4), bind DNs appear in the log file — review before delivering to support.
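
One way to check a server for the last two pitfalls (debug left active, bind DNs landing in a file), as an added example that is not part of the HCL documentation. The function names, the "Extended" label for values 8–15, the case-insensitive key comparison, and the choice to combine duplicate entries by bitwise OR are assumptions of this sketch.

```python
# Added example: audit notes.ini text for LDAPDebug left enabled.
# Flag names and values come from "Possible values" on this page.
FLAGS = {1: "Query", 2: "Result", 4: "Authentication"}
EXTENDED = 8  # 8-15 are "even more verbose"; modelled here as one extra bit


def parse_ini(text):
    """Map lowercased key -> list of values, keeping duplicates visible.

    Assumption: keys are compared case-insensitively.
    """
    settings = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep:  # skips blank lines and section headers such as [Notes]
            settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings


def decode(level):
    """Names of the trace categories switched on by an LDAPDebug value."""
    names = [name for bit, name in FLAGS.items() if level & bit]
    return names + (["Extended"] if level & EXTENDED else [])


def audit(text):
    """Return (enabled categories, findings) for one notes.ini."""
    ini = parse_ini(text)
    values = ini.get("ldapdebug", ["0"])
    findings = []
    if len(values) > 1:
        findings.append("LDAPDebug set more than once; auditing the union of all values")
    level = 0
    for value in values:
        if not value.isdigit() or int(value) > 15:
            return [], [f"LDAPDebug={value!r} is outside the documented range 0-15"]
        level |= int(value)  # worst case across duplicate entries
    enabled = decode(level)
    if enabled:
        findings.append(f"LDAPDebug={level} active ({', '.join(enabled)}); set 0 after analysis")
    if level & 4:
        target = ini.get("debug_outfile", ["the console log"])[-1]
        findings.append(f"bind DNs are written to {target}; review before sharing")
    return enabled, findings


# Constructed sample mirroring the example configuration on this page.
SAMPLE = "[Notes]\nLDAPDebug=7\nDebug_Outfile=c:\\debug\\ldap.txt\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```

Run it against a copy of each server's notes.ini; an empty findings list means LDAP debug tracing is off.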

Sources (HCL Product Documentation)