####### dirsrv status querying

* use local socket
    ldapsearch -Y EXTERNAL -H 'ldapi://%2Fvar%2Frun%2Fslapd-some_host.socket'

* local IPA client query w/ active kerberos ticket
    /usr/bin/ldapsearch -Y GSSAPI -h phobos.some_host -o ldif-wrap=no -LLL

* monitor connections to server(s)
  * note threads, currentconnections, readwaiters (data to be read from client)
    ldapsearch [...] -s base -b cn=monitor '(objectclass=*)'

* Check for conflicts
    ldapsearch [...] "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict

######### dirsrv access log details

* ABANDON entries
    targetop refers to previous logged op and was SUCCESSFUL
    msgid refers to previous logged op and was NOT SUCCESSFUL

* notes=U entry refers to an unindexed search operation; possible causes:
    nsslapd-idlistscanlimit was reached within the index file used for the search.
    no index file existed.
    the index file was not configured in the way required by the search.

* LDAP operations
    SRCH = search
    MOD = modify
    DEL = delete
    ADD = add
    MODDN = moddn
    EXT = extended operation
    ABANDON = abandon operation

* LDAP results
    RESULT
    ENTRY
    REFERRAL (an LDAP referral or search reference)

# LDAP return codes
0=SUCCESS
1=OPERATION_ERROR
2=PROTOCOL_ERROR
3=TIME_LIMIT_EXCEEDED
4=SIZE_LIMIT_EXCEEDED
5=COMPARE_FALSE
6=COMPARE_TRUE
7=AUTH_METHOD_NOT_SUPPORTED
8=STRONG_AUTH_REQUIRED
9=LDAP_PARTIAL_RESULTS
10=REFERRAL
11=ADMIN_LIMIT_EXCEEDED
12=UNAVAILABLE_CRITICAL_EXTENSION
13=CONFIDENTIALITY_REQUIRED
14=SASL_BIND_IN_PROGRESS
16=NO_SUCH_ATTRIBUTE
17=UNDEFINED_ATTRIBUTE_TYPE
18=INAPPROPRIATE_MATCHING
19=CONSTRAINT_VIOLATION
20=ATTRIBUTE_OR_VALUE_EXISTS
21=INVALID_ATTRIBUTE_SYNTAX
32=NO_SUCH_OBJECT
33=ALIAS_PROBLEM
34=INVALID_DN_SYNTAX
35=IS_LEAF
36=ALIAS_DEREFERENCING_PROBLEM
48=INAPPROPRIATE_AUTHENTICATION
49=INVALID_CREDENTIALS
50=INSUFFICIENT_ACCESS_RIGHTS
51=BUSY
52=UNAVAILABLE
53=UNWILLING_TO_PERFORM
54=LOOP_DEFECT
64=NAMING_VIOLATION
65=OBJECT_CLASS_VIOLATION
66=NOT_ALLOWED_ON_NONLEAF
67=NOT_ALLOWED_ON_RDN
68=ENTRY_ALREADY_EXISTS
69=OBJECT_CLASS_MODS_PROHIBITED
71=AFFECTS_MULTIPLE_DSAS
80=OTHER
81=SERVER_DOWN
85=LDAP_TIMEOUT
89=PARAM_ERROR
91=CONNECT_ERROR
92=LDAP_NOT_SUPPORTED
93=CONTROL_NOT_FOUND
94=NO_RESULTS_RETURNED
95=MORE_RESULTS_TO_RETURN
96=CLIENT_LOOP
97=REFERRAL_LIMIT_EXCEEDED

# LDAP tag codes
#
# tags 100 and 115 are not "real" tags and are unlikely to be seen in the log
#
Tag=97   Result from a client bind operation.
Tag=100  The actual entry being searched for.
Tag=101  Result from a search operation.
Tag=103  Result from a modify operation.
Tag=105  Result from an add operation.
Tag=107  Result from a delete operation.
Tag=109  Result from a moddn operation.
Tag=111  Result from a compare operation.
Tag=115  Search reference when the entry on which the search was performed holds a referral to the required entry. Search references are expressed in terms of a referral.
Tag=120  Result from an extended operation.
Tag=121  Result from an intermediate operation.

# LDAP connection codes
A1=Client aborts the connection.
B1=Corrupt BER tag encountered. BER tags can be corrupted due to physical layer network problems or bad LDAP client operations like client aborting before receiving all request results.
B2=BER tag is longer than the nsslapd-maxbersize attribute value
B3=Corrupt BER tag encountered.
B4=Server failed to flush data response back to client.
P2=Closed or corrupt connection has been detected.
T1=Client does not receive a result within the specified idletimeout period.
T2=Server closed connection after ioblocktimeout period was exceeded.
U1=Connection closed by server after client sends an unbind request.

# LDAP access log codes
conn = connection number, starts at 0 following dirsrv restart
fd = file descriptor
slot = fd for legacy
op = operation number per connection, starts at 0
method = LDAPv3 bind method used; 0 for authentication, 128 for simple bind with user password, sasl for sasl bind mechanism
err = error number; see LDAP return codes
tag = type of result returned
nentries = number of entries returned
etime = elapsed time, in seconds

# Example log entries
[19/Mar/2020:11:30:22.635740300 -0400] conn=1718741 op=17 SRCH base="cn=Default Trust View,cn=views,cn=accounts,some_host" scope=2 filter="(&(objectClass=ipaUserOverride)(uid=postfix))" attrs=ALL
[19/Mar/2020:11:30:22.635923501 -0400] conn=1718741 op=17 RESULT err=0 tag=101 nentries=0 etime=0.0030348891
[19/Mar/2020:11:30:22.655834615 -0400] conn=1718741 op=18 ABANDON targetop=16 msgid=17 nentries=0 etime=20.0058818802
[19/Mar/2020:11:30:22.659071709 -0400] conn=1718741 op=19 ABANDON targetop=NOTFOUND msgid=18
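
# Added example (not part of the original notes)
An access-log triage sketch that uses the fields above: it pairs each RESULT with its request through (conn, op), then reports failed binds, notes=U unindexed searches and ABANDON entries. The function names parse_line and analyze, the sample DNs and the 192.0.2.x addresses are assumptions made for illustration.

```python
import re
# Subset of the return-code table above; extend as needed.
RESULT_CODES = {0: "SUCCESS", 14: "SASL_BIND_IN_PROGRESS", 32: "NO_SUCH_OBJECT",
                49: "INVALID_CREDENTIALS", 50: "INSUFFICIENT_ACCESS_RIGHTS"}
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
                     r'(?P<kind>[A-Z]+) ?(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

# Constructed sample lines in the access-log layout shown above (not real data).
SAMPLE_LOG = '''\
[19/Mar/2020:11:30:20.000000001 -0400] conn=7 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[19/Mar/2020:11:30:20.100000000 -0400] conn=7 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[19/Mar/2020:11:30:20.200000000 -0400] conn=7 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0100000000
[19/Mar/2020:11:30:21.000000000 -0400] conn=8 op=1 SRCH base="dc=example,dc=test" scope=2 filter="(description=*admin*)" attrs=ALL
[19/Mar/2020:11:30:23.000000000 -0400] conn=8 op=1 RESULT err=0 tag=101 nentries=3 etime=2.0000000000 notes=U
[19/Mar/2020:11:30:23.500000000 -0400] conn=8 op=2 ABANDON targetop=NOTFOUND msgid=2
'''

def parse_line(line):
    """Return a dict for an operation or RESULT line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. connection-open lines, which carry no op= field
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    return {"ts": m["ts"], "conn": int(m["conn"]), "op": int(m["op"]),
            "kind": m["kind"], **fields}

def analyze(lines):
    """Pair each RESULT with its request via (conn, op) and list findings."""
    requests, findings = {}, []
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["conn"], rec["op"])
        if rec["kind"] == "RESULT":
            req = requests.pop(key, {})
            err = int(rec.get("err", 0))
            name = RESULT_CODES.get(err, f"err={err}")
            if req.get("kind") == "BIND" and err not in (0, 14):  # 14 = SASL step, not a failure
                findings.append(("failed_bind", key, req.get("dn"), name))
            # assumption: several notes flags may be logged comma-separated
            if "U" in rec.get("notes", "").split(","):
                findings.append(("unindexed_search", key, req.get("filter"), name))
        elif rec["kind"] == "ABANDON":
            findings.append(("abandon", key, rec.get("targetop"), rec.get("msgid")))
        else:
            requests[key] = rec  # SRCH, BIND, MOD, ... awaiting its RESULT
    return findings

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG.splitlines()), sep="\n")
```

Feed it a real access log with analyze(open(path)); counting failed_bind findings per DN or per conn is a natural next step for spotting password guessing.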