The logging for classes under org.sonatype.nexus.ldap is not adequate to debug or diagnose common problems.
An example concern is logging implemented like this:
This type of code throws away the root cause line numbers and stack trace. When it is used to construct messages like this:
Another example, trying to log the queries being made by application code:
The "filter" is logged here, but not all the filter values. Thus one cannot tell from the message what LDAP search query was actually performed.
All exceptions should be logged.
If an exception is logged, log its "message" at INFO or above (WARN, ERROR); if DEBUG level is set, log the complete stack trace as well.
If any LDAP queries are made, ensure that by reading the log message one knows exactly the query issued to the LDAP server (not just the inferred query). One should be able to take the logged query, give it to an ldapsearch command, and have it "just work".
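One way to meet the last two requirements, as an added example that is not Nexus code: it renders a JNDI filter expression plus its arguments as an equivalent ldapsearch command line and logs a failure with its message at WARNING and the full stack trace at FINE. The class name, host and DNs are constructed, and java.util.logging is assumed so the block needs only the JDK (WARNING and FINE stand in for WARN and DEBUG).

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;

public class LdapQueryLogging { // hypothetical class name
    private static final Logger log = Logger.getLogger(LdapQueryLogging.class.getName());
    private static final String[] SCOPES = {"base", "one", "sub"}; // indexed by SearchControls scope 0..2

    // RFC 4515 escaping, so the logged filter matches what is sent for the {n} arguments.
    static String escape(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray())
            sb.append("\\*()\0".indexOf(c) >= 0 ? String.format("\\%02x", (int) c) : String.valueOf(c));
        return sb.toString();
    }

    // Single-quote a value so the logged command can be pasted into a POSIX shell.
    static String quote(String s) { return "'" + s.replace("'", "'\\''") + "'"; }

    // Substitute every {n} placeholder and emit the complete search: URL, bind DN, base, scope, filter, attributes.
    static String toLdapSearch(String url, String bindDn, String baseDn, SearchControls sc, String filterExpr, Object... args) {
        Matcher m = Pattern.compile("\\{(\\d+)\\}").matcher(filterExpr);
        StringBuilder filter = new StringBuilder();
        while (m.find()) {
            int i = Integer.parseInt(m.group(1));
            m.appendReplacement(filter, Matcher.quoteReplacement(i < args.length ? escape(String.valueOf(args[i])) : m.group()));
        }
        m.appendTail(filter);
        String attrs = sc.getReturningAttributes() == null ? "" : " " + String.join(" ", sc.getReturningAttributes());
        // -W makes ldapsearch prompt for the password; the bind password itself is never logged.
        return "ldapsearch -x -H " + quote(url) + " -D " + quote(bindDn) + " -W -b " + quote(baseDn)
            + " -s " + SCOPES[sc.getSearchScope()] + " " + quote(filter.toString()) + attrs;
    }

    // Message and exact query at WARNING; stack trace (with causes) only when FINE is enabled.
    static void logFailure(String query, Exception e) {
        log.log(Level.WARNING, "LDAP search failed: {0} [{1}]", new Object[] {e.toString(), query});
        log.log(Level.FINE, "LDAP search failure stack trace", e);
    }

    public static void main(String[] unused) { // constructed sample values
        SearchControls sc = new SearchControls(SearchControls.SUBTREE_SCOPE, 0, 0, new String[] {"uid", "mail"}, false, false);
        String q = toLdapSearch("ldap://ldap.example.test:389", "cn=nexus,dc=example,dc=test",
            "ou=people,dc=example,dc=test", sc, "(&(objectClass=inetOrgPerson)(uid={0}))", "j*doe");
        log.info(q);
        logFailure(q, new NamingException("constructed failure for the demo"));
    }
}
```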